Google's security team has discovered a new strain of Android malware, named Tizi, which has been used primarily to target users in African countries.
Google categorizes Tizi as spyware. It can carry out a wide range of operations, but most of them focus on social media apps and activity.
According to Google Threat Analysis Group and Google Play Protect security engineers, Tizi can be used for the following malicious purposes:
- Can steal data from popular social media apps such as Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.
- Can record calls from WhatsApp, Viber, and Skype.
- Can record ambient audio through the microphone.
- Can take pictures of the screen without alerting the user.
- Can send and intercept SMS messages on infected devices.
- Can access contacts, calendar events, call logs, photos, Wi-Fi encryption keys, and a list of all locally installed apps.
- When it first infects a device, it sends the device's GPS coordinates via SMS to a C&C server.
- Subsequent communications with the attacker's C&C server take place via HTTPS, or in some isolated cases, via MQTT.
- Can root devices via one of the following vulnerabilities: CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636, CVE-2015-1805.
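The capability list above maps fairly directly onto the Android runtime permissions an app has to declare to do those things, which makes a permission-set review a cheap first triage step for a defender examining installed apps. The following is an added example, not code from the article or from Google: a small heuristic that scores an app's declared permissions against the surveillance capabilities attributed to Tizi (audio and call recording, SMS sending and interception, contacts, calendar, call log, location, Wi-Fi state, and local files). The permission strings are real Android constants; the capability-to-permission mapping, the review threshold and the two sample manifests are assumptions constructed for the example. Enumerating installed apps needed no dangerous permission on the Android versions of that era, so it is deliberately left out of the mapping.

```python
# Added example (not from the article or Google): permission-based triage of Android
# apps against the surveillance capabilities the article attributes to Tizi.
# Permission names are real Android constants; the mapping below, the threshold and
# the sample manifests are constructed for this example.
from dataclasses import dataclass, field

# Capability -> Android permissions an app must declare to exercise it.
CAPABILITY_PERMISSIONS = {
    "record audio / calls": {"android.permission.RECORD_AUDIO"},
    "send SMS": {"android.permission.SEND_SMS"},
    "intercept SMS": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "read contacts": {"android.permission.READ_CONTACTS"},
    "read calendar": {"android.permission.READ_CALENDAR"},
    "read call log": {"android.permission.READ_CALL_LOG"},
    "location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "Wi-Fi configuration": {"android.permission.ACCESS_WIFI_STATE"},
    "read photos / files": {"android.permission.READ_EXTERNAL_STORAGE"},
}

# Number of distinct surveillance capabilities before an app is flagged for review.
# Legitimate messaging apps need several of these, so this is a triage signal
# for a human analyst, not a malware verdict.
FLAG_THRESHOLD = 4


@dataclass
class TriageResult:
    app: str
    capabilities: list = field(default_factory=list)
    flagged: bool = False


def matched_capabilities(permissions):
    """Return the sorted surveillance capabilities implied by a declared permission set."""
    declared = set(permissions)
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if declared & needed)


def triage(app, permissions, threshold=FLAG_THRESHOLD):
    """Score one app: flagged when it reaches `threshold` distinct capabilities."""
    caps = matched_capabilities(permissions)
    return TriageResult(app=app, capabilities=caps, flagged=len(caps) >= threshold)


# Constructed sample manifests (hypothetical package names, not real apps).
SAMPLE_APPS = {
    "com.example.flashlight": [
        "android.permission.CAMERA",
        "android.permission.INTERNET",
    ],
    "com.example.chat": [
        "android.permission.INTERNET",
        "android.permission.RECORD_AUDIO",
        "android.permission.SEND_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_CONTACTS",
        "android.permission.READ_CALENDAR",
        "android.permission.READ_CALL_LOG",
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_WIFI_STATE",
        "android.permission.READ_EXTERNAL_STORAGE",
    ],
}


def triage_all(apps=SAMPLE_APPS, threshold=FLAG_THRESHOLD):
    """Triage every app in a {package: [permissions]} mapping."""
    return {name: triage(name, perms, threshold) for name, perms in apps.items()}


if __name__ == "__main__":
    for result in triage_all().values():
        status = "REVIEW" if result.flagged else "ok"
        print(f"{result.app}: {status} ({len(result.capabilities)} capabilities:"
              f" {', '.join(result.capabilities) or 'none'})")
```

On a real device the permission lists would come from `adb shell dumpsys package <pkg>` or from parsing each APK's manifest; the scoring logic is the same. A flagged app is a candidate for a closer look (network destinations, whether it ships native binaries for the listed kernel exploits), not a confirmed infection.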
Tizi-infected apps were around since 2015
Google engineers say they spotted the Tizi spyware in September 2017, when automatic scans with Google Play Protect (an Android app security scanner incorporated into the Google Play Store app) discovered a Tizi-infected app that had been installed on a user's device via the official Google Play Store.
After investigating older versions of apps uploaded on the Play Store, they spotted more Tizi-infected apps going back as far as October 2015.
Google says it suspended the app's developer account and then used the Google Play Store app to uninstall the Tizi apps from infected devices.