MyTizi Spyware

Google finds Tizi Android spyware on 1,300 devices, mostly in Africa

Google has disclosed its recent work rooting out Android apps infected with a spyware family it calls Tizi. In September, Google Play Protect, the company's on-device app scanner, flagged an app that could root Android devices using a handful of old vulnerabilities. That app, MyTizi, has since been removed from the Play Store. After detecting it, Google's security team found several more apps with the same capabilities and removed them too. Below is a list of the removed apps I found, with the SHA-256 hashes Google published. The first hash is listed without its package name:

SHA-256 4d780a6fc18458311250d4d1edc750468fdb9b3e4c950dce5b35d4567b47d4a7 (package name not given)

com.dailyworkout.tizi (7c6af091a7b0f04fb5b212bd3c180ddcc6abf7cd77478fd22595e5b7aa7cfd9f)

com.system.update.systemupdate (7a956c754f003a219ea1d2205de3ef5bc354419985a487254b8aeb865442a55e)

The earliest Tizi app had been available in the Google Play Store since October 2015, but Google noted that only later updates added the rooting capability. The attackers spread links to the Play Store listings mainly through Twitter and other social media accounts, using attractive graphics, and through third-party sites.

Once it has root on a device, Tizi does the job of any commercial spyware program. Its capabilities, as reported by Google:

  • Retrieves data from popular social media apps such as Facebook, Twitter, WhatsApp, Viber, LinkedIn, Skype, and Telegram.
  • Records calls made through Viber, WhatsApp, and Skype.
  • Records ambient audio from the microphone.
  • Captures screenshots without alerting the user.
  • Sends and intercepts SMS messages on the infected device.
  • Accesses contacts, call logs, calendar events, photos, Wi-Fi encryption keys, and the list of all locally installed apps.
  • On first infection, sends the device's GPS coordinates to a command-and-control (C&C) server via SMS.
  • Subsequent communication with the C&C server takes place over HTTPS or, in some rare cases, over MQTT.
  • Roots the device using any of the following vulnerabilities: CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636, CVE-2015-1805.

The majority of infected devices were in Kenya, with others in African countries such as Nigeria and Tanzania. One of the Tizi-infected apps, for example, appeared to target people who would want to install an app about the National Super Alliance (NASA), a Kenyan political coalition. Another Tizi-infected app posed as a system update.

To help the wider community fight this malware, Google shared the samples on VirusTotal so that other security researchers can analyse them.

Google has suspended the developer accounts responsible for the Tizi-infected apps and used Google Play Protect to disable the apps on affected devices. In total, Google found about 1,300 devices affected by Tizi. According to Google, devices with a security patch level of April 2016 or later are "far less exposed to Tizi's capabilities", because every rooting vulnerability Tizi uses had been fixed in Android by then.
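As an added example (this is not Google's tooling and not code from the original post), here is a small offline triage script in Python that turns the post's indicators into a check a practitioner can run: it matches the listed package names against `adb shell pm list packages` output, matches pulled APK files against the listed SHA-256 hashes, and compares the device's `ro.build.version.security_patch` property against the April 2016 cutoff Google quotes. The package names, hashes and cutoff date come from the post; the adb output and APK bytes embedded in the block are constructed sample input, not real captures.

```python
# Added example (not Google's or the page author's code): an offline triage
# script that checks the two things the post gives a defender to act on,
# the published indicators and the April 2016 security patch level.
import hashlib
import re
from datetime import date

# Indicators copied from the post above: package names and SHA-256 hashes of
# the removed Play Store apps. The first hash is listed without a package
# name, so it can only be matched by file hash.
TIZI_PACKAGES = frozenset({
    "com.dailyworkout.tizi",
    "com.system.update.systemupdate",
})
TIZI_SHA256 = frozenset({
    "4d780a6fc18458311250d4d1edc750468fdb9b3e4c950dce5b35d4567b47d4a7",
    "7c6af091a7b0f04fb5b212bd3c180ddcc6abf7cd77478fd22595e5b7aa7cfd9f",
    "7a956c754f003a219ea1d2205de3ef5bc354419985a487254b8aeb865442a55e",
})
# Google's statement: a patch level of April 2016 or later is "far less exposed".
PATCH_LEVEL_CUTOFF = date(2016, 4, 1)


def parse_pm_list(output: str) -> set:
    """Parse `adb shell pm list packages` output, one "package:<name>" per line."""
    pkgs = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def suspicious_packages(pm_output: str) -> list:
    """Installed package names that match the published Tizi package names."""
    return sorted(parse_pm_list(pm_output) & TIZI_PACKAGES)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matching_hashes(apks: dict, known=TIZI_SHA256) -> list:
    """apks maps a label (e.g. the path given to `adb pull`) to the APK bytes.
    Returns the labels whose SHA-256 is in the known-bad set."""
    return sorted(label for label, blob in apks.items() if sha256_hex(blob) in known)


def patch_level_exposed(prop_value: str) -> bool:
    """True if `getprop ro.build.version.security_patch` is before April 2016.
    An empty or malformed value (devices that predate the property, i.e. old
    builds) is treated as exposed rather than silently passing."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", prop_value.strip())
    if not m:
        return True
    try:
        level = date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:
        return True
    return level < PATCH_LEVEL_CUTOFF


def assess(pm_output: str, patch_prop: str, apks: dict) -> dict:
    """Combine the three checks into one triage result."""
    return {
        "packages": suspicious_packages(pm_output),
        "hash_hits": matching_hashes(apks),
        "patch_level_exposed": patch_level_exposed(patch_prop),
    }


# Constructed sample input standing in for real adb output and a pulled APK.
SAMPLE_PM_OUTPUT = """package:com.android.chrome
package:com.dailyworkout.tizi
package:com.whatsapp
"""
SAMPLE_PATCH_PROP = "2015-11-01"
SAMPLE_APKS = {"/sdcard/Download/update.apk": b"constructed placeholder, not a real APK"}

if __name__ == "__main__":
    print(assess(SAMPLE_PM_OUTPUT, SAMPLE_PATCH_PROP, SAMPLE_APKS))
```

On a real device the inputs come from `adb shell pm list packages`, `adb shell getprop ro.build.version.security_patch` and `adb pull` of the suspect APKs; the hash check only catches the exact builds Google published, so a package-name hit or an old patch level on a device showing the symptoms above is still worth investigating even when no hash matches.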

The most recently patched of these flaws is CVE-2015-1805, also known as "pipe root", a Linux kernel bug that researchers at Zimperium found being exploited by a rooting app called KingRoot. Google published a fix for it to the Android Open Source Project (AOSP) in March 2016. That a flaw fixed that long ago still gives Tizi root on cheaper and older Android devices highlights the real problem: devices that never receive patches. Google says the detection changes it made in response will help it find this kind of malware in the future.

Google quickly patched the affected Nexus 5 and Nexus 6 devices, but it is likely that many other Android OEMs did not follow suit. Google and some of the larger handset makers, such as Samsung and LG, provide monthly patches fairly regularly, but many handset makers make no commitment to do so.