Google recently discovered and disposed of a number of Android applications form the Play Store, all of which contained the so-called “Tizi” backdoor, allowing for spyware to be installed in order to steal sensitive data from popular social media apps. These malware-infested applications have now been removed from the Play Store and users of all known affected devices have been notified about the matter. In addition, Google suspended their developers’ accounts from the platform, while the Google Play Protect team used information and signals from the identified apps to update its own on-device security services designed to search for potentially harmful applications.
Tizi is a full-fledged backdoor that can lean on vulnerabilities and exploits within the Android operating system in order to gain root access to a device. Once Tizi gains root access, it usually contacts its command-and-control servers by sending an SMS containing the infected device’s GPS coordinates. The backdoor can then be used to intercept and steal sensitive data from popular social media applications including Twitter, Facebook, WhatsApp, Skype, Viber, LinedIn, and Telegram. It can also send and receive SMS, access call logs, on-device photos, calendar events, contact lists, and even Wi-Fi encryption keys. Furthermore, Tizi applications are capable of recording ambient audio and capture images using the device’s camera without displaying the photo on the screen.
The good news is that Tizi is actually an older backdoor originally discovered in 2015, and the Android OS vulnerabilities that can be exploited by it have already been fixed with the April 2016 security update. Having said that, smartphones running at least the aforementioned security patch should be safe but with the Android ecosystem being made up of older and newer devices alike, and not every Android smartphone in the wild is protected by the April 2016 security update. According to Google, the recent investigation led to identifying roughly 1,300 devices affected by Tizi, the vast majority of which are located in Kenya. A smaller number of devices have also been affected in Nigeria, Tanzania, as well as the United States. As for how to avoid the malware, Google recommends checking for suspicious permissions when installing new apps from the Play Store and advises Android smartphone users to enable a lock screen, as well as Play Protect, while ensuring their device is running the latest security patch possible.