The Google Play Protect team has discovered a new strain of Android spyware called Tizi inside several apps previously available via the Google Play marketplace. The discovery triggered a wider investigation by Google, which said that apps infected with the Tizi malware date back to 2015.
Tizi allowed an attacker to root a targeted device and steal sensitive data from apps such as Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn and Telegram. Specific geographies targeted were Kenya, Nigeria and Tanzania, Google said. A smaller number of victims resided in the United States, researchers said.
Researchers wrote in a Google Security Blog post, “The backdoor contains various capabilities common to commercial spyware, such as recording calls from WhatsApp, Viber, and Skype; sending and receiving SMS messages; and accessing calendar events, call log, contacts, photos, Wi-Fi encryption keys, and a list of all installed apps.”
The Tizi malware can also record ambient audio via the phone’s microphone and silently take pictures with no on-screen notifications alerting the phone’s owner.
Google added, “Subsequent command-and-control communications are normally performed over regular HTTPS, though in some specific versions, Tizi uses the MQTT messaging protocol with a custom server.”
The Google Play Protect team said it discovered the spyware in September 2017, with the oldest sample dating back to October 2015. “The early Tizi variants didn’t have rooting capabilities or obfuscation, but later variants did,” the researchers wrote.
Google said it identified 1,300 devices affected by Tizi.
Tizi was initially discovered in a workout app, “com.dailyworkout.tizi”, that was promoted via social media and meant to appeal to fans of the Kenyan fitness brand Tizi. “The Tizi app developer also created a website and used social media to encourage more app installs from Google Play and third-party websites,” Google said. Other Tizi-laced apps (com.press.nasa.com.tanofresh and com.system.update.systemupdate) were also found.