How does Tizi spyware affect Android apps?

A new strain of spyware called Tizi has been plaguing Android apps through the Google Play Store. What is Tizi spyware? How does it work, and what can be done to mitigate the threat it poses?

First spotted in September 2017 by Google's Play Protect team, apps infected with Tizi spyware have been around since October 2015. Although Tizi is classified as spyware, newer versions can gain root access to devices running vulnerable versions of Android, enabling it to perform a wide range of operations.

After gaining root access, Tizi spyware-infected apps can steal data from social media apps like Facebook, Twitter, LinkedIn and Telegram; record calls from WhatsApp, Viber and Skype; send and intercept text messages; and access calendar events, call log data, contacts, photos and Wi-Fi encryption keys. Additionally, Tizi-infected apps can record audio when the user is not actively using the phone and take pictures without alerting the user.

According to data gathered by Google, the malware was targeted at users in African countries, with the vast majority of the 1,300 devices affected by Tizi spyware located in Kenya. The attacker targeted fans of the Kenyan fitness brand Tizi by using Twitter and other social media platforms to spread links to a workout app listed on Google Play and other third-party sites. Other Tizi spyware infected apps included a bogus system update and one targeting people who would be interested in installing an app about the National Super Alliance, a Kenyan political coalition also known as NASA.

When the Tizi spyware infected app is first installed, it sends the device's GPS coordinates via text message to a command-and-control server that then communicates with the app via HTTPS and, in a few cases, with the Message Queuing Telemetry Transport. It can root a device via any one of the following nine vulnerabilities: CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636 or CVE-2015-1805. These are all old exploits, and any device with a security patch level of April 2016 or later is "far less exposed to Tizi's capabilities," according to Google.

However, if a Tizi app can't exploit any of these vulnerabilities to take control of a device, it will ask the user to grant it high-level permissions so it can read and send text messages and control phone calls. 

Google has suspended several developer accounts responsible for the apps infected with Tizi spyware, and it has disabled the apps on affected devices using Google Play Protect, a security package introduced last year that actively scans a device using machine learning technology to look for harmful apps. It also provided additional browser protection and anti-theft measures.

While users with newer Android devices are better protected, those who own cheaper and older devices need to be extra vigilant when installing new apps. Users should certainly follow Google's advice for keeping Android devices safe from malware and other potentially harmful applications (PHAs).

• Check permissions. Be cautious with apps that request unreasonable permissions. For example, a flashlight app shouldn't need access to send text messages.
• Enable a secure lock screen. Pick a PIN, pattern or password that is easy to remember and hard for others to guess.
• Update devices. Keep devices up to date with the latest security patches. Tizi exploited older and publicly known security vulnerabilities, so devices that have up-to-date security patches are less exposed to this kind of attack.
• Google Play Protect. Ensure Google Play Protect is enabled.
• Practice locating the device. Losing a device is far more likely than installing a PHA.

Users should review potential handset makers and network providers when selecting a mobile device, as it makes a big difference as to how easy or impossible it is to keep a device up to date with the latest security patches. For example, Google, Samsung and LG regularly provide monthly patches, but many handset makers make no commitment to do so, and some network providers can be slow to push new patches to their subscribers. Choosing the cheap option may prove to be costlier in the long term.

Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)