Tizi backdoor rooted Android devices by exploiting old vulnerabilities

Google has discovered and removed from Google Play a number of apps that contained the Tizi backdoor, which installs spyware to steal sensitive data from popular social media applications.

Victims of the Tizi backdoor

The backdoor got the name from one of the apps it was included in (com.dailyworkout.tizi). The app was apparently a workout app, and its name was probably chosen to mentally associate it with Tizi, a wellness/fitness brand from Kenya.

Another app by the same developer seems like it could have been a fake app for following happenings related to a Kenyan political coalition/movement (com.press.nasa.com.tanofresh). A third one – com.system.update.systemupdate was likely a generic fake system update app.

Google found a total of 1,300 devices affected by Tizi, the great majority of which were installed by users from Kenya, followed by a much smaller percentage of Nigerian and Tanzanian users.

The backdoor’s capabilities

Google says its Google Play Protect security team discovered the Tizi family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities.

“The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015. The Tizi app developer also created a website and used social media to encourage more app installs from Google Play and third-party websites,” they noted.

“The Google Play Protect team had previously classified some samples as spyware or backdoor PHAs without connecting them as a family. The early Tizi variants didn’t have rooting capabilities or obfuscation, but later variants did.”

The malware can root target devices by exploiting one of nine vulnerabilities, the most recent of which dates back to 2015, and the oldest to 2012. All of them have been patched by April 2016. But even if the malware wasn’t able to root a target device by exploiting these vulnerabilities, it could still read and send SMS messages and monitor, redirect, and prevent outgoing phone calls.

If it managed to root the device, Tizi was far more powerful: in addition to these aforementioned capabilities, it could also:

• Record calls from WhatsApp, Viber, and Skype
• Steal sensitive data from popular social media apps like Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram
• Record ambient audio and take pictures
• Access calendar events, call log, contacts, photos, Wi-Fi encryption keys, and a list of all installed apps.

Google’s cleaning efforts

As mentioned before, Google has removed the backdoored apps from Google Play, and has suspended the developer’s Google Play account has since been suspended.

The company has also used Google Play Protect to disable the backdoored apps equipped from affected devices and has notified users of all known affected devices.

They’ve uploaded samples of the malware on VirusTotal, and have shared sample digests of exploits and utilities that were used or abused by Tizi, in order to help the research community delve into the malware.

The Twitter account spreading links to the backoored MyTizi app is still up, but it still points to the removed Google Play Store page for the app.