The Daily Swig Web security digest

Google blocks backdoored apps targeting African users

James Walker | 28 November 2017 at 15:47

Tizi found to be harvesting sensitive data from devices.

Google security researchers have removed and blocked a series of apps on the Google Play store that were capable of stealing sensitive data from compromised devices.

According to the tech giant’s Threat Analysis Group, the Google Play Protect security team recently discovered that a backdoor family with some rooting capabilities was being used in targeted attacks against devices in Kenya, Nigeria, and Tanzania.

The backdoor – dubbed ‘Tizi’ – installs spyware to steal sensitive data from popular social media applications.

“The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities,” the researchers said.

“The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015. The Tizi app developer also created a website and used social media to encourage more app installs from Google Play and third-party websites.”

After gaining root, Tizi can steal sensitive data from popular social media apps including Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.

“The backdoor contains various capabilities common to commercial spyware, such as recording calls from WhatsApp, Viber, and Skype; sending and receiving SMS messages; and accessing calendar events, call log, contacts, photos, WiFi encryption keys, and a list of all installed apps,” the group said.

Through its investigation, Threat Analysis Group identified around 1,300 devices that were affected by Tizi. The researchers noted, however, that the backdoor exploits vulnerabilities in Android that were patched in April 2016, so those using an up-to-date device are protected.
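The mitigation in the preceding paragraph is the device's Android security patch level. A defender checking a fleet will typically dump `getprop` over `adb shell` and compare `ro.build.version.security_patch` against the April 2016 cut-off the article gives. The script below is an added example written for this digest, not code from Google or from the Threat Analysis Group; the two `getprop` dumps are constructed sample input, and the exact cut-off day (the 1st of the month) is an assumption, since the page only names the month.

```python
import re
from datetime import date

# Patch level at or after which the Android vulnerabilities Tizi used for
# rooting were fixed. The article states "April 2016"; the day is assumed.
MIN_PATCH_LEVEL = date(2016, 4, 1)

# Each line of `adb shell getprop` output looks like: [key]: [value]
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text):
    """Turn a getprop dump into a dict; lines that do not match are ignored."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch level; return None if absent or malformed."""
    try:
        year, month, day = (int(p) for p in value.split("-"))
        return date(year, month, day)
    except (ValueError, AttributeError):
        return None


def assess_device(getprop_text, min_level=MIN_PATCH_LEVEL):
    """Report whether a device's patch level is at or beyond min_level.

    Devices older than Android 6.0 do not expose ro.build.version.security_patch
    at all; a missing or unparsable value is treated as NOT protected, because
    such a build certainly predates the April 2016 fixes.
    """
    props = parse_getprop(getprop_text)
    level = parse_patch_level(props.get("ro.build.version.security_patch", ""))
    return {
        "model": props.get("ro.product.model", "unknown"),
        "android": props.get("ro.build.version.release", "unknown"),
        "patch_level": level.isoformat() if level else None,
        "protected": level is not None and level >= min_level,
    }


# Constructed sample dumps (not real device output).
SAMPLE_PATCHED = """\
[ro.product.model]: [Example Phone A]
[ro.build.version.release]: [7.1.2]
[ro.build.version.security_patch]: [2017-11-05]
"""

SAMPLE_UNPATCHED = """\
[ro.product.model]: [Example Phone B]
[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2016-02-01]
"""

SAMPLE_PRE_MARSHMALLOW = """\
[ro.product.model]: [Example Phone C]
[ro.build.version.release]: [5.1.1]
"""

if __name__ == "__main__":
    for dump in (SAMPLE_PATCHED, SAMPLE_UNPATCHED, SAMPLE_PRE_MARSHMALLOW):
        print(assess_device(dump))
```

In practice the dump comes from `adb -s <serial> shell getprop`; the parser is deliberately tolerant of stray lines so that a full dump can be fed in unfiltered.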

“To protect Android devices and users, we used Google Play Protect to disable Tizi-infected apps on affected devices and have notified users of all known affected devices,” Threat Analysis Group said. “The developers’ accounts have been suspended from Play.”