The mission of an Android backdoor that hit over 1,000 devices was to steal sensitive data from social media apps, researchers said.
The malware, which Google researchers are calling Tizi, has rooting capabilities and has already been used in a series of targeted attacks against victims in Kenya, Nigeria, and Tanzania.
Discovered by the Google Play Protect team in September, the backdoor appears to have been in use since October 2015.
Tizi implements spyware that allows it to steal sensitive data from the targeted applications, Google researchers said in a post.
The malware attempts to exploit old vulnerabilities to gain root access on the infected Android devices, and its developer also uses a website and social media to lure users into installing more apps from Google Play and third-party websites.
Google found over 1,300 devices affected by the malware. To add insult to injury, newer Tizi variants include rooting capabilities that attempt to exploit a series of local vulnerabilities, including CVE-2012-4220, CVE-2013-2596, CVE-2013-2597, CVE-2013-2595, CVE-2013-2094, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636, and CVE-2015-1805.
Since most of these vulnerabilities target older chipsets, devices, and Android versions, users running a security patch level of April 2016 or later are far less exposed to Tizi’s capabilities.
If none of the exploits work, the Tizi apps attempting to gain root fall back to performing the same actions through the high-level permissions they request from the user.
Once it has gained root on the compromised device, the threat can proceed to stealing sensitive data from popular social media apps such as Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.
After infection, the malware usually makes first contact with its command and control (C&C) server by sending an SMS containing the device’s GPS coordinates to a specific number. Subsequent communication with the C&C is performed over HTTPS, although some versions of the malware instead use the MQTT messaging protocol to connect to a custom server.
To reduce the chance of your device being affected by potentially harmful applications (PHAs) and other threats, the researchers recommend these 5 steps:
• Check permissions: Be cautious with apps that request unreasonable permissions. For example, a flashlight app shouldn’t need access to send SMS messages.
• Enable a secure lock screen: Pick a PIN, pattern, or password that is easy for you to remember and hard for others to guess.
• Update your device: Keep your device up-to-date with the latest security patches. Tizi exploited older and publicly known security vulnerabilities, so devices that have up-to-date security patches are less exposed to this kind of attack.
• Google Play Protect: Ensure Google Play Protect is enabled.
• Locate your device: Practice finding your device, because you are far more likely to lose your device than install a PHA.
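The "check permissions" and "update your device" advice above can be turned into a concrete review. The following added example (not code from Google's post or from the malware) audits an app's AndroidManifest.xml for permissions a given app type has no business requesting, flags the SMS-plus-GPS combination that matches the C&C beacon described in the article, and checks the device's security patch level against the April 2016 threshold the article gives. The manifest, the expected-permission set and the risk lists are constructed for this example.

```python
"""Permission and patch-level audit for the Tizi-style indicators described above.
Hypothetical example tool; permission lists are this example's own choices."""
import xml.etree.ElementTree as ET
from datetime import date

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that give an app the kind of data the article says Tizi steals or uses.
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
}
# Matches the first-contact beacon: an SMS carrying the device's GPS coordinates.
BEACON_PATTERN = {"android.permission.SEND_SMS", "android.permission.ACCESS_FINE_LOCATION"}

def requested_permissions(manifest_xml):
    """Return the set of permissions declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def audit(manifest_xml, expected):
    """Compare requested permissions with what this kind of app is expected to need."""
    perms = requested_permissions(manifest_xml)
    unexpected = perms - expected
    return {
        "unexpected": sorted(unexpected),
        "high_risk": sorted(unexpected & HIGH_RISK),
        "sms_gps_beacon": BEACON_PATTERN <= perms,
    }

def patch_level_ok(security_patch, minimum=date(2016, 4, 1)):
    """ro.build.version.security_patch (adb shell getprop) is formatted YYYY-MM-DD."""
    return date.fromisoformat(security_patch) >= minimum

# Constructed sample: a "flashlight" app asking for far more than a torch needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""
FLASHLIGHT_EXPECTED = {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, FLASHLIGHT_EXPECTED))
    print(patch_level_ok("2016-03-01"), patch_level_ok("2017-11-05"))
```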