Android spyware found secretly recording WhatsApp, Viber, and Skype chats

Google Play’s security team has shared details of a family of Android malware spotted in the company’s official app store, capable of stealing sensitive data from social media apps and spying on WhatsApp, Viber, and Skype communications.

The malware, known as Tizi, is described as a fully-featured backdoor that can root targeted Android devices and install spyware without the knowledge of the user. Tizi is known to have been used in attacks against devices in a variety of African countries, with the majority of infections being spotted in Kenya.

Tizi-infected apps, say researchers, have been advertised on social media websites, Google Play and third-party sites.

Aside from snooping on communications sent via the likes of WhatsApp, Telegram, Viber, and Skype, Tizi can also send and receive SMS messages, access the user’s call log, calendar, photos, Wi-Fi encryption keys, as well as a list of installed apps. In addition, the Tizi malware is capable of recording ambient audio and taking photographs without the knowledge of users.

After gaining root, Tizi steals sensitive data from popular social media apps like Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram. It usually first contacts its command-and-control servers by sending an SMS with the device’s GPS coordinates to a specific number. Subsequent command-and-control communications are normally performed over regular HTTPS, though in some specific versions, Tizi uses the MQTT messaging protocol with a custom server. The backdoor contains various capabilities common to commercial spyware, such as recording calls from WhatsApp, Viber, and Skype; sending and receiving SMS messages; and accessing calendar events, call log, contacts, photos, Wi-Fi encryption keys, and a list of all installed apps. Tizi apps can also record ambient audio and take pictures without displaying the image on the device’s screen.

In short, you’re unwittingly carrying a spy around in your pocket.

The good news is that most Android users don’t seem to have encountered Tizi. Google has identified some 1300 infected devices, with most of the installations based in Kenya.

The natural conclusion is that this is not a widespread attack, but instead an attempt by somebody to launch a focused, targeted attack against carefully-selected targets.

Google says that it spotted the Tizi spyware in September, after it was picked up by automatic scans from Google Play’s built-in scanner – Google Play Protect. However, a deeper investigation uncovered that Tizi-infected apps stretched back as far as October 2015.

Google has suspended the account of the offending app developer, and Google Play Protect was then used to remove the harmful apps from victims’ devices.

Android users are advised to take the following five precautions to better defend their devices:

  • Check permissions: Be cautious with apps that request unreasonable permissions. For instance, a Flashlight app should never need to be able to access your SMS messages.
  • Enable a secure lock screen: Pick a PIN, pattern, or password that is easy for you to remember and hard for others to guess.
  • Keep your device updated: Ensure that your device is up-to-date with the latest security patches, as malware often exploits known vulnerabilities.
  • Google Play Protect: Ensure Google Play Protect is enabled on your device.
  • Know where your Android device is: Practice finding your device, because you are far more likely to lose your device than install a Potentially Harmful Application (PHA).

This is all good advice, although it has been my experience that many Android devices are woefully out-of-date when it comes to operating system patches – not because of any failing by the user, but rather that an upgrade path has simply never been made available.

Leave a Reply