



What is the scope of Tizi?









What are we doing?





To protect Android devices and users, we used Google Play Protect to disable Tizi-infected apps on affected devices and have notified users of all known affected devices. The developers' accounts have been suspended from Play.





The Google Play Protect team also used information and signals from the Tizi apps to update Google's on-device security services and the systems that search for PHAs. These enhancements have been enabled for all users of our security services and increases coverage for Google Play users and the rest of the Android ecosystem.





Additionally, there is more technical information below to help the security industry in our collective work against PHAs.









What do I need to do?





Through our investigation, we identified around 1,300 devices affected by Tizi. To reduce the chance of your device being affected by PHAs and other threats, we recommend these 5 basic steps:

Check permissions: Be cautious with apps that request unreasonable permissions. For example, a flashlight app shouldn't need access to send SMS messages.

Be cautious with apps that request unreasonable permissions. For example, a flashlight app shouldn't need access to send SMS messages. Enable a secure lock screen : Pick a PIN, pattern, or password that is easy for you to remember and hard for others to guess.

: Pick a PIN, pattern, or password that is easy for you to remember and hard for others to guess. Update your device : Keep your device up-to-date with the latest security patches. Tizi exploited older and publicly known security vulnerabilities, so devices that have up-to-date security patches are less exposed to this kind of attack.

: Keep your device up-to-date with the latest security patches. Tizi exploited older and publicly known security vulnerabilities, so devices that have up-to-date security patches are less exposed to this kind of attack. Google Play Protect : Ensure Google Play Protect is enabled.

: Ensure Google Play Protect is enabled. Locate your device: Practice finding your device, because you are far more likely to lose your device than install a PHA.





How does Tizi work?





The Google Play Protect team had previously classified some samples as spyware or backdoor PHAs without connecting them as a family. The early Tizi variants didn't have rooting capabilities or obfuscation, but later variants did.





After gaining root, Tizi steals sensitive data from popular social media apps like Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram. It usually first contacts its command-and-control servers by sending an SMS with the device's GPS coordinates to a specific number. Subsequent command-and-control communications are normally performed over regular HTTPS, though in some specific versions, Tizi uses the MQTT messaging protocol with a custom server. The backdoor contains various capabilities common to commercial spyware, such as recording calls from WhatsApp, Viber, and Skype; sending and receiving SMS messages; and accessing calendar events, call log, contacts, photos, Wi-Fi encryption keys, and a list of all installed apps. Tizi apps can also record ambient audio and take pictures without displaying the image on the device's screen.





Tizi can root the device by exploiting one of the following local vulnerabilities:

CVE-2012-4220

CVE-2013-2596

CVE-2013-2597

CVE-2013-2595

CVE-2013-2094

CVE-2013-6282

CVE-2014-3153

CVE-2015-3636

CVE-2015-1805 Most of these vulnerabilities target older chipsets, devices, and Android versions. All of the listed vulnerabilities are fixed on devices with a security patch level of April 2016 or later, and most of them were patched considerably prior to this date. Devices with this patch level or later are far less exposed to Tizi's capabilities. If a Tizi app is unable to take control of a device because the vulnerabilities it tries to use are are all patched, it will still attempt to perform some actions through the high level of permissions it asks the user to grant to it, mainly around reading and sending SMS messages and monitoring, redirecting, and preventing outgoing phone calls.









Samples uploaded to VirusTotal





To encourage further research in the security community, here are some sample applications embedding Tizi that were already on VirusTotal.





Package name SHA256 digest SHA1 certificate com.press.nasa.com.tanofresh 4d780a6fc18458311250d4d1edc750 468fdb9b3e4c950dce5b35d4567b47 d4a7 816bbee3cab5eed00b8bd16df56032 a96e243201 com.dailyworkout.tizi 7c6af091a7b0f04fb5b212bd3c180d dcc6abf7cd77478fd22595e5b7aa7c fd9f 404b4d1a7176e219eaa457b0050b40 81c22a9a1a com.system.update.systemupdate 7a956c754f003a219ea1d2205de3ef 5bc354419985a487254b8aeb865442 a55e 4d2962ac1f6551435709a5a874595d 855b1fa8ab









Additional digests linked to Tizi





To encourage further research in the security community, here are some sample digests of exploits and utilities that were used or abused by Tizi.



