Google discovers Tizi spyware that steals data on Android devices

Google’s security team has identified spyware that it has named Tizi. This is mainly active in African countries and steals data from Android devices, for example from apps such as WhatsApp and Facebook.

The malware takes advantage of a number of vulnerabilities that have been patched by Google for some time on devices with April 2016 security updates, Google reports. There are several variants of the Tizi malware, which Google identifies as a family of malicious software. Later variants of Tizi can gain root access and use techniques that complicate code analysis.

Once the malware gains root access, it steals sensitive data from apps like WhatsApp, Facebook, Twitter, Skype, Viber, Linkedin, and Telegram. To connect to a command-and-control server, the malware first sends a text message containing a device’s GPS coordinates to a specified number. Then communication with the server takes place via https and in some cases via the mqtt protocol.

The Tizi malware can, among other things, record conversations, take pictures without being noticed, send and receive text messages, and access, for example, contacts and WiFi passwords. Google classifies the malware as a “full-featured backdoor.” By far the most malicious app installations took place in Kenya, followed by Nigeria and Tanzania.

After discovering the malicious software, Google notified the affected individuals and blocked the Google Play accounts of Tizi app developers.