The Google Play Protect team discovered a trojanized app in September after its device scans found an app on Google Play that could root devices with a handful of old vulnerabilities.
The offending app, a supposed workout app called MyTizi, has been removed from the Play Store. After identifying it, Google's malware researchers discovered several other apps with the same capabilities and removed them too.
The oldest Tizi app has been available since October 2015, but Google notes that only newer versions have rooting capabilities. The attacker was using Twitter and other social-media platforms to spread links to Play Store listings and third-party sites.
According to Google, Tizi has capabilities similar to commercial spyware and, after gaining root, steals data from Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.
It can also record calls from WhatsApp, Viber, and Skype, as well as access calendar events, call log data, contacts, photos, Wi-Fi encryption keys, and a list of installed apps.
Additionally, it can record audio when the user is not actively using the phone and take pictures without displaying the image on the screen.
The malware was used in targeted attacks, with the vast majority of infected devices located in Kenya, but there was also a significant number of infections in Nigeria and Tanzania.
One of the other Tizi-infected apps, for example, appeared to target people who would be interested in installing an app about the National Super Alliance, a Kenyan political coalition known as NASA. Another Tizi-infected app was a bogus system update.
Google shared the examples from VirusTotal to encourage security researchers to dig into this malware.
The company has suspended several developer accounts responsible for the Tizi-infected apps and has disabled the apps on affected devices using Google Play Protect. Google found 1,300 devices affected by Tizi.
The Twitter account spreading links to the MyTizi app was, as of today, still posting links to the now-removed Play Store page.
All devices with a security patch level of April 2016 or later are "far less exposed to Tizi's capabilities", according to Google.
Among the nine vulnerabilities the Tizi apps use to root devices were the so-called Towel Root (CVE-2014-3153) and Ping Pong Root (CVE-2015-3636) flaws.
The most recently patched flaw was CVE-2015-1805, or Pipe Root, a kernel exploit that researchers at Zimperium found in a rooting app called KingRoot. Google published a fix for this flaw to the Android Open Source Project (AOSP) in March 2016.
However, the patch for Pipe Root highlights the problem that Android users face, particularly those who own cheaper and older devices.
Google quickly patched affected Nexus 5 and Nexus 6 devices, but it's likely many other Android OEMs did not follow suit.
The same problem applies to Google's Android monthly patches in general: Google and some larger handset makers such as Samsung and LG regularly provide monthly patches, but many handset makers make no commitment to do so.