Tizi: Detecting and blocking socially engineered spyware on Android
Google is constantly working to improve our systems that protect users from Potentially Harmful Applications (PHAs). Usually, PHA authors attempt to install their harmful apps on as many devices as possible. However, a few PHA authors spend substantial effort, time, and money to create and install their harmful app on a small number of devices to achieve a certain goal.
This blog post covers Tizi, a backdoor family with some rooting capabilities that was used in a targeted attack against devices in African countries, specifically: Kenya, Nigeria, and Tanzania. We’ll talk about how the Google Play Protect and Threat Analysis teams worked together to detect and investigate Tizi-infected apps and remove and block them from Android devices.
What is Tizi?
Tizi is a fully featured backdoor that installs spyware to steal sensitive data from popular social media applications. The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities. The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015. The Tizi app developer also created a website and used social media to encourage more app installs from Google Play and third-party websites.
Here is an example social media post promoting a Tizi-infected app:


Steps users can take to reduce their exposure to Tizi and similar PHAs:

- Check permissions: Be cautious with apps that request unreasonable permissions. For example, a flashlight app shouldn’t need access to send SMS messages.
- Enable a secure lock screen: Pick a PIN, pattern, or password that is easy for you to remember and hard for others to guess.
- Update your device: Keep your device up to date with the latest security patches. Tizi exploited older, publicly known security vulnerabilities, so devices with current security patches are less exposed to this kind of attack.
- Google Play Protect: Ensure Google Play Protect is enabled.
- Locate your device: Practice finding your device, because you are far more likely to lose your device than to install a PHA.
The rooting capability relies on the following older, publicly known vulnerabilities:

- CVE-2012-4220
- CVE-2013-2596
- CVE-2013-2597
- CVE-2013-2595
- CVE-2013-2094
- CVE-2013-6282
- CVE-2014-3153
- CVE-2015-3636
- CVE-2015-1805
| Package name | SHA256 digest | SHA1 certificate |
| --- | --- | --- |
| com.press.nasa.com.tanofresh | 4d780a6fc18458311250d4d1edc750468fdb9b3e4c950dce5b35d4567b47d4a7 | 816bbee3cab5eed00b8bd16df56032a96e243201 |
| com.dailyworkout.tizi | 7c6af091a7b0f04fb5b212bd3c180ddcc6abf7cd77478fd22595e5b7aa7cfd9f | 404b4d1a7176e219eaa457b0050b4081c22a9a1a |
| com.system.update.systemupdate | 7a956c754f003a219ea1d2205de3ef5bc354419985a487254b8aeb865442a55e | 4d2962ac1f6551435709a5a874595d855b1fa8ab |

| Filename | SHA256 digest |
| --- | --- |
| run_root_shell | f2e45ea50fc71b62d9ea59990ced755636286121437ced6237aff90981388f6a |
| iovyroot | 4d0887f41d0de2f31459c14e3133debcdf758ad8bbe57128d3bec2c907f2acf3 |
| filesbetyangu.tar | 9869871ed246d5670ebca02bb265a584f998f461db0283103ba58d4a650333be |
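As an added example (not code from the post or from Google), here is a Python helper that takes the output of `adb shell pm list packages -f`, hashes APKs pulled from the device, and matches package names and SHA256 digests against the indicators listed above. It assumes the pulled APKs are saved as `<package>.apk` in one directory; the certificate SHA1 column is not checked here, since that requires parsing the APK's signature block.

```python
import hashlib
import re
from pathlib import Path
# Indicators copied from the post's tables: package name -> APK SHA256 ...
TIZI_APK_SHA256 = {
    "com.press.nasa.com.tanofresh": "4d780a6fc18458311250d4d1edc750468fdb9b3e4c950dce5b35d4567b47d4a7",
    "com.dailyworkout.tizi": "7c6af091a7b0f04fb5b212bd3c180ddcc6abf7cd77478fd22595e5b7aa7cfd9f",
    "com.system.update.systemupdate": "7a956c754f003a219ea1d2205de3ef5bc354419985a487254b8aeb865442a55e",
}
# ... and rooting helper filename -> SHA256.
TIZI_FILE_SHA256 = {
    "run_root_shell": "f2e45ea50fc71b62d9ea59990ced755636286121437ced6237aff90981388f6a",
    "iovyroot": "4d0887f41d0de2f31459c14e3133debcdf758ad8bbe57128d3bec2c907f2acf3",
    "filesbetyangu.tar": "9869871ed246d5670ebca02bb265a584f998f461db0283103ba58d4a650333be",
}
# digest -> label, so any hashed file is checked with a single lookup
KNOWN_DIGESTS = {d: n for t in (TIZI_APK_SHA256, TIZI_FILE_SHA256) for n, d in t.items()}
PM_LINE = re.compile(r"^package:(?P<path>.+)=(?P<pkg>[\w.]+)$")

def parse_pm_list(text):
    """Parse `adb shell pm list packages -f` output ("package:<apk path>=<pkg>")."""
    matches = (PM_LINE.match(line.strip()) for line in text.splitlines())
    return [(m.group("path"), m.group("pkg")) for m in matches if m]

def sha256_file(path, chunk=1 << 16):
    """Stream the file so large APKs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def classify(package, digest):
    """Reasons a (package, sha256) pair matches the Tizi indicators; [] if none."""
    reasons = []
    if package in TIZI_APK_SHA256:
        reasons.append("package name matches a Tizi sample")
    if digest in KNOWN_DIGESTS:
        reasons.append("SHA256 matches Tizi indicator " + KNOWN_DIGESTS[digest])
    return reasons

def scan_pulled_apks(pm_output, pulled_dir):
    """pulled_dir holds APKs fetched with `adb pull`, saved as <package>.apk (assumed layout)."""
    findings = {}
    for _, pkg in parse_pm_list(pm_output):
        local = Path(pulled_dir) / (pkg + ".apk")
        digest = sha256_file(local) if local.is_file() else None
        if reasons := classify(pkg, digest):
            findings[pkg] = reasons
    return findings
```

A package-name match alone is a weak signal, since a benign app could reuse the name; the digest match is the one to act on.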