A recently discovered Android malware variant has given Google a much-needed security victory.
Called Tizi, it’s a family of backdoor malware that specifically targets social media. Google picked up on it in September and has managed to “detect and investigate Tizi-infected apps and remove and block them from Android devices.”
The scale of the victory over Tizi is small, but it couldn’t come at a better time for Google. 2017 has brought a string of severe malware outbreaks to Android. Most of them simply waltzed past Google Play Protect, Google Play’s built-in anti-malware system, undetected—and that’s reason enough to make an Android user question their device’s security.
Tizi had the potential to be very serious, but Google said its threat analysis and Google Play Protect teams killed it well before it became a widespread problem.
The tizzy Tizi could have caused
Tizi malware was found on only a handful of Android devices (1,300), located primarily in Kenya, Nigeria, and Tanzania. The Google Play Protect team discovered Tizi when device scans found app packages that had gained root capabilities through older, known exploits.
Starting from the malicious app the team found, it determined that Tizi had been around since 2015 and that its developer even maintained a website and social media presence designed to trick people into downloading one of several Tizi apps that carried the malware.
Once installed, Tizi would gain root access and then steal information from social media apps. It could also send and receive SMS messages, record phone calls, access other apps like the calendar and photos, and retrieve system info like stored Wi-Fi keys. Perhaps most troubling, it could record and transmit ambient sound and take pictures without alerting the device owner.
If Tizi couldn’t gain root access, it would still request permissions from the device owner to allow it to function. Basically, it was a run-of-the-mill piece of backdoor Android malware, but this time Google caught it.
Tizi is dead, but what about other malware?
Google said it used Play Protect to disable Tizi apps and remove them, notified users that they were infected, and terminated the developer’s accounts.
Most importantly, Google said it has used “information and signals from the Tizi apps to update Google’s on-device security services and the systems that search for PHAs [potentially harmful applications]” and has rolled the updates out to every Google Play Protect user.
As mentioned above, Tizi was a small-scale outbreak. It is good that Google caught it, but the company also said Tizi had been around since 2015, meaning it took two years for the teams to find it.
Malware like Tizi isn’t even the main concern for Android users. The bigger concern is multi-stage attacks, like those found in early November, whose apps carry no malicious code at install time and only retrieve it from a command and control server after they have been installed.
It’s good to know that Google found a way to better detect typical backdoor-exploiting malware, but Android users shouldn’t let that lull them into a false sense of security. The real widespread threats are still nearly impossible for Play Protect to detect.
The top three takeaways for TechRepublic readers:
- Google discovered a malware app on the Play Store called Tizi, which was specifically targeting social media accounts. The malware was found on fewer than 2,000 devices, mainly in Africa.
- Google is citing Tizi’s discovery and elimination as a victory for Google Play Protect, and it is, considering the recent waves of Android malware that have been spreading from the Play Store.
- The biggest threat to Android devices isn’t typical malware like Tizi—it’s multi-stage attacks that don’t contain code that Google Play can use to detect malware. Until Play Protect is able to dig down to that level, Android devices are still vulnerable.