What is the scope of Tizi?

What are we doing?

To protect Android devices and users, we used Google Play Protect to disable Tizi-infected apps on affected devices and have notified users of all known affected devices. The developers’ accounts have been suspended from Play.

The Google Play Protect team also used information and signals from the Tizi apps to update Google’s on-device security services and the systems that search for PHAs. These enhancements have been enabled for all users of our security services and increase coverage for Google Play users and the rest of the Android ecosystem.

Additionally, there is more technical information below to help the security industry in our collective work against PHAs.

What do I need to do?

Through our investigation, we identified around 1,00 devices affected by Tizi. To reduce the chance of your device being affected by PHAs and other threats, we recommend these 5 basic steps:

  • Check permissions: Be cautious with apps that request unreasonable permissions. For example, a flashlight shouldn’t need access to send SMS messages.
  • Enable a secure lock screen: Pick a PIN, pattern, or password that is easy for you to remember and hard for others to guess.
  • Update your device: Keep your device up-to-date with the latest security patches. Tizi exploited older and publicly known security vulnerabilities, so devices that have up-to-date security patches are less exposed to this kind of attack.
  • Google Play Protect: Ensure Google Play Protect is enabled.
  • Locate your device: Practice finding your device, because you are far more likely to lose your device than install a PHA.

How does Tizi work?

The Google Play Protect team had previously classified some samples as spyware or backdoor PHAs without connecting them as a family. The early Tizi variants didn’t have rooting capabilities or obfuscation, but later variants did.

After gaining root, Tizi steals sensitive data from popular social media apps like Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram. It usually first contacts its command-and-control servers by sending an SMS with the device’s GPS coordinates to a specific number. Subsequent command-and-control communications are normally performed over regular HTTPS, though in some specific versions, Tizi uses the MQTT messaging protocol with a custom server. The backdoor contains various capabilities common to commercial spyware, such as recording calls from WhatsApp, Viber, and Skype; sending and receiving SMS messages; and accessing calendar events, call log, contacts, photos, Wi-Fi encryption keys, and a list of all installed apps. Tizi apps can also record ambient audio and take pictures without displaying the image on the device’s screen.

Tizi can root the device by exploiting one of the following local vulnerabilities:

  • CVE-2012-4220
  • CVE-2013-2596
  • CVE-2013-2597
  • CVE-2013-2595
  • CVE-2013-2094
  • CVE-2013-6282
  • CVE-2014-3153
  • CVE-2015-3636
  • CVE-2015-1805

Most of these vulnerabilities target older chipsets, devices, and Android versions. All of the listed vulnerabilities are fixed on devices with a security patch level of April 2016 or later, and most of them were patched considerably prior to this date. Devices with this patch level or later are far less exposed to Tizi’s capabilities. If a Tizi app is unable to take control of a device because the vulnerabilities it tries to use are all patched, it will still attempt to perform some actions through the high level of permissions it asks the user to grant, mainly around reading and sending SMS messages and monitoring, redirecting, and preventing outgoing phone calls.

Samples uploaded to VirusTotal

To encourage further research in the security community, here are some sample applications embedding Tizi that were already on VirusTotal.

Package name | SHA256 digest | SHA1 certificate
com.press.nasa.com.tanofresh | 4d780a6fc18458311250d4d1edc750468fdb9b3e4c950dce5b35d4567b47d4a7 | 816bbee3cab5eed00b8bd16df56032a96e243201
com.dailyworkout.tizi | 7c6af091a7b0f04fb5b212bd3c180ddcc6abf7cd77478fd22595e5b7aa7cfd9f | 404b4d1a7176e219eaa457b0050b4081c22a9a1a
com.system.update.systemupdate | 7a956c754f003a219ea1d2205de3ef5bc354419985a487254b8aeb865442a55e | 4d2962ac1f65514709a5a874595d855b1fa8ab
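As an added example, not from the original post and not Google's tooling, the following POSIX shell triage helper combines the two defensive checks the post gives a reader: the April 2016 security patch level after which all nine listed rooting vulnerabilities are fixed, and the sample package names and SHA256 digests from the table above. It assumes adb is on PATH only when invoked with the `audit` argument; the checking functions themselves run offline on any string or file.

```shell
#!/bin/sh
# Added triage helper, not from the original post. The package names and
# digests below are copied from the post's samples table; adb is only
# invoked when the script is run as: sh tizi_check.sh audit
TIZI_PACKAGES="com.press.nasa.com.tanofresh com.dailyworkout.tizi com.system.update.systemupdate"
TIZI_SHA256="4d780a6fc18458311250d4d1edc750468fdb9b3e4c950dce5b35d4567b47d4a7
7c6af091a7b0f04fb5b212bd3c180ddcc6abf7cd77478fd22595e5b7aa7cfd9f
7a956c754f003a219ea1d2205de3ef5bc354419985a487254b8aeb865442a55e"

# patch_level_ok YYYY-MM-DD: succeeds when the level is April 2016 or later,
# the point at which all nine listed rooting CVEs are fixed. An unparseable
# value returns 2 so that "unknown" is never reported as "patched".
patch_level_ok() {
  lvl=$(printf '%s' "$1" | tr -d '-')
  case "$lvl" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
    *) return 2 ;;
  esac
  [ "$lvl" -ge 20160401 ]
}
# known_tizi_package NAME: succeeds when NAME is one of the listed samples.
known_tizi_package() {
  for p in $TIZI_PACKAGES; do
    [ "$p" = "$1" ] && return 0
  done
  return 1
}
# known_tizi_digest HEX: succeeds when a lowercase SHA256 matches a sample.
known_tizi_digest() {
  for d in $TIZI_SHA256; do
    [ "$d" = "$1" ] && return 0
  done
  return 1
}
# check_apk PATH: hash a pulled APK (adb pull) and compare it to the samples.
check_apk() {
  known_tizi_digest "$(sha256sum "$1" | cut -d' ' -f1 | tr 'A-F' 'a-f')"
}
# audit_device: run both checks against the connected device over adb.
audit_device() {
  lvl=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
  if patch_level_ok "$lvl"; then echo "patch level $lvl: listed CVEs fixed"
  else echo "patch level $lvl: older than April 2016, exposed to Tizi rooting"; fi
  adb shell pm list packages | tr -d '\r' | sed 's/^package://' |
  while read -r pkg; do known_tizi_package "$pkg" && echo "Tizi package: $pkg"; done
}

if [ "${1:-}" = "audit" ]; then audit_device; fi
```

A package-name match is only a hint, since a repackaged sample can carry any name; the digest comparison over a pulled APK is the stronger indicator.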

Additional digests linked to Tizi

To encourage further research in the security community, here are some sample digests of exploits and utilities that were used or abused by Tizi.

Filename | SHA256 digest
run_root_shell | f2e45ea50fc71b62d9ea59990ced755636286121437ced6237aff90981388f6a
iovyroot | 4d0887f41d0de2f31459c14e3133debcdf758ad8bbe57128d3bec2c907f2acf3
filesbetyangu.tar | 9869871ed246d5670ebca02bb265a584f998f461db02833ba58d4a650333be
