
Android spyware found secretly recording WhatsApp, Viber, and Skype chats

Graham CLULEY

November 29, 2017

Google Play’s security team has shared details of a family of Android malware spotted in the company’s official app store, capable of stealing sensitive data from social media apps and spying on WhatsApp, Viber, and Skype communications.

The malware, known as Tizi, is described as a fully-featured backdoor that can root targeted Android devices and install spyware without the knowledge of the user. Tizi is known to have been used in attacks against devices in a variety of African countries, with the majority of infections being spotted in Kenya.

Tizi-infected apps, say researchers, have been advertised on social media websites, Google Play and third-party sites.

Aside from snooping on communications sent via the likes of WhatsApp, Telegram, Viber, and Skype, Tizi can also send and receive SMS messages, access the user’s call log, calendar, photos, Wi-Fi encryption keys, as well as a list of installed apps. In addition, the Tizi malware is capable of recording ambient audio and taking photographs without the knowledge of users.

After gaining root, Tizi steals sensitive data from popular social media apps like Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram. It usually first contacts its command-and-control servers by sending an SMS with the device’s GPS coordinates to a specific number. Subsequent command-and-control communications are normally performed over regular HTTPS, though in some specific versions, Tizi uses the MQTT messaging protocol with a custom server. The backdoor contains various capabilities common to commercial spyware, such as recording calls from WhatsApp, Viber, and Skype; sending and receiving SMS messages; and accessing calendar events, call log, contacts, photos, Wi-Fi encryption keys, and a list of all installed apps. Tizi apps can also record ambient audio and take pictures without displaying the image on the device’s screen.

In short, you’re unwittingly carrying a spy around in your pocket.

The good news is that most Android users don’t seem to have encountered Tizi. Google has identified some 1300 infected devices, with most of the installations based in Kenya.

The natural conclusion is that this is not a widespread attack, but instead an attempt by somebody to launch a focused, targeted attack against carefully-selected targets.

Google says that it spotted the Tizi spyware in September, after it was picked up by automatic scans from Google Play’s built-in scanner – Google Play Protect. However, a deeper investigation uncovered that Tizi-infected apps stretched back as far as October 2015.

Google has suspended the account of the offending app developer, and Google Play Protect was then used to remove the harmful apps from victims’ devices.

Android users are advised to take the following five precautions to better defend their devices:

  • Check permissions: Be cautious with apps that request unreasonable permissions. For instance, a Flashlight app should never need to be able to access your SMS messages.
  • Enable a secure lock screen: Pick a PIN, pattern, or password that is easy for you to remember and hard for others to guess.
  • Keep your device updated: Ensure that your device is up-to-date with the latest security patches, as malware often exploits known vulnerabilities.
  • Google Play Protect: Ensure Google Play Protect is enabled on your device.
  • Know where your Android device is: Practice finding your device, because you are far more likely to lose your device than install a Potentially Harmful Application (PHA).

This is all good advice, although it has been my experience that many Android devices are woefully out-of-date when it comes to operating system patches – not because of any failing by the user, but rather that an upgrade path has simply never been made available.
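
The "check permissions" precaution can be automated when reviewing apps in bulk. The sketch below is an added example, not code from Google or from the original article: it reads an `AndroidManifest.xml` that has already been decoded to text and flags apps whose requested permissions span several of the capabilities the article attributes to Tizi. The capability grouping, the threshold, and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Capabilities the article attributes to Tizi, mapped to the permissions that
# gate them. The grouping and the threshold of 3 are assumptions of this example.
SENSITIVE = {
    "sms": {"SEND_SMS", "RECEIVE_SMS", "READ_SMS"},
    "call_log": {"READ_CALL_LOG"},
    "calendar": {"READ_CALENDAR"},
    "contacts": {"READ_CONTACTS"},
    "ambient_audio": {"RECORD_AUDIO"},
    "camera": {"CAMERA"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
}

def audit(manifest_xml, threshold=3):
    """Return the sensitive capability groups an app requests and a flag."""
    root = ET.fromstring(manifest_xml.strip())
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            if name.startswith(PREFIX):
                perms.add(name[len(PREFIX):])
    groups = {g: sorted(perms & p) for g, p in SENSITIVE.items() if perms & p}
    return {"package": root.get("package"), "groups": groups,
            "flagged": len(groups) >= threshold}

def manifest(package, perms):
    """Build a constructed sample manifest (not taken from any real app)."""
    rows = "".join('<uses-permission android:name="%s%s"/>' % (PREFIX, p) for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s</manifest>' % (package, rows))

# Constructed samples: a flashlight app asking for far more than the camera
# flash, and a notes app with a modest request.
FLASHLIGHT = manifest("com.example.flashlight",
    ["CAMERA", "READ_SMS", "SEND_SMS", "RECORD_AUDIO", "ACCESS_FINE_LOCATION"])
NOTES = manifest("com.example.notes", ["INTERNET", "READ_CALENDAR"])

if __name__ == "__main__":
    for sample in (FLASHLIGHT, NOTES):
        print(audit(sample))
```

A flag here means "review this app", not "this app is malicious": plenty of legitimate apps request several of these permissions, so the result is a triage signal to weigh against what the app claims to do.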
