Google has kicked out a number of apps from its Play Store that belonged to the same malware family and were used by their developer to steal sensitive data from apps like Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.
The malware family could record calls and steal data from popular Android apps and could access call logs, contacts, photos and calendar events on devices.
The malware family, named Tizi, first appeared on the Play Store in October 2015 and enjoyed the largest number of downloads in African countries like Kenya, Nigeria, and Tanzania. Google’s security and threat analysis teams observed that these apps had rooting capabilities and could steal data from other popular Android apps.
Google also confirmed that the malware family infected around 1,300 Android devices and asked users for various unreasonable permissions while being downloaded. These apps then exploited older, publicly known security vulnerabilities that had not yet been patched on those devices.
‘After gaining root, Tizi steals sensitive data from popular social media apps like Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram. It usually first contacts its command-and-control servers by sending an SMS with the device’s GPS coordinates to a specific number,’ said researchers at Google.
They added that apps belonging to the Tizi malware family could, before they were kicked out, record calls from WhatsApp, Viber, and Skype; send and receive SMS messages; and access calendar events, call log, contacts, photos, Wi-Fi encryption keys, and a list of all installed apps. These apps could also record ambient audio and take pictures without displaying the image on the device’s screen.
‘All of the listed vulnerabilities are fixed on devices with a security patch level of April 2016 or later, and most of them were patched considerably prior to this date. Devices with this patch level or later are far less exposed to Tizi’s capabilities,’ they said.
How to protect yourself from malicious apps?
To ensure users are not affected by apps with similar capabilities in the future, Google is now asking users to be wary of apps that request unreasonable permissions, enable secure lock screens, keep their devices updated with the latest security patches, and install the new Google Play Protect malware detection software.
This is because if a malware-carrying app, like those belonging to the Tizi family, is unable to take control of a device that has been updated with the latest patches, it will try to gain access by requesting a high level of permissions from users. These permissions include reading and sending SMS messages and monitoring, redirecting, and preventing outgoing phone calls.
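The two checks described above (a security patch level of April 2016 or later, and apps holding SMS and call-control permissions) can be combined into a simple device triage, shown here as an added example that is not code from Google or from the original article. The package names and app inventory are constructed, the flagging threshold is an assumption, and the patch level is assumed to be the `YYYY-MM-DD` string Android reports in `ro.build.version.security_patch`.

```python
from datetime import date

# Patch level the article gives as fixing every vulnerability Tizi exploited.
TIZI_FIXED_LEVEL = date(2016, 4, 1)

P = "android.permission."
# Android permissions matching the capabilities the article lists for Tizi.
SENSITIVE = {
    P + "READ_SMS": "read SMS",
    P + "SEND_SMS": "send SMS",
    P + "RECEIVE_SMS": "receive SMS",
    P + "PROCESS_OUTGOING_CALLS": "monitor/redirect/block outgoing calls",
    P + "RECORD_AUDIO": "record audio",
    P + "CAMERA": "take pictures",
    P + "READ_CALL_LOG": "read call log",
    P + "READ_CONTACTS": "read contacts",
    P + "READ_CALENDAR": "read calendar",
    P + "ACCESS_FINE_LOCATION": "GPS location",
}

# Constructed inventory (package -> requested permissions), not real apps.
SAMPLE_APPS = {
    "com.example.flashlight": [P + "READ_SMS", P + "SEND_SMS", P + "INTERNET",
                               P + "PROCESS_OUTGOING_CALLS", P + "RECORD_AUDIO"],
    "com.example.notes": [P + "INTERNET", P + "READ_CALENDAR"],
}

def patch_level_ok(level):
    """True if a YYYY-MM-DD patch level string is April 2016 or later."""
    try:
        return date.fromisoformat(level.strip()) >= TIZI_FIXED_LEVEL
    except (ValueError, AttributeError):
        return False  # missing or malformed value: treat the device as unpatched

def audit(level, apps, threshold=3):
    """Return (patched, findings); findings maps package -> sensitive capabilities.

    Triage heuristic only (threshold is an assumption): an app is flagged when it
    holds `threshold` or more sensitive permissions, or both SMS and call control.
    """
    findings = {}
    for pkg, perms in apps.items():
        hits = sorted(SENSITIVE[p] for p in perms if p in SENSITIVE)
        sms = any("SMS" in h for h in hits)
        calls = any("outgoing calls" in h for h in hits)
        if len(hits) >= threshold or (sms and calls):
            findings[pkg] = hits
    return patch_level_ok(level), findings
```

A flagged app is a prompt for manual review rather than a verdict, since legitimate messaging and dialer apps hold the same permissions.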
Earlier this month, security researchers at ESET identified a new set of legitimate-looking malicious apps on the Google Play Store that contained multi-stage Android malware and bypassed the Play Store’s security controls to infiltrate mobile devices.
According to the researchers, these apps featured delayed onset of malicious activity, as well as advanced anti-detection features like multi-stage architecture, encryption, and multi-stage payload delivery, which were invisible to users.
Even though eight such apps were discovered, the researchers did not rule out the possibility of similar malicious apps still hiding inside the Play Store. As such, Android device users should not rely fully on the stores’ protections and should check app ratings and comments, pay attention to what permissions they grant to apps, and run a quality security solution on their mobile devices.