Industry News

Android spyware found secretly recording WhatsApp, Viber, and Skype chats

Google Play’s security team has shared details of a family of Android malware spotted in the company’s official app store, capable of stealing sensitive data from social media apps and spying on WhatsApp, Viber, and Skype communications.

The malware, known as Tizi, is described as a fully-featured backdoor that can root targeted Android devices and install spyware without the knowledge of the user. Tizi is known to have been used in attacks against devices in a variety of African countries, with the majority of infections being spotted in Kenya.

Tizi-infected apps, say researchers, have been advertised on social media websites, Google Play and third-party sites.

Aside from snooping on communications sent via the likes of WhatsApp, Telegram, Viber, and Skype, Tizi can also send and receive SMS messages, access the user’s call log, calendar, photos, Wi-Fi encryption keys, as well as a list of installed apps. In addition, the Tizi malware is capable of recording ambient audio and taking photographs without the knowledge of users.

After gaining root, Tizi steals sensitive data from popular social media apps like Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram. It usually first contacts its command-and-control servers by sending an SMS with the device’s GPS coordinates to a specific number. Subsequent command-and-control communications are normally performed over regular HTTPS, though in some specific versions, Tizi uses the MQTT messaging protocol with a custom server. The backdoor contains various capabilities common to commercial spyware, such as recording calls from WhatsApp, Viber, and Skype; sending and receiving SMS messages; and accessing calendar events, call log, contacts, photos, Wi-Fi encryption keys, and a list of all installed apps. Tizi apps can also record ambient audio and take pictures without displaying the image on the device’s screen.

In short, you’re unwittingly carrying a spy around in your pocket.

The good news is that most Android users don’t seem to have encountered Tizi. Google has identified some 1300 infected devices, with most of the installations based in Kenya.

The natural conclusion is that this is not a widespread attack, but instead an attempt by somebody to launch a focused, targeted attack against carefully-selected targets.

Google says that it spotted the Tizi spyware in September, after it was picked up by automatic scans from Google Play’s built-in scanner – Google Play Protect. However, a deeper investigation uncovered that Tizi-infected apps stretched back as far as October 2015.

Google has suspended the account of the offending app developer, and Google Play Protect was then used to remove the harmful apps from victims’ devices.

Android users are advised to take the following five precautions to better defend their devices:

  • Check permissions: Be cautious with apps that request unreasonable permissions. For instance, a Flashlight app should never need to be able to access your SMS messages.
  • Enable a secure lock screen: Pick a PIN, pattern, or password that is easy for you to remember and hard for others to guess.
  • Keep your device updated: Ensure that your device is up-to-date with the latest security patches, as malware often exploits known vulnerabilities.
  • Google Play Protect: Ensure Google Play Protect is enabled on your device.
  • Know where your Android device is: Practice finding your device, because you are far more likely to lose your device than install a Potentially Harmful Application (PHA).

This is all good advice, although it has been my experience that many Android devices are woefully out-of-date when it comes to operating system patches – not because of any failing by the user, but rather that an upgrade path has simply never been made available.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment

Click here to post a comment
  • "Keep your device" updated would be nice – if the manufacturer and ISP had any interest in making this possible… :(