"NoVoice" Android Malware on Google Play Infected 2.3 Million Devices
NoVoice, an Android rootkit distributed through Google Play, infected more than 2.3 million devices via over 50 apps, including cleaners, galleries and games, none of which requested suspicious permissions. The malware exploits old Android vulnerabilities (patched between 2016 and 2021) to gain root, then installs a persistent rootkit that replaces key system libraries, disables SELinux and re-installs itself after reboot. It profiles the device, reports that profile to a command-and-control server to receive a matching exploit chain, and, once root is obtained, injects code into every app launched on the device, chiefly to steal WhatsApp data (encryption keys, session information) and clone the victim's session. Google removed the apps after McAfee reported them, but users who already installed them should check their devices. Keeping a device on a current Android security patch level mitigates the threat; users are advised to install only trusted apps from reputable publishers.

A new Android threat has surfaced under the name NoVoice, embedded inside a batch of apps that circulated on Google Play. In total, the operation affected more than 50 applications and amassed about 2.3 million downloads before the apps were removed from the store. The catalog of infected programs spanned everyday utilities such as cleaners, image galleries, and various games. What made NoVoice notable was how well it passed as legitimate software: the carrier apps requested no suspicious permissions and actually provided the cleaning, gallery or game functionality they advertised, so the malicious component drew no attention from users.
The infection chain begins when an affected app is launched. NoVoice attempts to obtain root access by exploiting a set of older Android vulnerabilities whose fixes were released between 2016 and 2021. Targeting already-patched bugs only pays off on devices that never received those fixes, so the malware escalates privileges on handsets running stale patch levels and fails on up-to-date ones. Researchers from McAfee identified the operation and linked it to a toolkit resembling prior Android trojans such as Triada, though they stopped short of attributing the campaign to a specific threat actor.
From a packaging perspective, the NoVoice components were hidden inside the com.facebook.utils package, blending with legitimate Facebook SDK classes to evade casual scrutiny. A particularly clever aspect of the attack lies in its use of steganography: an encrypted payload (enc.apk) was concealed inside a PNG image. When the image is processed, the hidden payload is extracted and decrypted into h.apk, which is then loaded into memory. To reduce the footprint and avoid leaving obvious traces, the intermediate files are deleted during this extraction phase.
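The write-up does not say how the payload was embedded in the PNG, but the two common tricks are appending the blob after the IEND chunk and hiding it in a non-standard chunk. The following is an added example, not McAfee's or the malware's code, that walks a PNG's chunk structure and flags both: trailing bytes (with their Shannon entropy, since an encrypted payload sits near 8 bits per byte), unknown or oversized chunks, bad CRCs, and a visible ZIP local-file header (an APK is a ZIP, so this only fires if the payload is stored unencrypted). The sample images are constructed inline; the chunk name prIV and the 4 KiB size threshold are assumptions for illustration.

```python
"""Added example: static check for payload-carrying PNGs (not code from the original article)."""
import math
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec and its registered extensions.
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
                b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
                b"sPLT", b"tIME", b"eXIf"}
OVERSIZE_LIMIT = 4096  # assumption: a non-IDAT chunk larger than this deserves a look


def shannon_entropy(buf):
    """Bits per byte; encrypted or compressed data scores close to 8."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_png(data):
    """Return ([(offset, type, body, crc_ok), ...], offset just past IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    chunks, pos = [], len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk %r at offset %d" % (ctype, pos))
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        chunks.append((pos, ctype, body, crc_ok))
        pos = end
        if ctype == b"IEND":
            break
    return chunks, pos


def analyze_png(data):
    """Collect indicators that the image carries something besides pixels."""
    chunks, end = parse_png(data)
    trailing = data[end:]                      # anything after IEND is not image data
    names = lambda pred: [t.decode("latin-1") for _, t, body, ok in chunks if pred(t, body, ok)]
    findings = {
        "trailing_bytes": len(trailing),
        "trailing_entropy": round(shannon_entropy(trailing), 2),
        "unknown_chunks": names(lambda t, body, ok: t not in KNOWN_CHUNKS),
        "oversized_chunks": names(lambda t, body, ok: t != b"IDAT" and len(body) > OVERSIZE_LIMIT),
        "bad_crc": names(lambda t, body, ok: not ok),
        "zip_header_present": b"PK\x03\x04" in data,   # APK/ZIP stored in the clear
    }
    findings["suspicious"] = bool(findings["trailing_bytes"] or findings["unknown_chunks"]
                                  or findings["oversized_chunks"] or findings["zip_header_present"])
    return findings


def make_chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def minimal_png():
    """A valid 1x1 RGB PNG, built by hand so the example runs offline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte + one red pixel
    return PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")


# Constructed samples: clean image, high-entropy blob appended after IEND, same blob in a private chunk.
CLEAN_PNG = minimal_png()
_rng = random.Random(7)
FAKE_ENC_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(2048))   # stands in for enc.apk
APPENDED_PNG = CLEAN_PNG + FAKE_ENC_PAYLOAD
CHUNKED_PNG = CLEAN_PNG[:-12] + make_chunk(b"prIV", FAKE_ENC_PAYLOAD) + make_chunk(b"IEND", b"")

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PNG), ("appended", APPENDED_PNG), ("chunked", CHUNKED_PNG)):
        print(label, analyze_png(img))
```

On real samples, run `analyze_png` over every PNG in the APK's assets and resources; a legitimate image has no trailing bytes and only standard chunks, so any hit is worth pulling apart by hand.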
The campaign also employed region-based targeting. McAfee notes that the threat actor avoided infecting devices in certain Chinese cities, including Beijing and Shenzhen, and implemented a battery of 15 checks for emulators, debuggers, and VPNs. If location permission is not available, the geofencing check is skipped and the infection proceeds along an alternate path, so a denied permission does not by itself stop the operation.
After establishing a foothold, the malware reaches out to a command-and-control (C2) server and reports a profile of the device: hardware details, kernel version, Android version and security patch level, installed apps, and whether the device is already rooted. The operator uses this profile to select which exploit chain to deploy. The malware then polls the C2 about once every minute, downloading additional components tailored to the specific device in order to obtain root.
McAfee provides a capsule view of the infection through a map that traces the delivery stage to the injection phase, highlighting how the operation develops from initial access to deeper system compromise. The team cataloged as many as 22 distinct exploits, including several that leverage use-after-free kernel bugs and flaws in Mali GPU drivers. Successfully exploiting these vectors yields a root shell and, in some cases, the ability to disable SELinux, effectively erasing many of the platform’s core security safeguards.
With root access secured, NoVoice replaces critical system libraries with hooked wrappers. Libraries such as libandroid_runtime.so and libmedia_jni.so are swapped so that calls into them are intercepted and routed through the attacker's code. The rootkit then hardens its persistence by installing recovery scripts, replacing the system crash handler with a rootkit loader, and placing fallback payloads on the system partition. Because a factory reset wipes the userdata partition but leaves the system partition intact, a standard reset does not purge these components.
A watchdog runs on a 60-second cycle to verify the rootkit's integrity and automatically reinstall any missing components. When an integrity check fails, the watchdog can trigger a reboot so that the rootkit reloads, which makes the implant close to permanent on the device.
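The artifacts above suggest what to look for when triaging a suspect device: swapped system libraries, SELinux no longer enforcing, and a security patch level older than the exploited fixes (the write-up dates the latest relevant patch to May 2021). The following is an added example, not McAfee's tooling, that parses the output of `getprop`, `getenforce` and `sha256sum` as `adb shell` would return it and produces a verdict. The property dump, hashes and getenforce output are constructed; the baseline hashes are sha256 values of fixed strings standing in for real build artifacts, and on a real device you would take them from a clean handset with the same build fingerprint.

```python
"""Added example: offline triage of adb output for NoVoice-style rootkit indicators (not from the article)."""
import hashlib
import re
from datetime import date

# Latest fix in the exploited set according to the write-up (patches up to May 2021).
PATCH_CUTOFF = date(2021, 5, 1)

# Libraries the rootkit swaps for hooked wrappers. Baseline hashes are hypothetical
# stand-ins (sha256 of fixed strings), not hashes of real Android builds.
WATCHED_LIBS = ["/system/lib64/libandroid_runtime.so", "/system/lib64/libmedia_jni.so"]
BASELINE = {p: hashlib.sha256(b"clean:" + p.encode()).hexdigest() for p in WATCHED_LIBS}

_PROP_RE = re.compile(r"^\[(.+?)\]: \[(.*)\]$")


def parse_getprop(text):
    """Turn `getprop` output ('[name]: [value]' per line) into a dict."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def patch_level_exposed(props):
    """True if the security patch level predates the exploited fixes, or is unknown."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        return date.fromisoformat(raw) < PATCH_CUTOFF
    except ValueError:
        return True  # missing or malformed: assume the worst


def parse_sha256sum(text):
    """Parse `sha256sum` lines ('<hex>  <path>') into {path: hex}."""
    out = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and re.fullmatch(r"[0-9a-f]{64}", parts[0]):
            out[parts[1].strip().lstrip("*")] = parts[0]
    return out


def library_findings(observed, baseline):
    """Libraries whose hash differs from the baseline, and baseline libraries not present at all."""
    mismatched = {p: (h, observed[p]) for p, h in baseline.items() if p in observed and observed[p] != h}
    missing = [p for p in baseline if p not in observed]
    return mismatched, missing


def triage(getprop_text, getenforce_text, sha256_text, baseline=BASELINE):
    props = parse_getprop(getprop_text)
    mismatched, missing = library_findings(parse_sha256sum(sha256_text), baseline)
    enforcing = getenforce_text.strip() == "Enforcing"
    exposed = patch_level_exposed(props)
    if mismatched or missing or not enforcing:
        verdict = "rootkit indicators present: do not trust the OS; reflash from a vendor image"
    elif exposed:
        verdict = "no rootkit indicators, but patch level predates the exploited fixes"
    else:
        verdict = "no findings"
    return {
        "patch_level": props.get("ro.build.version.security_patch", "?"),
        "patch_exposed": exposed,
        "selinux_enforcing": enforcing,
        "mismatched_libs": mismatched,
        "missing_libs": missing,
        "verdict": verdict,
    }


# Constructed sample output, in the shape adb returns it, for an infected and a clean device.
INFECTED_GETPROP = """[ro.build.version.release]: [10]
[ro.build.version.security_patch]: [2020-09-05]
[ro.product.model]: [example]"""
INFECTED_SHA = "\n".join([
    "%s  %s" % (hashlib.sha256(b"hooked:" + WATCHED_LIBS[0].encode()).hexdigest(), WATCHED_LIBS[0]),
    "%s  %s" % (BASELINE[WATCHED_LIBS[1]], WATCHED_LIBS[1]),
])
INFECTED_GETENFORCE = "Permissive\n"
CLEAN_GETPROP = INFECTED_GETPROP.replace("2020-09-05", "2022-03-05")
CLEAN_SHA = "\n".join("%s  %s" % (h, p) for p, h in BASELINE.items())

if __name__ == "__main__":
    print("infected:", triage(INFECTED_GETPROP, INFECTED_GETENFORCE, INFECTED_SHA))
    print("clean:   ", triage(CLEAN_GETPROP, "Enforcing\n", CLEAN_SHA))
```

Because the watchdog reinstalls components every minute and the payloads live on the system partition, a negative hash check is only meaningful when the baseline comes from a known-clean device; a positive one means the operating system itself can no longer be trusted to report on its own state, so the only reliable remediation is reflashing a vendor image.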
During the post-exploitation phase, attacker-controlled code is injected into every app the device launches. Two main payloads operate at this stage: one silently installs or removes apps; the other runs inside any app that has internet access and is the principal data-theft mechanism. McAfee observed that this second payload prominently targeted WhatsApp, given the app's ubiquity and the volume of personal communications it holds.
When WhatsApp is active on an infected device, the malware siphons off the data needed to replicate the victim's session: the app's databases and their encryption keys, the Signal protocol keys, and account identifiers such as the phone number and Google Drive backup metadata. This trove is transmitted to the C2, enabling the attackers to clone the victim's WhatsApp session on another device. The evidence recovered by researchers included a payload focused specifically on WhatsApp databases, underscoring the attackers' intent to pivot through widely used messaging accounts for further access or monetization.
While the observed payload during the investigation concentrated on WhatsApp, the modular design of NoVoice means other payloads could theoretically be deployed to target additional apps and services on the same device. Once the operator sees value in a particular target, the architecture supports extending to other high-value data sources or messaging platforms.
Google Play subsequently removed the infected applications after McAfee, a member of the App Defense Alliance, reported the activity to Google. The incident is a reminder of the sophistication of current Android malware and of how readily malicious components can be disguised inside legitimate-sounding software. Removal from the store does not clean devices that were already compromised: the rootkit persists on the system partition independently of the carrier app, and any device still running one of the apps on an older patch level remains exposed.
In this campaign, the vulnerabilities exploited by NoVoice were all fixed in earlier years, the most recent of the relevant patches dating to May 2021, so devices that have received security updates since then resist these specific exploits. The lesson is not limited to a single vulnerability or app family: the operation shows how a modular rootkit framework can be delivered through ordinary app categories and how hidden payloads can be used to establish persistent, device-wide compromise. The NoVoice incident underscores the importance of keeping devices on actively supported software versions and of treating app installation with caution even on official stores, especially for apps that promise routine, benign functionality.