
NoVoice Malware Compromises 2.3 Million Android Devices Through Trusted Play Store Apps

A newly discovered Android malware strain called NoVoice has infected over 2.3 million devices after being distributed through more than 50 apps on the Google Play Store. The infected apps—primarily cleaners, image galleries, and games—appeared legitimate, required no suspicious permissions, and delivered their advertised functionality, making the threat harder to detect.

Once installed, NoVoice attempts to gain root access by exploiting known Android vulnerabilities that were patched between 2016 and 2021. Devices that have not received security updates since then are particularly at risk.

Researchers at cybersecurity firm McAfee uncovered the campaign but could not attribute it to a specific threat actor. However, they noted similarities with the well-known Triada trojan.

How the Malware Works

The malware hides its malicious components within a package disguised as legitimate Facebook SDK code. It uses steganography to conceal an encrypted payload inside a PNG image file. This payload is extracted and executed directly in memory, while intermediate files are deleted to avoid detection.

NoVoice performs multiple checks to evade analysis, including detecting emulators, VPNs, and debugging environments. It also avoids infecting devices in certain regions, such as Beijing and Shenzhen.

After passing these checks, the malware contacts a command-and-control (C2) server, sending detailed device information such as hardware specs, Android version, installed apps, and root status. Based on this data, it downloads tailored exploits to gain full control of the device.

Advanced Exploitation and Persistence

Researchers observed 22 different exploits, including kernel vulnerabilities and GPU driver flaws. Once successful, the malware:

  • Gains a root shell
  • Disables core security protections like SELinux
  • Replaces critical system libraries with malicious versions

It then establishes deep persistence by:

  • Installing recovery scripts
  • Replacing system crash handlers with malicious loaders
  • Storing backup payloads in system partitions

Because these partitions are not wiped during a factory reset, the malware can survive even aggressive cleaning attempts.

A watchdog component continuously monitors the infection and reinstalls missing parts if necessary. If tampering is detected, it forces the device to reboot to restore the malware.

Data Theft Capabilities

After compromising the device, NoVoice injects malicious code into all running apps. One of its primary targets is WhatsApp.

When WhatsApp is launched, the malware extracts sensitive data including:

  • Encryption databases
  • Signal protocol keys
  • Phone number and account identifiers
  • Google Drive backup details

This information is sent to the attackers, enabling them to clone the victim’s WhatsApp session on another device.

Although WhatsApp was the primary observed target, the malware’s modular design means it could potentially target other apps as well.

Response and Mitigation

Following disclosure, Google removed the malicious apps from the Play Store. Devices with security updates newer than May 2021 are not vulnerable to the exploits used by NoVoice.

Google Play Protect also helps by removing known malicious apps and blocking future installations.

However, users who installed affected apps should assume their devices may be compromised. Recommended actions include:

  • Switching to a device that receives current security patches
  • Avoiding outdated Android versions
  • Installing apps only from trusted developers
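For fleet owners who need to decide which devices to treat as exposed, the two facts the article gives are actionable: the exploits only work against patch levels up to May 2021, and a successful infection disables SELinux. The following added example (not from the article or from Google tooling) parses the output of the standard Android `getprop` and `getenforce` commands, as captured over `adb shell`, and flags a device whose `ro.build.version.security_patch` is inside the exploited window or whose SELinux mode is not `Enforcing`. The sample outputs are constructed; the cut-off date of 2021-05-31 is my reading of "newer than May 2021".

```python
"""Triage of Android getprop/getenforce output against the NoVoice exposure criteria."""
import re
from datetime import date

# getprop prints one property per line as: [key]: [value]
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")
# Article: patch levels newer than May 2021 are not affected by the exploits used.
# Assumption here: any patch level up to and including 2021-05-31 counts as exposed.
LAST_EXPLOITED_PATCH_LEVEL = date(2021, 5, 31)

# Constructed sample captures (not real devices).
SAMPLE_OLD_DEVICE = """\
[ro.product.model]: [ExamplePhone]
[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2019-08-05]
"""
SAMPLE_NEW_DEVICE = """\
[ro.product.model]: [ExamplePhone]
[ro.build.version.release]: [13]
[ro.build.version.security_patch]: [2023-11-05]
"""


def parse_getprop(text: str) -> dict:
    """Turn getprop output into a dict; malformed lines are ignored."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def parse_patch_level(value):
    """Security patch levels are ISO dates (YYYY-MM-DD); return None if absent or odd."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def assess_device(getprop_text: str, getenforce_text: str) -> dict:
    """Apply the article's two criteria and return findings for this device."""
    props = parse_getprop(getprop_text)
    patch = parse_patch_level(props.get("ro.build.version.security_patch"))
    selinux = getenforce_text.strip()
    findings = []
    in_window = patch is not None and patch <= LAST_EXPLOITED_PATCH_LEVEL
    if patch is None:
        findings.append("security patch level missing or unparseable")
    elif in_window:
        findings.append(f"patch level {patch.isoformat()} is within the window exploited by NoVoice")
    if selinux != "Enforcing":
        # A permissive or disabled SELinux on a stock device is itself a compromise indicator.
        findings.append(f"SELinux reports '{selinux}', expected 'Enforcing'")
    return {
        "model": props.get("ro.product.model"),
        "android_release": props.get("ro.build.version.release"),
        "patch_level": patch,
        "in_exploited_window": in_window,
        "selinux": selinux,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, props, enforce in (("old", SAMPLE_OLD_DEVICE, "Permissive\n"),
                                  ("new", SAMPLE_NEW_DEVICE, "Enforcing\n")):
        print(label, assess_device(props, enforce)["findings"])
```

A device that trips either finding is not proven infected, but the article's own guidance applies: treat it as potentially compromised, and note that a factory reset is not a reliable remedy because of the system-partition persistence described above.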

Key Takeaway

NoVoice highlights a critical issue: even official app stores can host dangerous apps, especially when devices run outdated software. Keeping devices updated remains one of the most effective defenses against such threats.


1 Comment

  • This is a serious reminder that even trusted platforms like the Play Store aren’t foolproof. Users running outdated Android versions are especially at risk, so keeping devices updated is critical. The level of persistence and WhatsApp data theft in this campaign is particularly alarming.
