A newly discovered Android malware strain called NoVoice has infected over 2.3 million devices after being distributed through more than 50 apps on the Google Play Store. The infected apps—primarily cleaners, image galleries, and games—appeared legitimate, required no suspicious permissions, and delivered their advertised functionality, making the threat harder to detect.
Once installed, NoVoice attempts to gain root access by exploiting known Android vulnerabilities that were patched between 2016 and 2021. Devices that have not received security updates since then are particularly at risk.
Researchers at cybersecurity firm McAfee uncovered the campaign but could not attribute it to a specific threat actor. However, they noted similarities with the well-known Triada trojan.
How the Malware Works
The malware hides its malicious components within a package disguised as legitimate Facebook SDK code. It uses steganography to conceal an encrypted payload inside a PNG image file. This payload is extracted and executed directly in memory, while intermediate files are deleted to avoid detection.
NoVoice performs multiple checks to evade analysis, including detecting emulators, VPNs, and debugging environments. It also avoids infecting devices in certain locations, including Beijing and Shenzhen.
After passing these checks, the malware contacts a command-and-control (C2) server, sending detailed device information such as hardware specs, Android version, installed apps, and root status. Based on this data, it downloads tailored exploits to gain full control of the device.
Advanced Exploitation and Persistence
Researchers observed 22 different exploits, including kernel vulnerabilities and GPU driver flaws. Once successful, the malware:
- Gains a root shell
- Disables core security protections like SELinux
- Replaces critical system libraries with malicious versions
It then establishes deep persistence by:
- Installing recovery scripts
- Replacing system crash handlers with malicious loaders
- Storing backup payloads in system partitions
Because these partitions are not wiped during a factory reset, the malware can survive even aggressive cleaning attempts.
A watchdog component continuously monitors the infection and reinstalls missing parts if necessary. If tampering is detected, it forces the device to reboot to restore the malware.
Data Theft Capabilities
After compromising the device, NoVoice injects malicious code into all running apps. One of its primary targets is WhatsApp.
When WhatsApp is launched, the malware extracts sensitive data including:
- Encryption databases
- Signal protocol keys
- Phone number and account identifiers
- Google Drive backup details
This information is sent to the attackers, enabling them to clone the victim’s WhatsApp session on another device.
Although WhatsApp was the primary observed target, the malware’s modular design means it could potentially target other apps as well.
Response and Mitigation
Following disclosure, Google removed the malicious apps from the Play Store. Devices with security updates newer than May 2021 are not vulnerable to the exploits used by NoVoice.
Google Play Protect also helps by removing known malicious apps and blocking future installations.
However, users who installed affected apps should assume their devices may be compromised. Recommended actions include:
- Updating to a device with current security patches
- Avoiding outdated Android versions
- Installing apps only from trusted developers
Key Takeaway
NoVoice highlights a critical issue: even official app stores can host dangerous apps, especially when devices run outdated software. Keeping devices updated remains one of the most effective defenses against such threats.
This is a serious reminder that even trusted platforms like the Play Store aren’t foolproof. Users running outdated Android versions are especially at risk, so keeping devices updated is critical. The level of persistence and WhatsApp data theft in this campaign is particularly alarming.