NoVoice Android Malware Rooted Millions of Devices via Google Play

A malicious Android strain called NoVoice has infected approximately 2.3 million devices through over 50 apps on the Google Play Store, including cleaners, image galleries, and games that delivered promised functionality without requesting suspicious permissions. The malware exploited old Android vulnerabilities patched between 2016 and 2021 to gain root access, using steganography to hide encrypted payloads within PNG image files. McAfee researchers discovered the operation but could not attribute it to a specific threat actor, though they noted similarities to the Triada Android trojan.

The infection chain involved contacting a command-and-control server every 60 seconds to download device-specific exploits, including use-after-free kernel bugs and Mali GPU driver flaws. After successful rooting, key system libraries were replaced with hooked wrappers that intercepted system calls, and multiple persistence layers were established, including recovery scripts and fallback payloads stored on the system partition. A watchdog daemon checked the rootkit's integrity every 60 seconds, automatically reinstalling missing components or forcing device reboots.

The malware primarily targeted WhatsApp, extracting encryption databases, Signal protocol keys, and account identifiers to clone victims' sessions on attacker-controlled devices. Devices updated since May 2021 are protected against these exploits, and Google Play Protect automatically removes the malicious apps. However, users who installed the apps on older devices should consider their data compromised. McAfee recommends upgrading to actively supported devices and installing only trusted apps despite Google Play's protections.
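To triage a device fleet against the May 2021 cutoff mentioned above, the following added example (not from McAfee or the original article) classifies devices from saved `adb shell getprop` output using the `ro.build.version.security_patch` property. It assumes "updated since May 2021" means a patch level of 2021-05-01 or later; the device labels and dumps are constructed samples.

```python
import re
from datetime import date

# Assumption: "updated since May 2021" is read as patch level >= 2021-05-01.
CUTOFF = date(2021, 5, 1)
# getprop prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

def parse_getprop(text):
    """Parse `adb shell getprop` output into a dict of property -> value."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props

def classify(props):
    """Return 'exposed', 'patched' or 'unknown' for one device."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        level = date.fromisoformat(raw)
    except ValueError:
        return "unknown"  # property missing or malformed: review by hand
    return "patched" if level >= CUTOFF else "exposed"

def triage(dumps):
    """Map device label -> status for a dict of label -> getprop text."""
    return {label: classify(parse_getprop(text)) for label, text in dumps.items()}

# Constructed sample dumps (not real devices).
SAMPLE = {
    "tablet-01": "[ro.product.model]: [ExampleTab]\n"
                 "[ro.build.version.security_patch]: [2019-08-05]\n",
    "phone-02": "[ro.product.model]: [ExamplePhone]\n"
                "[ro.build.version.security_patch]: [2021-05-01]\n",
    "kiosk-03": "[ro.product.model]: [ExampleKiosk]\n",
    "phone-04": "[ro.build.version.security_patch]: [2021-04-05]\r\n",
}

if __name__ == "__main__":
    for label, status in sorted(triage(SAMPLE).items()):
        print(f"{label}: {status}")
```

A device reported as `exposed` that ever had one of the affected apps installed falls under the article's advice to treat its data as compromised.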
