Android Malware on Google Play Infected 2.3M Devices

Summary
– The NoVoice malware was distributed through over 50 functional apps on Google Play, which required no suspicious permissions and garnered at least 2.3 million downloads.
– It gained root access by exploiting old, patched Android vulnerabilities and used sophisticated concealment techniques like steganography to hide its payload.
– After rooting a device, it established persistent control and primarily stole WhatsApp data, including encryption keys, to clone a victim’s session.
– The malware avoided infecting devices in specific Chinese regions and performed numerous checks to evade detection on emulators or monitored environments.
– Google has removed the apps, noting devices updated since May 2021 are protected, but infected devices remain compromised.

A sophisticated Android malware campaign has infected millions of devices through the official Google Play Store. Dubbed NoVoice, this threat was distributed through over 50 seemingly legitimate applications, including cleaners, games, and image galleries, which collectively garnered at least 2.3 million downloads. These apps provided their advertised functionality and requested no unusual permissions, effectively hiding their malicious payload from unsuspecting users.
Once launched, the malware attempted to gain root access by exploiting a series of old Android vulnerabilities, some patched as far back as 2016. Researchers from McAfee, who discovered the operation, noted similarities between NoVoice and the notorious Triada Android trojan, though they could not attribute it to a specific threat actor. The attack chain began with malicious code concealed within a package masquerading as the legitimate Facebook SDK.
Using steganography, the threat actors hid an encrypted payload inside a PNG image file. This payload was extracted into system memory, with all intermediate files wiped to cover its tracks. The malware performed extensive validation, implementing 15 checks for emulators, debuggers, and VPNs. It also avoided infecting devices in specific geographic regions, including Beijing and Shenzhen in China. If location permissions were unavailable, the infection simply proceeded.
After initial checks, the malware contacted its command-and-control (C2) server, collecting detailed device information to determine its exploit strategy. It then polled the C2 every 60 seconds, downloading device-specific exploit components. McAfee documented 22 different exploits, including use-after-free kernel bugs and flaws in the Mali GPU driver. Successful exploitation provided a root shell and allowed the malware to disable SELinux enforcement, stripping the device of a core security layer.
Following a successful root, the malware replaced key system libraries with hooked wrappers to intercept system calls. It established deep persistence mechanisms, including installing recovery scripts and replacing the system crash handler with a rootkit loader. Crucially, fallback payloads were stored on the system partition, an area not wiped during a factory reset. A watchdog daemon ran every minute to verify the rootkit’s integrity, automatically reinstalling components or forcing a device reboot if anything was amiss.
In the post-exploitation phase, attacker-controlled code was injected into every launched application. Two primary modules were deployed: one for the silent installation or removal of apps, and another operating within any app with internet access to facilitate data theft. McAfee observed this module specifically targeting WhatsApp. When the messaging app was opened, the malware extracted critical session data, including encryption databases, Signal protocol keys, phone numbers, and Google Drive backup details. This information was exfiltrated, enabling attackers to clone the victim’s WhatsApp session on another device.
The researchers emphasized that while they only recovered a WhatsApp-focused payload, NoVoice’s modular design means it could easily be adapted to target any application on a compromised device. All identified malicious apps have been removed from Google Play after McAfee, a member of the App Defense Alliance, reported them.
Google has stated that devices updated with security patches from May 2021 or later are protected, as the vulnerabilities exploited were addressed years ago. Google Play Protect automatically blocks and removes these apps. However, users who installed them previously should consider their devices and data compromised. The primary defense against this specific threat is ensuring your device runs a recent security patch. For broader protection, users are advised to upgrade to actively supported device models and exercise caution, installing apps only from trusted publishers even within official app stores.
(Source: BleepingComputer)