Ethical Hacking News
A new Android malware known as NoVoice has infected over 2.3 million devices worldwide, compromising their personal data and putting their mobile security at risk. The malware was discovered on Google Play and had been hidden in more than 50 apps that were downloaded millions of times.
Over 2.3 million Android devices worldwide have been infected with NoVoice malware, compromising user data.
NoVoice was hidden in over 50 apps downloaded millions of times on Google Play, including cleaners, image galleries, and games.
The malware evades detection by traditional security software due to its cleverly designed payload.
The threat actor uses old Android vulnerabilities (2016-2021) to gain root access and disable security protections.
The malware steals sensitive data from WhatsApp users, including encryption databases and Signal protocol keys.
Users who installed infected apps previously should consider their devices and data compromised.
Upgrading to a device with later security patches can mitigate this threat.
Android users have been warned by security experts about a new type of malware that has infected over 2.3 million devices worldwide, compromising their personal data and putting their mobile security at risk.
The malware, known as NoVoice, was discovered on Google Play and had been hidden in more than 50 apps that were downloaded millions of times. These apps included cleaners, image galleries, and games, which appeared to be legitimate but carried a malicious payload. The malware required no suspicious permissions and provided the promised functionality, making it difficult for users to detect its presence.
According to researchers at McAfee, the threat actor who created NoVoice concealed malicious components in the com.facebook.utils package, mixing them with the legitimate Facebook SDK classes. This allowed the malware to evade detection by traditional security software. The malware then contacts a command-and-control (C2) server and collects device information such as hardware details, kernel version, Android version, installed apps, and root status, to determine the exploit strategy.
The researchers created a map of the infection chain from the delivery stage to the injection phase, which revealed that the malware uses old Android vulnerabilities that received patches between 2016 and 2021. These exploits give the operators a root shell and allow them to disable SELinux enforcement on the device, effectively dropping its fundamental security protections.
The rootkit establishes multiple layers of persistence, including installing recovery scripts, replacing the system crash handler with a rootkit loader, and storing fallback payloads on the system partition. The malware also deploys a watchdog daemon that checks the rootkit's integrity every 60 seconds and automatically reinstalls missing components. If the checks fail, it forces the device to reboot, causing the rootkit to reload.
During the post-exploitation phase, attacker-controlled code is injected into every app launched on the device. Two main components are deployed: one that enables silent installation or removal of apps, and another that operates within any app with internet access. The latter serves as a primary data theft mechanism, and McAfee observed that it primarily targeted the WhatsApp messaging app.
When WhatsApp is launched on an infected device, the malware extracts sensitive data required to replicate the victim’s session, including encryption databases, the Signal protocol keys, and account identifiers such as phone number and Google Drive backup details. This information is then exfiltrated to the C2, allowing the attackers to clone the victim's WhatsApp session on their own device.
The researchers noted that although they recovered only a WhatsApp-focused payload, NoVoice’s modular design means other payloads, targeting any application on the device, could technically have been used. The malicious Android applications carrying NoVoice payloads have been removed from Google Play after McAfee reported them to Google.
However, users who have installed these apps previously should consider their devices and data compromised. As NoVoice targets flaws fixed up to May 2021, upgrading to a device running a later security patch effectively mitigates this threat in its current form. It is recommended that Android users upgrade to actively supported models and only install apps from trusted, well-known publishers, even on Google Play.
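For administrators triaging a device fleet against the two conditions described above (a patch level inside the exploited range, and SELinux enforcement switched off), the following is an added example, not code from McAfee or from the article's sources. It assumes the output of `adb shell getprop` and `adb shell getenforce` has already been collected per device, reads "a later security patch" conservatively as any level after May 2021, and uses constructed sample output.

```python
import re
from datetime import date

# Article: NoVoice targets flaws fixed up to May 2021. Assumption (conservative
# reading): only patch levels after May 2021 fall outside the exploited range.
CUTOFF = (2021, 5)
PROP_RE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]\s*$")

# Constructed samples of `adb shell getprop` output, not taken from real devices.
SAMPLE_OLD = "[ro.build.version.release]: [9]\n[ro.build.version.security_patch]: [2020-11-05]\n"
SAMPLE_NEW = "[ro.build.version.release]: [14]\n[ro.build.version.security_patch]: [2024-03-01]\n"


def parse_getprop(text):
    """Parse getprop output ("[key]: [value]" per line) into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def triage(getprop_text, getenforce_text):
    """Return findings for one device; an empty list means nothing flagged."""
    findings = []
    patch = parse_getprop(getprop_text).get("ro.build.version.security_patch", "")
    try:
        level = date.fromisoformat(patch)
    except ValueError:
        # Missing or malformed property: cannot rule the device out.
        findings.append("patch-level-unknown")
    else:
        if (level.year, level.month) <= CUTOFF:
            findings.append("patch-level-in-exploited-range")
    # The rootkit disables SELinux enforcement, so any state other than
    # "Enforcing" on a production build warrants investigation.
    if getenforce_text.strip().lower() != "enforcing":
        findings.append("selinux-not-enforcing")
    return findings


if __name__ == "__main__":
    print("old device:", triage(SAMPLE_OLD, "Permissive\n"))
    print("new device:", triage(SAMPLE_NEW, "Enforcing\n"))
```

An empty result only lowers a device's priority; a device that ran one of the removed apps should still be treated as compromised, as stated above.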
The discovery of NoVoice highlights the ongoing threat landscape for mobile security and the need for users to be vigilant when installing apps from unknown sources. As cybersecurity experts continue to monitor the threat landscape, it is essential to stay informed about the latest malware threats and take proactive measures to protect personal data.
Related Information:
https://www.ethicalhackingnews.com/articles/NoVoice-Android-Malware-A-Global-Threat-to-Mobile-Security-ehn.shtml
https://www.bleepingcomputer.com/news/security/novoice-android-malware-on-google-play-infected-23-million-devices/
https://www.tomsguide.com/computing/malware-adware/google-just-took-down-224-malicious-apps-with-38-million-installs-from-the-play-store-how-to-stay-safe
https://www.androidpolice.com/malware-infects-android-devices-through-two-google-play-apps/
https://www.mcafee.com/blogs/internet-security/operation-novoice-android-malware-mcafee-research/
Published: Wed Apr 1 13:28:55 2026 by llama3.2 3B Q4_K_M