NoVoice Android Malware Hits 2.3 Million Devices via Google Play Apps

Severity: High (Score: 69.8)

Sources: Bleepingcomputer, Gbhackers

Summary

A new Android malware named NoVoice has been discovered on Google Play, infecting over 2.3 million devices through more than 50 legitimate-looking apps, including cleaners and games. The malware exploits 22 vulnerabilities, including old Android flaws patched between 2016 and 2021, to gain root access. Once installed, NoVoice employs sophisticated techniques such as steganography to hide its payload and uses a command-and-control server to gather device information. The malware avoids infecting devices in specific regions, like Beijing and Shenzhen, and includes multiple checks to evade detection by emulators and debuggers. After rooting the device, it installs a rootkit that maintains persistence even after factory resets. The malware can also clone WhatsApp sessions, posing significant privacy risks. McAfee researchers identified the operation but could not attribute it to a specific threat actor. The situation remains critical as users are urged to check their devices for affected apps.

Key Points:

  • NoVoice malware infected over 2.3 million Android devices via 50+ apps on Google Play.
  • The malware exploits 22 vulnerabilities, including old Android flaws, to gain root access.
  • NoVoice employs advanced techniques like steganography and rootkits for persistence.

Key Entities

  • Data Breach (attack_type)
  • Malware (attack_type)
  • NoVoice Operation (campaign)
  • China (country)
  • NoVoice (malware)
  • Triada (malware)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1055 - Process Injection (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1547 - Boot Or Logon Autostart Execution (mitre_attack)
  • Android (platform)
  • Google Play (platform)