
NoVoice Android Malware Infects 2.3 Million Devices via Google Play Apps

Severity: High (Score: 72.5)

Sources: Cybersecuritynews, Scworld, Bleepingcomputer, Gbhackers

Summary

The NoVoice Android malware has been discovered on Google Play, hidden in over 50 apps that have been downloaded more than 2.3 million times. The malware, identified by McAfee, exploits 22 vulnerabilities in older Android versions to gain root access and compromise devices. The infected apps, which include cleaners and games, requested minimal permissions and functioned normally to avoid detection. Once activated, NoVoice attempts to gain root access by exploiting vulnerabilities that were patched between 2016 and 2021. It uses steganography to conceal malicious payloads inside PNG files and performs checks for emulators and VPNs to evade analysis. After compromising a device, the malware can inject code into every launched application, primarily targeting WhatsApp in order to exfiltrate session data. Its persistence mechanisms allow it to survive factory resets, posing a significant risk to users. Google has removed the malicious apps, but users who downloaded them are advised to treat their devices as compromised.

Key Points:

  • NoVoice malware has infected over 2.3 million Android devices via Google Play.
  • The malware exploits 22 vulnerabilities to gain root access and clone WhatsApp sessions.
  • Users are advised to update their devices and only download apps from trusted sources.

Key Entities

  • Data Breach (attack_type)
  • Malware (attack_type)
  • NoVoice Operation (campaign)
  • Operation NoVoice (campaign)
  • China (country)
  • NoVoice (malware)
  • Triada (malware)
  • T1027 - Obfuscated Files Or Information (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1055 - Process Injection (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • T1547 - Boot Or Logon Autostart Execution (mitre_attack)
  • Android (platform)
  • Google Play (platform)