‘NoVoice’ Android malware on Google Play infected 2.3 million devices

A new Android malware, dubbed NoVoice, has been discovered lurking within over 50 applications on Google Play, amassing more than 2.3 million downloads. The affected apps, which range from cleaners and image galleries to games, appeared benign, requiring no suspicious permissions while delivering their promised functionalities.

Upon launching an infected application, NoVoice attempts to gain root access by exploiting vulnerabilities in older Android versions, specifically those patched between 2016 and 2021. Researchers from cybersecurity firm McAfee uncovered the NoVoice operation, although they were unable to associate it with a specific threat actor. Notably, the malware exhibits similarities to the notorious Triada Android trojan.

App on Google Play carrying the NoVoice payload
Source: McAfee

NoVoice infection chain

According to McAfee’s findings, the threat actor concealed the malicious components within the com.facebook.utils package, blending them with legitimate Facebook SDK classes. The malware uses steganography to hide an encrypted payload (enc.apk) inside a PNG image file; at runtime the payload is extracted as h.apk and loaded directly into memory, and the intermediate files are deleted to cover its tracks.
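The two cheapest ways to hide a payload in a PNG are to append it after the IEND chunk or to carry it in a private (non-standard) chunk, since image decoders ignore both. The scanner below, added here as an example and not McAfee’s tooling or any code from the NoVoice samples, walks every .png entry in an APK, parses the PNG chunk structure, and flags trailing data, private chunks and bad CRCs, reporting byte entropy so that encrypted blobs stand out. It does not detect pixel-level (LSB) steganography, and the sample APK, file names and the high-entropy stand-in payload are constructed for the demonstration.

```python
# Added example: scan PNG assets in an APK for data that is not part of the image.
# Not the malware's code and not McAfee's scanner; the sample APK below is constructed.
import io
import math
import struct
import zipfile
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types from the PNG spec plus common extensions (APNG, eXIf). Anything
# else is a private chunk; assumption: a benign app asset has no reason to use one.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf", b"acTL", b"fcTL", b"fdAT",
}
ENTROPY_THRESHOLD = 7.0  # bits/byte; compressed or encrypted data sits close to 8


def entropy(data):
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _tag(e):
    return " (high-entropy)" if e > ENTROPY_THRESHOLD else ""


def scan_png(blob):
    """Parse the chunk stream; return a list of findings (empty means nothing unusual)."""
    if not blob.startswith(PNG_SIG):
        return ["missing PNG signature"]
    findings, pos, saw_iend = [], len(PNG_SIG), False
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        name = ctype.decode("latin-1")
        if len(data) < length or len(crc) < 4:
            findings.append("truncated chunk %s" % name)
            return findings
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            findings.append("bad CRC on chunk %s" % name)
        if ctype not in KNOWN_CHUNKS:
            e = entropy(data)
            findings.append("private chunk %s, %d bytes, %.2f bits/byte%s" % (name, length, e, _tag(e)))
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            break  # a decoder stops here; anything after this point is never rendered
    if not saw_iend:
        findings.append("no IEND chunk")
    trailer = blob[pos:]
    if trailer:
        e = entropy(trailer)
        findings.append("%d bytes after IEND, %.2f bits/byte%s" % (len(trailer), e, _tag(e)))
    return findings


def scan_apk(apk_bytes):
    """An APK is a zip: scan every .png entry and return {entry_name: findings}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".png"):
                findings = scan_png(zf.read(name))
                if findings:
                    results[name] = findings
    return results


# --- constructed test material, not real samples ----------------------------
def _chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)


def build_png(extra_chunks=(), trailer=b""):
    """Minimal valid 1x1 grayscale PNG, optionally with extra chunks and a trailer."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    body = PNG_SIG + _chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        body += _chunk(ctype, data)
    return body + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer


# Stand-in for an encrypted payload: every byte value equally often, 8.0 bits/byte.
FAKE_ENC_PAYLOAD = bytes(range(256)) * 16


def build_sample_apk():
    """Constructed APK-like zip: one clean icon, one PNG with a trailer, one with a private chunk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("res/drawable/icon.png", build_png())
        zf.writestr("assets/bg.png", build_png(trailer=FAKE_ENC_PAYLOAD))
        zf.writestr("assets/splash.png", build_png(extra_chunks=[(b"prVt", FAKE_ENC_PAYLOAD)]))
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, findings in scan_apk(build_sample_apk()).items():
        print(entry)
        for f in findings:
            print("   ", f)
```

Run against a real APK with `scan_apk(open("app.apk", "rb").read())`; a high-entropy trailer or private chunk in a drawable is not proof of malware on its own (some build pipelines leave metadata), but it is exactly where an analyst should look next.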

Interestingly, the malware avoids infecting devices in certain regions, such as Beijing and Shenzhen, and implements 15 checks to detect emulators, debuggers, and VPNs. The geofence depends on location permission: if the app has not been granted it, the region check cannot run and the infection chain simply proceeds.

Validation checks performed on the infected device
Source: McAfee

Once activated, the malware reaches out to its command-and-control (C2) server, gathering critical device information, including hardware details, kernel version, Android version and patch level, installed applications, and root status. This data helps the malware determine its exploit strategy.

Subsequently, the malware polls the C2 server every 60 seconds, downloading components tailored to the specific device and aimed at rooting it. McAfee identified 22 exploits, including ones for Linux kernel and Arm Mali GPU driver vulnerabilities, which give the operators a root shell and disable SELinux enforcement, undermining the device’s core security protections.

After successfully rooting the device, the malware replaces key system libraries, such as libandroid_runtime.so and libmedia_jni.so, with modified wrappers that intercept calls and redirect execution to malicious code. The rootkit establishes multiple layers of persistence, including installing recovery scripts and replacing the system crash handler with a rootkit loader. As a result, even a factory reset does not remove the malware, because it resides in a part of the device’s storage that a reset leaves untouched.

A watchdog daemon operates every 60 seconds to verify the rootkit’s integrity, automatically reinstalling any missing components. If any checks fail, the device is forced to reboot, reloading the rootkit.

WhatsApp data theft

In the post-exploitation phase, the malware injects attacker-controlled code into every application launched on the device. Two primary components are deployed: one facilitates silent installation or removal of apps, while the other operates within any app that has internet access. This latter component serves as the main mechanism for data theft, with McAfee noting a particular focus on the WhatsApp messaging app.

When WhatsApp is opened on an infected device, the malware extracts the data needed to replicate the victim’s session, including the encrypted databases, Signal protocol keys, and account identifiers such as phone numbers and Google Drive backup details. This information is exfiltrated to the C2 server, allowing the attackers to clone the victim’s WhatsApp session on their own devices.

Code for stealing WhatsApp databases
Source: McAfee

While McAfee recovered a payload specifically targeting WhatsApp, the modular design of NoVoice suggests that it could potentially deploy other payloads aimed at various applications on the device. Following the discovery, the malicious apps containing the NoVoice payloads have been removed from Google Play after McAfee reported them to Google.

However, users who previously installed these applications should consider their devices and data compromised. Since the newest vulnerability NoVoice exploits was patched in May 2021, moving to a device with a later security patch level is a prudent measure against this threat. Android users are advised to upgrade to actively supported models and to install applications only from trusted, reputable publishers, even within the Google Play ecosystem.
