Google Play Protect Archives

AppWizard

April 25, 2026

NoVoice malware hit 2.3 million Android devices through apps Google never should have approved

McAfee researchers discovered a complex Android rootkit campaign, dubbed Operation NoVoice, that infiltrated 50 applications on Google Play, exploiting vulnerabilities in the kernel that had been patched but not uninstalled. The malware was resilient enough to survive factory resets and was concealed within seemingly benign apps, which collectively garnered 2.3 million downloads. The malicious payload was hidden in the com.facebook.utils package and used steganography to embed an encrypted payload within a PNG image. The malware conducted multiple checks to avoid detection and established contact with a command-and-control server, polling for exploit packages every 60 seconds. It utilized 22 distinct exploits, including vulnerabilities that had received patches between 2016 and 2021. The malware disabled SELinux enforcement and installed a persistent rootkit that could survive factory resets. Google confirmed the removal of the infected apps but noted that users who had already downloaded them remained at risk, especially if their devices were running unpatched Android versions. McAfee advised affected users to treat their devices as compromised and consider professional inspection or hardware-level storage wiping for remediation.

Tech Optimizer

April 22, 2026

Best Android Antivirus Apps for 2026 With Powerful Malware Defense, Anti‑Theft Features, and Privacy Protection

In 2026, Android users face increasing threats from sophisticated malware, theft tactics, and tracking, making antivirus apps essential for daily security. Android remains a prime target for cybercriminals, with built-in protections insufficient against risks from dubious apps, malicious websites, and unsecured Wi-Fi networks. Antivirus apps enhance security through real-time malware scanning, safer browsing, and device management features. Norton 360 for Android offers strong malware detection and privacy tools, including real-time scans and web protection. Bitdefender Mobile Security provides high malware detection rates with minimal device performance impact, featuring cloud-based scanning and a built-in VPN. Avast Mobile Security is a popular free option with anti-theft capabilities, while Avira Security focuses on privacy protection with a lightweight design. McAfee Mobile Security supports multi-device security and includes identity-monitoring features. Kaspersky and other antivirus options emphasize malware detection, web protection, and anti-theft tools. Choosing the right antivirus app depends on individual priorities, such as malware protection, anti-theft controls, or privacy features. Users should consider factors like price, device count, and performance when selecting an app.

AppWizard

April 21, 2026

Trojanized Android App Fuels New Wave of NFC Fraud

A new variant of the NGate malware family has emerged, using a trojanized Android application to capture payment card data and personal identification numbers (PINs). This modified version of HandyPay, a legitimate NFC relay app, has been distributed since November 2025, primarily targeting users in Brazil. The malware intercepts NFC payment card data and allows fraudulent transactions. Two distinct malware samples have been observed, delivered through phishing infrastructure that impersonates a Brazilian lottery site and a Google Play listing for a card protection tool. The trojanized app captures NFC data, requests the victim's card PIN, and transmits this information to attacker-controlled infrastructure. It requires minimal permissions, leveraging its role as the default payment application to evade detection. Evidence suggests that generative AI tools may have been used in its development, indicated by emoji markers in debug logs. ESET has reported its findings to Google, and Google Play Protect can detect known versions of the malware. The developer of HandyPay is investigating the misuse of its application.

AppWizard

April 21, 2026

New NGate Android malware variant uses NFC app to steal card data

A new variant of the NGate Android malware exploits a legitimate NFC payment app, HandyPay, to steal users' card information and PINs, enabling unauthorized contactless transactions. This malicious version of HandyPay, which has been available since 2021, was identified by ESET researchers and is distributed through a fraudulent lottery website and a fake Google Play page. The malware captures sensitive information by prompting users to enter their payment card PIN and tap their card against the device, sending the data to an attacker-controlled phone and exfiltrating the PIN to a command-and-control server. The campaign employs social engineering tactics and requires minimal permissions, relying on users to enable app installations from unknown sources. The attackers use a centralized infrastructure for malware distribution and PIN collection, with evidence of compromised devices in Brazil. The shift to modifying a legitimate application is motivated by financial incentives, as it offers similar functionality at a lower cost compared to underground tools. Users are advised to avoid installing apps from unofficial sources and to ensure the legitimacy of applications before entering sensitive information.

AppWizard

April 6, 2026

Dangerous “NoVoice” malware found in over 50 Play Store apps that were installed 2.3 million times

A new malware threat called "NoVoice" has been found in over 50 applications on the Google Play Store, with 2.3 million installations on Android devices. Discovered by McAfee, this malware is hidden in seemingly harmless apps like system cleaners, games, and image galleries. It exploits Android vulnerabilities to gain root access, potentially allowing attackers to steal sensitive information and manipulate applications without user consent. In some cases, it may persist even after a factory reset. Google has stated that Android devices updated since May 2021 are protected against this threat and that Google Play Protect actively removes malicious apps and blocks new installations. The malware was not able to infect devices in Beijing and Shenzhen, suggesting the attackers may be avoiding local law enforcement. One identified app carrying the NoVoice payload is SwiftClean, developed by Biodun Popoola. The malware operates using a silent audio file, executing its code without user detection. Users are advised to download apps only from the Google Play Store and keep their devices updated.

AppWizard

April 3, 2026

2.3 Million Users Affected by New Android Malware Hid in 50 Google Play Apps

Google has imposed strict restrictions on sideloading applications on Android devices due to concerns about risks from external sources. A new malware named NoVoice has been discovered on Google Play, embedded in over 50 applications with at least 2.3 million downloads, potentially compromising that many devices. The malware seeks root access by exploiting vulnerabilities in older Android versions and can steal sensitive data and install/remove apps without consent. It is difficult to remove, as it installs recovery scripts that survive factory resets. However, Google has stated that devices updated since May 2021 are protected against this threat, and Google Play Protect removes these apps and blocks new installs. Users with devices updated after May 2021 are considered safe, while those with infected apps should consider their devices compromised.

AppWizard

April 3, 2026

Google Responds As 50 Apps With 2 Million Downloads Hit By Malware

Researchers at McAfee Labs discovered that 50 Android applications on the Google Play Store contain malware known as NoVoice, which can grant full remote access to infected smartphones. These apps have over 2.3 million downloads. The malware can communicate with remote servers, profile devices, and download tailored root exploits, potentially compromising specific hardware and software configurations. However, devices with an Android security patch level of May 2021 or later are not vulnerable to these exploits, as the vulnerabilities were patched by Android between 2016 and 2021. Google Play Protect removes these apps and blocks new installs, and users are advised to keep their devices updated with the latest security patches.

AppWizard

March 16, 2026

Advanced Protection Mode in Android 17 prevents apps from misusing Accessibility Services

Android 17 has introduced Advanced Protection Mode (AAPM) to enhance user security by preventing non-accessibility applications from using the Accessibility API, which has been exploited by malware. AAPM allows only verified accessibility tools to utilize the API and implements stricter security settings, including blocking installations from unknown sources, limiting USB data access, and mandating Google Play Protect scans. Applications must declare themselves as accessibility tools with the attribute isAccessibilityTool="true" to use the Accessibility Services API. Additionally, Android 17 features a new contacts picker that allows applications to request access to specific contact fields instead of the entire address book, enhancing user privacy.

AppWizard

March 16, 2026

Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse

Google is piloting a security enhancement in its Android Advanced Protection Mode (AAPM) that restricts certain applications from using the accessibility services API. This update is part of Android 17 Beta 2. AAPM, introduced in Android 16, enhances device security by blocking app installations from unknown sources, restricting USB data signaling, and mandating Google Play Protect scanning. Developers can integrate with AAPM through the AdvancedProtectionManager API to adapt their apps based on the security mode's status. The new restriction prevents non-accessibility apps from accessing the accessibility services API, allowing only verified accessibility tools like screen readers and voice-based input tools. Non-accessibility apps, including antivirus software and password managers, will have their access revoked when AAPM is activated, and users cannot grant permissions to these apps unless AAPM is disabled. Additionally, Android 17 introduces a new contacts picker feature that allows developers to specify which fields to access from a user's contact list, providing more granular control over data access.

Tech Optimizer

February 22, 2026

Researchers Discover First Android Malware Using Generative AI for Persistence

Security researchers have identified a new Android Trojan named PromptSpy that uses generative AI technology to enhance its persistence on compromised devices. Discovered by ESET researchers, PromptSpy leverages Google's Gemini AI model to analyze infected device screens and generate tailored instructions for embedding itself within recent apps lists. It includes a Virtual Network Computing (VNC) module that allows attackers full remote control over the device, enabling activities such as viewing the screen, performing actions remotely, capturing lock screen data, blocking uninstallation attempts, gathering device information, taking screenshots, and recording screen activity as video. The malware communicates with command-and-control servers using AES encryption and exploits Android Accessibility Services, making it difficult to remove. PromptSpy is distributed through a dedicated website and is financially motivated, adapting to various Android interfaces and operating system versions. ESET's analysis indicates that the malware is regionally targeted, with a focus on Argentina, and may have been developed in a Chinese-speaking environment. The same threat actor is believed to be responsible for both VNCSpy and PromptSpy.