Play Protect Archives

AppWizard

April 6, 2026

Dangerous “NoVoice” malware found in over 50 Play Store apps that were installed 2.3 million times

A new malware threat called "NoVoice" has been found in over 50 applications on the Google Play Store, with 2.3 million installations on Android devices. Discovered by McAfee, this malware is hidden in seemingly harmless apps like system cleaners, games, and image galleries. It exploits Android vulnerabilities to gain root access, potentially allowing attackers to steal sensitive information and manipulate applications without user consent. In some cases, it may persist even after a factory reset. Google has stated that Android devices updated since May 2021 are protected against this threat and that Google Play Protect actively removes malicious apps and blocks new installations. The malware was not able to infect devices in Beijing and Shenzhen, suggesting the attackers may be avoiding local law enforcement. One identified app carrying the NoVoice payload is SwiftClean, developed by Biodun Popoola. The malware operates using a silent audio file, executing its code without user detection. Users are advised to download apps only from the Google Play Store and keep their devices updated.

AppWizard

April 3, 2026

2.3 Million Users Affected by New Android Malware Hid in 50 Google Play Apps

Google has imposed strict restrictions on sideloading applications on Android devices due to concerns about risks from external sources. A new malware named NoVoice has been discovered on Google Play, embedded in over 50 applications with at least 2.3 million downloads, potentially compromising that many devices. The malware seeks root access by exploiting vulnerabilities in older Android versions and can steal sensitive data and install/remove apps without consent. It is difficult to remove, as it installs recovery scripts that survive factory resets. However, Google has stated that devices updated since May 2021 are protected against this threat, and Google Play Protect removes these apps and blocks new installs. Users with devices updated after May 2021 are considered safe, while those with infected apps should consider their devices compromised.

AppWizard

April 3, 2026

Google Responds As 50 Apps With 2 Million Downloads Hit By Malware

Researchers at McAfee Labs discovered that 50 Android applications on the Google Play Store contain malware known as NoVoice, which can grant full remote access to infected smartphones. These apps have over 2.3 million downloads. The malware can communicate with remote servers, profile devices, and download tailored root exploits, potentially compromising specific hardware and software configurations. However, devices with an Android security patch level of May 2021 or later are not vulnerable to these exploits, as the vulnerabilities were patched by Android between 2016 and 2021. Google Play Protect removes these apps and blocks new installs, and users are advised to keep their devices updated with the latest security patches.

AppWizard

March 20, 2026

Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams

Google has introduced a new "advanced flow" for Android sideloading, which includes a mandatory 24-hour waiting period for users installing applications from unverified developers. This follows a developer verification mandate requiring all Android applications to be registered by verified developers to help identify malicious actors and reduce malware distribution. The new sideloading protocol aims to mitigate risks from cybercriminals who may deceive users into disabling Play Protect, Google's anti-malware feature. Over 50 app developers and marketplaces, including F-Droid and Brave, have expressed concerns about the registration requirements, arguing they could create barriers and raise privacy issues. Google has outlined a one-time process for sideloading apps, which includes enabling developer mode, confirming voluntary sideloading, restarting the device, waiting 24 hours, and using biometric authentication or a PIN to install apps. Google plans to introduce free "limited distribution accounts" for hobbyist developers and students to share apps with up to 20 devices without needing government-issued IDs or registration fees. This process will not apply to installations via the Android Debug Bridge (ADB) and is set to be available in August 2026, ahead of new developer verification requirements. This announcement comes as a new Android malware, Perseus, targets users in Turkey and Italy, with at least 17 distinct Android malware families identified in the past four months.

AppWizard

March 16, 2026

Advanced Protection Mode in Android 17 prevents apps from misusing Accessibility Services

Android 17 has introduced Advanced Protection Mode (AAPM) to enhance user security by preventing non-accessibility applications from using the Accessibility API, which has been exploited by malware. AAPM allows only verified accessibility tools to utilize the API and implements stricter security settings, including blocking installations from unknown sources, limiting USB data access, and mandating Google Play Protect scans. Applications must declare themselves as accessibility tools with the attribute isAccessibilityTool="true" to use the Accessibility Services API. Additionally, Android 17 features a new contacts picker that allows applications to request access to specific contact fields instead of the entire address book, enhancing user privacy.

AppWizard

March 16, 2026

Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse

Google is piloting a security enhancement in its Android Advanced Protection Mode (AAPM) that restricts certain applications from using the accessibility services API. This update is part of Android 17 Beta 2. AAPM, introduced in Android 16, enhances device security by blocking app installations from unknown sources, restricting USB data signaling, and mandating Google Play Protect scanning. Developers can integrate with AAPM through the AdvancedProtectionManager API to adapt their apps based on the security mode's status. The new restriction prevents non-accessibility apps from accessing the accessibility services API, allowing only verified accessibility tools like screen readers and voice-based input tools. Non-accessibility apps, including antivirus software and password managers, will have their access revoked when AAPM is activated, and users cannot grant permissions to these apps unless AAPM is disabled. Additionally, Android 17 introduces a new contacts picker feature that allows developers to specify which fields to access from a user's contact list, providing more granular control over data access.

AppWizard

March 13, 2026

F-Droid says Google’s Android developer verification plan is an ‘existential’ threat to alternative app stores

Developers distributing apps outside of Google's Play Store will be required to register with Google in certain countries starting in September, with plans for global expansion by 2027. This policy aims to enhance security by removing anonymity from developers but comes with a registration fee and the need for government identification. F-Droid, an open-source app repository, has raised concerns that this policy could threaten its existence by mandating a single signature for all apps. F-Droid initiated a public campaign against these changes, garnering support from various organizations. Despite some interest from regulators, progress is slow, and there are fears that Google's verification program may be implemented before any regulatory action occurs. F-Droid encourages developers to avoid signing up for the early access program and has launched a petition to voice concerns.

AppWizard

March 11, 2026

New BeatBanker Android malware poses as Starlink app to hijack devices

A newly identified Android malware called BeatBanker disguises itself as a Starlink application on fake Google Play Store websites. It functions as a banking trojan and includes Monero mining capabilities, allowing it to steal credentials and manipulate cryptocurrency transactions. Researchers at Kaspersky traced BeatBanker to campaigns targeting users in Brazil. The latest version uses the BTMOB RAT for remote access, enabling keylogging, screen recording, camera access, GPS tracking, and credential capture. BeatBanker is distributed as an APK file that decrypts and loads hidden code into memory, conducting environment checks before activation. It presents a fake Play Store update screen to trick users into granting permissions for additional payloads. To avoid detection, it delays malicious operations and plays a nearly inaudible MP3 file to maintain persistent activity. The malware uses a modified version of the XMRig miner to mine Monero on Android devices, connecting to mining pools through encrypted TLS connections. It can start or stop mining based on device conditions and uses Firebase Cloud Messaging to relay device information to its command-and-control server. Currently, BeatBanker infections have only been observed in Brazil, but there are concerns about its potential spread. Users are advised to avoid side-loading APKs from untrusted sources and to review app permissions regularly.

AppWizard

March 4, 2026

Google Announces Registered App Stores For Android

Google is launching a Registered App Stores program for Android, allowing third-party app stores to officially register if they meet specific quality and safety criteria. This program aims to provide a better installation experience for users and will be rolled out in a major Android release later this year, initially targeting markets outside the US. Registration is optional, and stores can continue using the existing sideloading process. Alongside this, Google is unbundling its fee structure, reducing service fees for developers to between 15% and 20%, with an additional 5% fee for using Google Play billing in certain regions. The rollout of the new billing structure is expected by the end of June in the US, UK, and Europe, with global completion by September 30, 2027. The initiative is part of a broader settlement with Epic Games and reflects ongoing legal pressures for greater competition in app distribution.

Tech Optimizer

February 22, 2026

Researchers Discover First Android Malware Using Generative AI for Persistence

Security researchers have identified a new Android Trojan named PromptSpy that uses generative AI technology to enhance its persistence on compromised devices. Discovered by ESET researchers, PromptSpy leverages Google's Gemini AI model to analyze infected device screens and generate tailored instructions for embedding itself within recent apps lists. It includes a Virtual Network Computing (VNC) module that allows attackers full remote control over the device, enabling activities such as viewing the screen, performing actions remotely, capturing lock screen data, blocking uninstallation attempts, gathering device information, taking screenshots, and recording screen activity as video. The malware communicates with command-and-control servers using AES encryption and exploits Android Accessibility Services, making it difficult to remove. PromptSpy is distributed through a dedicated website and is financially motivated, adapting to various Android interfaces and operating system versions. ESET's analysis indicates that the malware is regionally targeted, with a focus on Argentina, and may have been developed in a Chinese-speaking environment. The same threat actor is believed to be responsible for both VNCSpy and PromptSpy.