A newly discovered Android malware named NoVoice has been found hiding in more than 50 apps on Google Play, which were downloaded over 2.3 million times before being removed.

The infected apps included common tools like cleaners, photo galleries and mobile games. They appeared legitimate, worked as expected and did not request suspicious permissions, making them difficult for users to identify as harmful.

According to cybersecurity firm McAfee, the malware activates after the app is launched and attempts to gain root access by exploiting older Android vulnerabilities that were patched between 2016 and 2021.

Researchers said the attackers hid malicious code inside a package designed to look like part of Facebook’s software, blending it with legitimate components to avoid detection. The actual malware payload was concealed inside an image file using steganography, then extracted and executed in memory while deleting traces of its presence.

Once active, NoVoice connects to a remote command server to collect detailed information about the device, including system data, installed apps and security status. It then downloads specific exploits tailored to the device to gain full control.

McAfee identified at least 22 different exploits used in the attack. These allow hackers to bypass core Android protections, disable security features like SELinux and install a persistent rootkit that survives even a factory reset.

The malware also sets up multiple layers of persistence and includes a watchdog system that checks its integrity every minute, automatically reinstalling itself if removed.


One of the main goals of NoVoice is data theft, particularly targeting WhatsApp. When the messaging app is opened on an infected device, the malware extracts sensitive data such as encryption keys, account details and backup information. This data can then be used by attackers to clone the victim’s WhatsApp account.

Although researchers only confirmed WhatsApp-focused attacks, the malware’s flexible design means it could be adapted to target other apps as well.

Google removed the infected apps after being notified. However, users who previously installed them are advised to assume their devices may be compromised.



Security experts recommend updating Android devices to the latest available security patch and only downloading apps from trusted developers, even when using official platforms like Google Play.
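As an added example (not from McAfee or the original article), the following Python sketch triages a device for exposure using the output of two standard Android commands, `adb shell getprop` and `adb shell getenforce`. The function names, the sample outputs and the 2022-01-01 cutoff are assumptions made for illustration; the cutoff is derived from the article's statement that the exploited bugs were patched between 2016 and 2021.

```python
import re
from datetime import date

# Assumption: the exploited bugs were patched between 2016 and 2021, so a
# security patch level of 2022-01-01 or later should include those fixes.
CUTOFF = date(2022, 1, 1)

# `adb shell getprop` prints one property per line as "[key]: [value]".
PROP_RE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]\s*$")


def parse_getprop(text):
    """Parse getprop output into a dict of property name -> value."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def triage(getprop_text, getenforce_text):
    """Return a list of exposure findings for one device (empty if none)."""
    findings = []
    raw = parse_getprop(getprop_text).get("ro.build.version.security_patch", "")
    try:
        level = date.fromisoformat(raw)
    except ValueError:
        level = None  # property absent (very old builds) or malformed
    if level is None:
        findings.append("patch level missing or unparseable")
    elif level < CUTOFF:
        findings.append(f"patch level {raw} predates {CUTOFF.isoformat()}")
    # getenforce prints Enforcing, Permissive or Disabled.
    mode = getenforce_text.strip()
    if mode.lower() != "enforcing":
        findings.append(f"SELinux is {mode or 'unknown'}")
    return findings


# Constructed sample outputs, not taken from real devices.
OLD_DEVICE = """[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2019-03-05]
[ro.product.model]: [ExamplePhone]"""
NEW_DEVICE = """[ro.build.version.release]: [14]
[ro.build.version.security_patch]: [2024-06-01]"""

if __name__ == "__main__":
    for name, props, mode in [("old", OLD_DEVICE, "Permissive\n"),
                              ("new", NEW_DEVICE, "Enforcing\n")]:
        print(name, triage(props, mode) or "no findings")
```

These checks measure exposure to the older vulnerabilities, not infection: a device that was already rooted can report whatever values the attacker chooses.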
