Millions of Android users on alert: 50 applications from Google Play have been infected with dangerous software

The NoVoice malware was found in 50 Android apps on Google Play with 2.3 million downloads, managing to evade detection and target out-of-date devices.


Hackers haven’t bypassed Google Play’s defenses. They walked right in through the front door.

The NoVoice malware was found in apps installed directly from the Google Play Store that were downloaded more than 2.3 million times, potentially exposing millions of devices. In this unusual scenario, it has extracted sensitive data from infected devices, TechRepublic writes.

The affected apps were first identified by McAfee researchers, then reported to Google and removed. While no perpetrators of the attack have been officially named, the malware’s behavior follows a pattern familiar from known groups, prompting new warnings for Android users to remain vigilant.

A silent and unusual malware

While much of the malware targeting Android users comes from apps installed from external sources, or is introduced after the app has been downloaded, this malware reached users directly through the Google Play Store.

By developing and publishing seemingly harmless games, cleaning apps, and photo galleries on the Google Play Store, attackers were able to hide malicious behavior during Google’s code review until after the user installed the app. By having the apps actually deliver the promised functionality, the malware avoided early detection.

Once the infected application is launched, the dormant malware activates and first tries to exploit old Android vulnerabilities patched between 2016 and 2021, according to BleepingComputer.

If it manages to gain root access through these vulnerabilities, the malware evades defense systems by hiding the malicious components in packages that appear legitimate. It then extracts encrypted code hidden in seemingly harmless files and loads it into memory for execution.

According to the researchers, as soon as it is loaded into memory, it collects device-specific identifiers such as hardware details, kernel and Android version, installed apps and root status. With this data, it contacts a command and control server (C2) and repeats the process every 60 seconds, receiving additional instructions tailored to the device.
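A fixed 60-second check-in like the one described above is something defenders can look for in network logs. The following Python is an added example, not code from McAfee or the other sources cited here; the flow-record format, the hostnames, and the thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev


def _flows(device, dest, stamps):
    """Build constructed flow records for one device/destination pair."""
    return [(t, device, dest) for t in stamps]


# Constructed sample records: (seconds since capture start, device, destination).
SAMPLE_FLOWS = (
    _flows("phone-a", "c2.example.invalid", [0, 60, 121, 180, 241, 300, 359])
    + _flows("phone-a", "cdn.example.invalid", [5, 12, 200, 210, 900, 905])
    + _flows("phone-b", "mail.example.invalid", [0, 10, 120, 130, 240, 250, 360])
    + _flows("phone-b", "push.example.invalid", [0, 900, 1800, 2700, 3600])
)


def find_beacons(flows, period=60.0, tolerance=5.0, max_jitter=3.0, min_events=5):
    """Return {(device, dest): (mean_gap, jitter)} for regular check-ins near `period`.

    A pair is flagged only if the average gap between connections is within
    `tolerance` seconds of `period` AND the gaps vary by no more than
    `max_jitter` seconds (population standard deviation). The second test
    rejects bursty traffic that merely averages out to one connection a minute.
    """
    by_pair = defaultdict(list)
    for ts, device, dest in flows:
        by_pair[(device, dest)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg, jitter = mean(gaps), pstdev(gaps)
        if abs(avg - period) <= tolerance and jitter <= max_jitter:
            hits[pair] = (round(avg, 1), round(jitter, 1))
    return hits


if __name__ == "__main__":
    for (device, dest), (avg, jitter) in find_beacons(SAMPLE_FLOWS).items():
        print(f"{device} -> {dest}: every {avg}s (jitter {jitter}s)")
```

In the sample, the mail traffic also averages one connection per 60 seconds but arrives in bursts, and the push service is regular but on a 15-minute cycle, so only the steady one-minute check-in is flagged.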

At this stage, the malware aims to gain complete control over the system by rooting the device. McAfee researchers identified 22 different exploits, including kernel and GPU driver vulnerabilities.

After compromising the device, the malware replaces essential Android packages with modified versions to control system execution.

Dangerous end-phase abilities

To achieve its ultimate goal, the malware can automatically install and delete apps, reboot the device to reactivate its components, and even steal data from secure apps like WhatsApp or banking apps.

According to researchers cited by BleepingComputer, the malware can extract WhatsApp’s internal data and use it to clone the session on the attacker’s device.


How the attack can be detected and prevented

After McAfee reported the incident, Google immediately removed the malicious apps. A company spokesperson confirmed that Android devices updated after May 2021 are protected because the exploited vulnerabilities have already been patched.

The list of the 50 infected apps has not been published, but for safety, users are advised to keep their devices updated and to install apps only from trusted developers.

Depending on the malware’s modus operandi, affected users may experience excessive battery drain, unexpected reboots, and apps mysteriously disappearing or being reinstalled.