“NoVoice” malware found on Google Play infected 2.3 million devices

A new Android malware strain named “NoVoice” has been discovered on Google Play. According to available information, the malware was concealed in more than 50 applications, which were downloaded at least 2.3 million times in total.

It was reported that the affected applications included cleaners, image galleries and games. As these apps required no suspicious permissions and provided the promised functionality, it was difficult for users to identify them as malicious.

According to the investigation, once an infected application is launched, the malware attempts to obtain root access on the device. To achieve this, it exploits older Android vulnerabilities that were patched between 2016 and 2021. It is noted that the malicious components were hidden among legitimate program modules, while the primary payload was concealed inside an image file using steganography.

At the next stage, the malware contacts a command-and-control (C2) server, collects various technical details about the device and determines the most appropriate exploitation strategy. It was reported that the attackers used multiple kernel and driver vulnerabilities to obtain a root shell on the device, after which they weakened core security protections and established persistence on the system. As a result, the malware may remain on the device even after it has been restored to default settings.

According to the available information, during the post-exploitation phase, attacker-controlled code is injected into applications launched on the device. In particular, when WhatsApp is opened on an infected device, the malware extracts the sensitive data required to replicate the victim’s session, including encryption databases, keys, the phone number and backup-related information, and exfiltrates this data to the C2 server. This may allow the attackers to clone the victim’s WhatsApp session on their own device.

Although the malicious applications have reportedly been removed from Google Play, users who had installed them previously are considered to have had their devices and data compromised. Experts recommend that Android users rely on devices with more recent security updates and install applications only from trusted sources.
