NoVoice Android Malware - Infected 2.3 Million Devices
Basically, a harmful app called NoVoice infected millions of Android phones through Google Play.
A new Android malware named NoVoice has infected over 2.3 million devices via Google Play. This malware targets WhatsApp data, posing serious security risks. Users must take immediate action to secure their devices and data.
What Happened
A recently discovered Android malware, NoVoice, has been found hidden in over 50 apps on Google Play. These apps, which include cleaners, image galleries, and games, were downloaded at least 2.3 million times. Researchers from McAfee uncovered this operation, noting that NoVoice cleverly disguised itself by requiring no suspicious permissions and offering legitimate functionality. Once an infected app is launched, the malware attempts to gain root access by exploiting vulnerabilities in older Android versions, patched between 2016 and 2021.
The infection process is intricate. The malware conceals malicious components within the com.facebook.utils package, blending them with legitimate Facebook SDK classes. It uses steganography to hide an encrypted payload inside a PNG image file, which is then extracted and loaded into the device’s memory. This stealthy approach allows NoVoice to evade detection while it collects sensitive device information.
Who's Being Targeted
The NoVoice malware primarily targets Android users, particularly those who download apps from Google Play without verifying their safety. McAfee researchers found that the malware avoids infecting devices in specific regions, such as Beijing and Shenzhen, and implements numerous checks to detect emulators, debuggers, and VPNs. This targeted approach suggests that the attackers are focused on maximizing their impact while minimizing detection.
Once installed, NoVoice can silently install or remove apps and inject code into any app with internet access. This capability is especially concerning for users of popular applications like WhatsApp, where the malware can extract sensitive data to replicate user sessions. The potential for widespread data theft makes this malware particularly dangerous.
What Data Was Exposed
After successfully gaining root access, NoVoice can manipulate key system libraries and establish multiple layers of persistence on the infected device. It primarily targets WhatsApp, extracting critical data such as encryption databases, Signal protocol keys, and account identifiers. This information is then sent back to the attackers, allowing them to clone the victim's WhatsApp session on their own devices.
The malware's modular design means it could potentially be adapted to target other applications, increasing the risk for users. The persistence mechanisms are particularly alarming, as they allow the malware to survive factory resets, making removal challenging for affected users.
What You Should Do
If you suspect your device may be infected with NoVoice, immediate action is necessary. McAfee has reported the malicious apps to Google, which has since removed them from the Play Store. However, users who previously installed these apps should consider their devices compromised.
To mitigate the threat, it is advised to upgrade to a device running a later security patch. Users should also only download apps from trusted publishers and remain vigilant about app permissions. Regularly updating your device and its applications can significantly reduce the risk of infection from malware like NoVoice.