Malware & Ransomware · HIGH

NoVoice - Dangerous Android Rootkit Attacks Millions Worldwide

Cyber Security News
Tags: NoVoice · Android Rootkit · Malware · McAfee · Google Play

Basically, a sneaky app called NoVoice is secretly taking control of millions of Android phones.

Quick Summary

A new Android rootkit called NoVoice has infiltrated over 50 apps on Google Play, affecting millions. Users in various countries are at risk, especially those with older devices. Google has removed the malicious apps, but vigilance is crucial for protection.

What Happened

A dangerous Android rootkit, known as NoVoice, has infiltrated over 50 apps on Google Play, affecting more than 2.3 million devices globally. This malware, tracked under Operation NoVoice, uses 22 exploits to gain full control of infected devices without raising any alarms. The apps masquerade as harmless tools, such as phone cleaners and casual games, making the threat difficult for users to detect.

How It Works

Once a user opens an infected app, the malware activates without any further interaction. Its malicious code is hidden within the app's Facebook SDK initialization path, allowing it to run silently in the background. The malware also uses evasion techniques, such as embedding an encrypted payload in a normal-looking image file, to slip past security scans.

Before executing its malicious actions, NoVoice conducts 15 verification checks to ensure it is not running in a controlled environment, such as emulators or debuggers. If the device passes these checks, it connects to a command-and-control (C2) server and downloads specific root exploits tailored to the device's chipset and kernel version.
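The article says the payload travels inside an image file that looks normal but does not say how it is embedded. One common way to hide a blob in an image is to append it after the format's end marker, where viewers ignore it. The following is an added example, not code from the article or from McAfee, of a defender-side check for that specific trick on PNG files: walk the chunk list, collect anything after the IEND chunk, and flag it if it is large and high-entropy (encrypted or compressed data scores near 8 bits per byte). The sample PNG and the appended pseudo-random "payload" are constructed here; whether NoVoice uses this particular layout is an assumption, so treat a hit as a lead for further analysis rather than a verdict.

```python
import math
import random
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_data(data: bytes) -> Optional[bytes]:
    """Walk the PNG chunk list and return the bytes after the IEND chunk.

    Returns None if the data is not a PNG or no complete IEND chunk is found.
    A well-formed PNG ends at IEND, so a non-empty result is unexpected.
    """
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # length + type + payload + crc
        if chunk_end > len(data):
            return None  # truncated chunk; not a parseable PNG
        if ctype == b"IEND":
            return data[chunk_end:]
        pos = chunk_end
    return None


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; random, encrypted or compressed data approaches 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_png(data: bytes, min_trailer: int = 64, min_entropy: float = 7.0) -> bool:
    """True when a PNG carries a sizeable, high-entropy blob after IEND."""
    trailer = png_trailing_data(data)
    return (trailer is not None
            and len(trailer) >= min_trailer
            and shannon_entropy(trailer) >= min_entropy)


# --- constructed sample data below (not taken from any real APK) -------------

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """A minimal valid 1x1 grayscale PNG: signature, IHDR, IDAT, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


CLEAN_PNG = build_sample_png()
# Stand-in for an encrypted payload: seeded pseudo-random bytes so runs are reproducible.
_rng = random.Random(1)
PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(2048))
STUFFED_PNG = CLEAN_PNG + PAYLOAD

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("stuffed", STUFFED_PNG)):
        trailer = png_trailing_data(blob) or b""
        print(f"{name}: {len(trailer)} trailing bytes, "
              f"entropy={shannon_entropy(trailer):.2f}, suspicious={suspicious_png(blob)}")
```

The same idea extends to JPEG (data after the FFD9 end-of-image marker) and GIF (after the 0x3B trailer); the entropy threshold is what separates an appended ciphertext from harmless metadata such as an XMP trailer.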

Who's Being Targeted

The reach of this campaign is particularly concerning, with the highest infection rates reported in countries like Nigeria, Ethiopia, Algeria, India, and Kenya. These regions often have older, unpatched Android devices, making them more susceptible to exploitation. Users in these areas should remain vigilant, as their devices are at serious risk if they run Android versions lower than 7.

Signs of Infection

Users may not notice any immediate symptoms, as NoVoice operates quietly. However, if you suspect your device might be infected, look for unusual behavior, such as unexpected app crashes or performance issues. The malware is designed to maintain a persistent presence, automatically reinstalling itself if any components are removed.

How to Protect Yourself

To safeguard against NoVoice, users should:

  • Ensure their devices are updated to at least the May 1, 2021 security patch level.
  • Perform a full firmware reflash if they suspect infection, as a factory reset will not eliminate the rootkit.
  • Download apps only from trusted developers and be cautious with utility and gaming applications.
  • Block known C2 domains at the network level to disrupt the infection chain.
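The first bullet and the "Who's Being Targeted" section give two concrete baselines: a security patch level of at least 2021-05-01 and an Android version of 7 or higher. Those two values are exposed by every Android build as the system properties `ro.build.version.security_patch` and `ro.build.version.release`, readable with `adb shell getprop`. The script below is an added example (not code from the article, McAfee or Google) that parses `getprop` output and reports which of the two baselines a device misses; the sample property dumps are constructed, and the thresholds are taken straight from the article.

```python
import re
import subprocess
from datetime import date
from typing import Dict, List, Optional

MIN_PATCH_LEVEL = date(2021, 5, 1)   # article: update to at least the May 1, 2021 patch level
MIN_MAJOR_RELEASE = 7                # article: devices below Android 7 are at serious risk

# `getprop` prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(output: str) -> Dict[str, str]:
    """Turn raw `adb shell getprop` output into a key/value dict."""
    props: Dict[str, str] = {}
    for line in output.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def parse_patch_level(value: Optional[str]) -> Optional[date]:
    """Security patch levels are YYYY-MM-DD strings; None if missing or malformed."""
    try:
        y, m, d = (int(x) for x in value.split("-"))
        return date(y, m, d)
    except (ValueError, AttributeError):
        return None


def major_release(value: Optional[str]) -> Optional[int]:
    """'6.0.1' -> 6, '12' -> 12; None if missing or malformed."""
    try:
        return int(value.split(".")[0])
    except (ValueError, AttributeError):
        return None


def assess(props: Dict[str, str]) -> List[str]:
    """Return findings against the article's baselines; an empty list means the device meets them."""
    findings: List[str] = []
    patch = parse_patch_level(props.get("ro.build.version.security_patch"))
    if patch is None:
        findings.append("security patch level missing or unparsable")
    elif patch < MIN_PATCH_LEVEL:
        findings.append(f"security patch level {patch} is older than {MIN_PATCH_LEVEL}")
    rel = major_release(props.get("ro.build.version.release"))
    if rel is None:
        findings.append("Android release missing or unparsable")
    elif rel < MIN_MAJOR_RELEASE:
        findings.append(f"Android {rel} is below the minimum of {MIN_MAJOR_RELEASE}")
    return findings


def assess_attached_device() -> List[str]:
    """Run the check against a device attached over adb (requires adb on PATH)."""
    out = subprocess.run(["adb", "shell", "getprop"], capture_output=True, text=True, check=True)
    return assess(parse_getprop(out.stdout))


# --- constructed sample dumps (not from any real device) ---------------------
OLD_DEVICE = """[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2019-08-05]
[ro.product.model]: [constructed-sample-old]
"""

PATCHED_DEVICE = """[ro.build.version.release]: [12]
[ro.build.version.security_patch]: [2023-01-05]
[ro.product.model]: [constructed-sample-new]
"""

if __name__ == "__main__":
    for name, dump in (("old", OLD_DEVICE), ("patched", PATCHED_DEVICE)):
        print(name, assess(parse_getprop(dump)) or ["meets baseline"])
```

A device that passes both checks is not proven clean; the article's own guidance is that a suspected infection needs a full firmware reflash, since a factory reset does not remove the rootkit.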

Following the responsible disclosure by McAfee, Google has removed all identified apps and banned the associated developer accounts. However, the threat remains significant, especially for users with outdated devices. Staying informed and proactive is essential to mitigate the risks posed by this silent yet powerful malware.

🔒 Pro insight: The stealthy nature of NoVoice highlights the need for enhanced app vetting processes on platforms like Google Play.

Original article from Cyber Security News · Tushar Subhra Dutta
