Millions of Android Devices Hit by ‘NoVoice’ Malware Distributed via Google Play Store
A sophisticated Android malware strain dubbed “NoVoice” has infected at least 2.3 million devices, bypassing Google Play Store security through more than 50 seemingly innocent applications. The campaign highlights a critical risk for users on older hardware, as the malware specifically targets outdated systems to gain deep-level control.

Researchers at cybersecurity firm McAfee discovered the operation, noting that the malicious payload was hidden within a variety of apps, including mobile games, image galleries, and system cleaners. To avoid detection, these apps provided their promised functionality and did not request any suspicious permissions, which typically serve as a red flag for users and security scanners.
The NoVoice infection chain is particularly deceptive. According to McAfee, threat actors concealed malicious components within the com.facebook.utils package, mixing them with legitimate Facebook SDK classes to blend in. The malware utilizes steganography to hide an encrypted payload (enc.apk) inside a PNG image file. Once extracted as h.apk, the payload is loaded directly into the system memory, and all intermediate files are wiped to remove any forensic evidence of the intrusion.
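A defender-side triage for the PNG carrier described above, as an added example that is not from McAfee's report or the original article: it walks a PNG's chunk list and flags bytes after IEND, non-standard chunks and CRC mismatches, reporting the entropy of each suspicious region. The article does not say how NoVoice embeds enc.apk, so this assumes container-level hiding and will not catch payloads encoded in pixel data; the helper names and the sample image are constructed for illustration.

```python
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else gets flagged.
STANDARD = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM",
            b"sRGB", b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs",
            b"sBIT", b"sPLT", b"hIST", b"tIME"}

def entropy(data):
    """Shannon entropy in bits per byte; encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [data.count(bytes([v])) for v in range(256)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def triage_png(blob):
    """Return (kind, chunk_type, size, entropy) tuples for structural anomalies."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    findings, pos = [], len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        body = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        name = ctype.decode("latin-1")
        if len(body) < length or len(crc) < 4:
            findings.append(("truncated_chunk", name, len(body), 0.0))
            return findings
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc)[0]:
            findings.append(("bad_crc", name, length, 0.0))
        if ctype not in STANDARD:
            findings.append(("nonstandard_chunk", name, length, round(entropy(body), 2)))
        pos += 12 + length
        if ctype == b"IEND":
            break
    if pos < len(blob):  # bytes a PNG decoder ignores: a common hiding place
        extra = blob[pos:]
        findings.append(("trailing_data", "", len(extra), round(entropy(extra), 2)))
    return findings

def chunk(ctype, body):
    """Serialize one PNG chunk with a correct CRC."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def sample_png():
    """Constructed 1x1 grayscale PNG used as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b"")
```

Run over the image assets unpacked from an APK, a large high-entropy region in an otherwise small icon or splash image is a reason to pull the app for closer analysis, not proof of a payload.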
Once active, the malware attempts to obtain root access by exploiting known Android vulnerabilities that were patched between 2016 and 2021. This capability makes the malware potentially undeletable on older smartphones, allowing it to secretly monitor every application the user opens. The campaign underscores the ongoing danger posed to users who fail to update their device software.
The threat actors behind NoVoice implemented rigorous evasion techniques to avoid analysis. The malware performs 15 different checks to detect the presence of VPNs, debuggers, or emulators. The operation intentionally avoids infecting devices in specific Chinese regions, such as Shenzhen and Beijing. If location permissions are unavailable, the malware simply proceeds with the infection chain.
After bypassing these checks, the malware communicates with a command-and-control (C2) server to profile the infected device. It collects detailed information—including the Android version, patch level, kernel version, hardware details, installed apps, and current root status—to determine the most effective exploit strategy for that specific device.
While McAfee could not link the operation to a specific threat actor, researchers highlighted that NoVoice shares significant similarities with the Triada Android trojan. This evolution in malware delivery suggests that even official app stores can be leveraged to distribute high-level threats if the malicious apps successfully mimic legitimate SDKs and exploit legacy vulnerabilities.