Full Report
A new Android malware named NoVoice was found on Google Play, hidden in more than 50 apps that were downloaded at least 2.3 million times. [...]
Analysis Summary
# Incident Report: Operation NoVoice - Rootkit Malware Campaign
## Executive Summary
NoVoice is a sophisticated Android rootkit malware distributed via 50+ legitimate-looking apps on Google Play, affecting over 2.3 million devices. The malware exploits legacy Android vulnerabilities to gain root access, establishes persistence in the system partition to survive factory resets, and specifically targets WhatsApp sessions for cloning and data theft. All identified malicious applications have been removed from Google Play, but previously infected devices remain compromised.
## Incident Details
- **Discovery Date:** April 1, 2026 (Public release)
- **Incident Date:** 2016 – 2026 (Exploitation of vulnerabilities spanning this period)
- **Affected Organization:** Android Users (via Google Play Store)
- **Sector:** Telecommunications / Mobile Software
- **Geography:** Global (with exclusion of specific regions like Beijing and Shenzhen, China)
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing through early 2026
- **Vector:** Seemingly legitimate utility apps (cleaners, galleries, games) published on Google Play.
- **Details:** Attackers hid malicious components within the `com.facebook.utils` package, blending with legitimate Facebook SDK classes.
### Lateral Movement
- **Movement Type:** Local Privilege Escalation.
- **Details:** The malware pivots from the sandbox of the infected app to the Android system level by deploying device-specific exploits (e.g., kernel use-after-free and Mali GPU driver flaws).
### Data Exfiltration/Impact
- **WhatsApp Cloning:** Stole Signal protocol keys, encryption databases, and Google Drive backup details.
- **System Integrity:** Hooked system libraries (`libandroid_runtime.so`) to intercept system calls across all applications.
### Detection & Response
- **Discovery:** Identified by McAfee researchers via behavioral analysis and steganography detection.
- **Response Actions:** McAfee reported findings to Google via the App Defense Alliance; Google removed the 50+ apps from the Play Store.
## Attack Methodology
- **Initial Access:** Trojanized applications on the official Google Play Store.
- **Persistence:** Storing payloads on the system partition (survives factory resets), replacing the system crash handler, and installing recovery scripts.
- **Privilege Escalation:** Exploitation of 22 different vulnerabilities (patched between 2016 and 2021) to obtain a root shell.
- **Defense Evasion:** 15 validation checks for emulators, VPNs, and debuggers; use of steganography (hiding APKs in PNG files); wiping intermediate files after execution; disabling SELinux.
- **Credential Access:** Extraction of WhatsApp Signal protocol keys and account identifiers.
- **Discovery:** Polling device info (kernel version, patch level, root status) to select the appropriate exploit.
- **Lateral Movement:** Injecting code into every newly launched application on the device.
- **Collection:** Gathering WhatsApp databases and messaging session metadata.
- **Exfiltration:** Data sent to C2 server via modules running within internet-enabled apps.
- **Impact:** Disabling fundamental Android security (SELinux), silent installation/removal of apps, and session hijacking.
## Impact Assessment
- **Financial:** Unknown; potential for financial theft via cloned messaging sessions and secondary app installations.
- **Data Breach:** Compromise of WhatsApp messages and metadata for 2.3 million users.
- **Operational:** System-level compromise; malware persists even after factory reset.
- **Reputational:** Degradation of trust in the Google Play Store environment.
## Indicators of Compromise
- **File indicators:**
  - `enc.apk` (Encrypted payload)
  - `h.apk` (Decrypted payload)
  - `com.facebook.utils` (Maliciously modified package)
  - `libandroid_runtime.so` / `libmedia_jni.so` (Modified/Hooked versions)
- **Behavioral indicators:**
  - Device reboots every 60 seconds if rootkit components are tampered with.
  - Polling of C2 server on a 60-second interval.
## Response Actions
- **Containment:** Google removed the malicious publisher accounts and apps from the Play Store.
- **Eradication:** Detection signatures updated in McAfee and Play Protect.
- **Recovery:** Users advised to upgrade to devices/firmware with security patches post-May 2021.
## Lessons Learned
- **SDK Mimicry:** Attackers are increasingly blending malicious code with popular third-party SDKs (such as the Facebook SDK) to bypass automated scans.
- **Persistence Maturity:** Modern mobile malware has evolved to reside in the system partition, making standard user remediation (factory reset) ineffective.
- **Patch Gaps:** A significant portion of the Android user base remains on hardware that is no longer receiving security updates, providing a large attack surface for old exploits.
## Recommendations
- **Device Management:** Phase out and replace Android devices that are no longer receiving security updates (specifically those with patch levels older than June 2021).
- **App Governance:** Limit app installations to trusted developers and minimize the number of utility apps (cleaners, flashlights) which are high-risk categories.
- **Monitoring:** Implement mobile threat defense (MTD) solutions that check for system library integrity and root status changes.
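A defender-side triage check for the monitoring recommendation above, added here as an example and not code from McAfee, Google or any MTD product. It assumes the analyst has already captured `getprop`, `getenforce` and `sha256sum` output from a device over adb and has firmware-baseline hashes for the two hooked libraries; the sample captures and baseline hashes below are constructed.

```python
import re
from datetime import date

# Thresholds and indicators taken from this report (patch cutoff, hooked libraries).
PATCH_CUTOFF = date(2021, 6, 1)
WATCHED_LIBS = ("libandroid_runtime.so", "libmedia_jni.so")

def parse_getprop(text):
    """Parse `getprop` lines of the form `[name]: [value]` into a dict."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]\s*$", text, re.M))

def parse_sha256sum(text):
    """Parse `sha256sum` lines (`<hex>  <path>`) into {basename: hex}."""
    hashes = {}
    for line in text.splitlines():
        digest, sep, path = line.strip().partition("  ")
        if sep:
            hashes[path.rsplit("/", 1)[-1]] = digest
    return hashes

def triage(getprop_text, getenforce_text, sha_text, baseline):
    """Return a list of findings; an empty list means none of the checked indicators fired."""
    props = parse_getprop(getprop_text)
    findings = []
    level = props.get("ro.build.version.security_patch", "")
    try:
        if date.fromisoformat(level) < PATCH_CUTOFF:
            findings.append(f"security patch level {level} is older than June 2021")
    except ValueError:
        findings.append("security patch level missing or unparsable")
    mode = getenforce_text.strip()
    if mode != "Enforcing":  # NoVoice disables SELinux; anything but Enforcing is suspect
        findings.append(f"SELinux is {mode or 'unknown'}, expected Enforcing")
    hashes = parse_sha256sum(sha_text)
    for lib in WATCHED_LIBS:
        if hashes.get(lib) != baseline.get(lib):
            findings.append(f"{lib} hash does not match firmware baseline")
    return findings

# Constructed sample captures from a hypothetical device (placeholder hashes, not real IoCs).
SAMPLE_GETPROP = "[ro.build.version.release]: [10]\n[ro.build.version.security_patch]: [2020-08-05]\n"
SAMPLE_GETENFORCE = "Permissive\n"
SAMPLE_SHA = ("1111aaaa  /system/lib64/libandroid_runtime.so\n"
              "2222bbbb  /system/lib64/libmedia_jni.so\n")
BASELINE = {"libandroid_runtime.so": "9999ffff", "libmedia_jni.so": "2222bbbb"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_GETPROP, SAMPLE_GETENFORCE, SAMPLE_SHA, BASELINE):
        print("FINDING:", finding)
```

On the constructed sample the script reports three findings (old patch level, SELinux permissive, modified `libandroid_runtime.so`); `libmedia_jni.so` matches its baseline and is not flagged.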