'This rootkit is highly persistent; a standard factory reset will not remove it': "NoVoice" Android malware on Google Play infects 50 apps across 2.3 million devices, here's what we know
"NoVoice" Android malware persists even after a factory reset
- McAfee uncovers NoVoice malware hidden in 50+ Google Play apps with 2.3 million downloads
- Malware exploits old Android kernel and GPU flaws, persists even after factory reset
- Injects code into apps like WhatsApp to hijack sessions; Google has removed apps but infected devices remain compromised
Millions of Android devices were infected with malware that spied on their WhatsApp chats and that even a factory reset would not wipe, experts have warned.
Researchers at McAfee have published an in-depth report on NoVoice, a new Android malware variant found in more than 50 apps hosted on the Google Play store, downloaded more than 2.3 million times combined.
Usually, Google is quite good at preventing criminals from smuggling malware onto the platform, but every now and then, something makes it through.
Cloning WhatsApp sessions
This time around, it was a group of around 50 apps that worked as intended and did not require excessive permissions, such as Accessibility, which are the usual red flags. These apps were built in different categories, including utility apps, image galleries, and games.
Instead of tricking users into sharing broad permissions, the apps tried to leverage almost two dozen different vulnerabilities, including use-after-free kernel bugs and Mali GPU driver flaws, all of which were patched between 2016 and 2021.
That means that the attackers were going for older devices that their owners don’t update or otherwise maintain.
The malware would first collect device information from infected Androids, such as hardware details, kernel version, and Android version. After that, it would receive further instructions, including a stage-two exploit strategy.
Two things stand out: the way it establishes persistence, and what it does afterwards. Among other things, the malware installs recovery scripts that replace the system crash handler and store fallback payloads on the system partition. That way, when a user does a factory reset, the malware still persists.
After establishing persistence, it injects malicious code into every app launched on the device. McAfee singled out WhatsApp, saying that the malware pulls sensitive data needed to replicate the victim’s session, thus allowing the attackers to clone the victim’s WhatsApp account on their own device.
Google says it has now removed all of the malicious apps, but until users do the same on their devices, they will remain compromised.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.