NoVoice, the Android rootkit that hid in Google Play apps and could survive a factory reset

Published · 5 min read

Security researchers have uncovered a sophisticated campaign against Android devices that managed to hide inside the official app store. According to the analysis published by McAfee Labs, more than fifty seemingly legitimate applications, from cleaners and photo galleries to games, concealed a set of malicious components that the team named NoVoice and that, together, were downloaded at least 2.3 million times from Google Play. The most disturbing part was not the look of the apps but the aggressiveness and technical level of the malware that activated once they were installed (McAfee report).

The infected applications requested only ordinary permissions and performed the function promised on screen, which made them easy to distribute. After any of these apps was opened, the malicious code ran a sequence of checks to decide whether the device was a viable target: it excluded certain geographic regions (for example, specific areas of China) and performed more than a dozen checks to detect emulators, debugging and VPN connections. When conditions looked favorable, the malware periodically downloaded additional components from a command-and-control server and tried a battery of specific kernel and driver exploits to obtain root privileges; McAfee documented up to 22 different exploits, some based on use-after-free vulnerabilities and Mali GPU driver bugs for which patches had already been published between 2016 and 2021 (Android Security Bulletin, May 2021).


Once root was obtained, NoVoice stopped being merely a malicious app: it replaced critical system libraries with "wrappers" that intercepted calls and redirected execution to attack code. It also installed several persistence mechanisms, such as recovery scripts, a replacement for the system crash handler that acts as a rootkit loader, and backup copies in the system partition. This means the malware can survive even a factory reset, because the partitions that host it are not wiped by that operation. In addition, a watchdog daemon that runs every minute verifies the integrity of the rootkit and, if it detects modifications, forces reboots to reactivate the infection (SELinux documentation on Android).

The delivery vector for the additional components was equally ingenious: the attackers hid an encrypted payload inside a PNG image using steganography; that covert file was extracted in memory as an APK, and all intermediate files were deleted to hinder forensic reconstruction. The malicious package was hidden within the app's namespace in classes whose names resembled Facebook's SDK, which helped camouflage the malicious artifacts among legitimate code (see the technical details at McAfee).
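The following is an added example and not code from McAfee's report or from the malware itself. It shows the kind of structural check a defender can run over image assets shipped in an APK to spot a carrier file like the one described above: it walks the PNG chunk layout and flags bytes appended after the IEND chunk, chunk types the PNG specification does not define, oversized ancillary chunks, CRC mismatches, and ZIP local-file-header magic (an APK is a ZIP archive) inside any chunk or in trailing data. Which of these tricks NoVoice actually used is not stated in the report; the heuristics are assumptions about common steganographic hiding places, and the sample PNGs are constructed inline.

```python
"""Heuristic scanner for PNG files that may carry a hidden payload.

Added example, not McAfee's tooling and not NoVoice's own code. The hiding
techniques checked for (trailing data, unknown chunks, ZIP magic) are
assumptions about common steganography tricks, not details from the report.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # first bytes of a ZIP/APK entry

# Chunk types defined by the PNG spec plus the widely used APNG and eXIf ones.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"cHRM", b"gAMA", b"iCCP", b"sBIT",
    b"sRGB", b"bKGD", b"hIST", b"tRNS", b"pHYs", b"sPLT", b"tIME", b"iTXt",
    b"tEXt", b"zTXt", b"eXIf", b"acTL", b"fcTL", b"fdAT",
}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def build_png_with_hidden_chunk() -> bytes:
    """Constructed sample: same image plus a fake ancillary chunk carrying ZIP magic."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")
    hidden = _chunk(b"daTa", ZIP_LOCAL_HEADER + b"\x00" * 26)
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + hidden + _chunk(b"IEND", b"")


def inspect_png(data: bytes, max_ancillary: int = 64 * 1024) -> list[str]:
    """Return a list of findings; an empty list means nothing looked off."""
    if not data.startswith(PNG_SIGNATURE):
        return ["not a PNG (bad signature)"]
    findings = []
    pos = len(PNG_SIGNATURE)
    seen_iend = False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(data):
            findings.append(f"truncated chunk {ctype!r} at offset {pos}")
            return findings
        body = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[end - 4:end])[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored_crc:
            findings.append(f"CRC mismatch in chunk {ctype!r}")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} ({length} bytes)")
        elif (ctype[0] & 0x20) and length > max_ancillary:
            # Lowercase first letter marks an ancillary chunk; pixel data never lives there.
            findings.append(f"oversized ancillary chunk {ctype!r} ({length} bytes)")
        if ZIP_LOCAL_HEADER in body:
            findings.append(f"ZIP/APK header inside chunk {ctype!r}")
        pos = end
        if ctype == b"IEND":
            seen_iend = True
            break
    if not seen_iend:
        findings.append("no IEND chunk")
    trailing = data[pos:]
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND")
        if ZIP_LOCAL_HEADER in trailing:
            findings.append("ZIP/APK header in trailing data")
    return findings


if __name__ == "__main__":
    samples = (
        ("clean", build_minimal_png()),
        ("hidden chunk", build_png_with_hidden_chunk()),
        ("appended", build_minimal_png() + ZIP_LOCAL_HEADER + b"\x00" * 26),
    )
    for name, sample in samples:
        print(name, inspect_png(sample) or ["no findings"])
```

Run it over every `.png` extracted from an APK's `res/` and `assets/` directories; a clean image yields no findings, while appended or foreign chunks show up immediately. The ZIP-magic check is only a heuristic: a payload that is encrypted before embedding, as the report says NoVoice's was, will not expose the `PK` signature, so the structural findings (trailing bytes, unknown chunks, oversized ancillary chunks) are the ones to rely on.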

With the device in the attackers' hands, NoVoice deployed modules that were injected into any application the user opened. Among the capabilities observed were the silent installation and removal of apps without the owner's interaction, and a component designed to operate inside any app with Internet access in order to extract sensitive data. McAfee documented a clear focus on messaging: when it detected WhatsApp launching, the rootkit exfiltrated the application's databases, the Signal-protocol keys WhatsApp uses and other identifiers that allow a session to be cloned. With these artifacts, attackers can replicate the victim's account on another device and thereby intercept messages and contacts (WhatsApp security information).


The researchers could not attribute the operation to a specific group, although they noted technical similarities with earlier malware families such as Triada, known for its ability to implant itself at the system level on Android devices. NoVoice's modular architecture allows, in theory, the WhatsApp module to be swapped for others targeting different applications or services. For more context on similar threats, see Kaspersky's write-up on Triada (Triada at Kaspersky).

Google removed the identified applications from Google Play after being notified by McAfee, which is a member of the App Defense Alliance, an initiative to strengthen the review of apps within the store. However, the simple fact that these apps reached millions of downloads underlines a real risk: anyone who installed one of the affected applications should assume that their device is compromised. A standard factory reset may not be enough; in many cases it will be necessary to go to the manufacturer to re-flash the firmware or receive specialized support. For users who want to minimize the immediate risk, the measures come down to updating the system to the latest available security patch level and avoiding apps from untrusted sources. Google and other vendors recommend staying on models with active support and applying the monthly security patches that close the vulnerabilities NoVoice exploits (protection tips for Android and about the App Defense Alliance).

If you think your phone could be affected by NoVoice, it is best not to attempt complex operations without guidance: change critical passwords from a clean device, review additional measures such as two-step verification for services like WhatsApp, and contact the manufacturer or a trustworthy repair service to assess a forensic reinstallation of the system. When a threat involves system-level persistence, the only complete guarantee of cleanup is usually to replace or re-flash the firmware with official images. This case is also a reminder that no official store is infallible: caution when installing applications, even from Google Play, and attention to security updates remain the best defenses against increasingly skilled threats.
