PROBABLYPWNED
Malware | April 3, 2026 | 5 min read

NoVoice Rootkit Infected 2.3M Android Devices via Play

McAfee discovered NoVoice malware hiding in 50+ Google Play apps, using 22 exploits to root devices and clone WhatsApp sessions. Factory reset won't remove it.

James Rivera

A rootkit called NoVoice lurked in more than 50 Google Play applications, infecting approximately 2.3 million Android devices before McAfee identified and reported it. The malware exploited vulnerabilities patched years ago to gain root access, replace system libraries, and persist through factory resets.

Google has removed the malicious applications, but users on older Android versions face a more complicated cleanup process.

How NoVoice Spread

The infected apps masqueraded as everyday utilities: cleaners, image galleries, and games. They delivered promised functionality and requested no suspicious permissions—the standard signs security-conscious users look for were absent.

McAfee found the malicious payload concealed within the com.facebook.utils package, mixing malicious code with legitimate Facebook SDK classes. An encrypted payload (enc.apk) hid inside a PNG image using steganography, extracted at runtime and loaded into memory while intermediate files were deleted to cover tracks.
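As an added defender-side illustration (not McAfee's or the article's own code), the following scanner checks image resources for the carrier trick described above: it walks a PNG's chunk list and flags a large, high-entropy blob appended after the IEND chunk. The article does not state how NoVoice embedded enc.apk in the PNG, so "appended after IEND" is an assumed common variant; the sample PNG and the stand-in payload are constructed inline.

```python
import math
import struct
import zlib
from collections import Counter
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_trailing_data(data: bytes) -> Optional[bytes]:
    """Walk the chunk list and return whatever follows IEND; None if not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # length field + type + body + CRC
        if chunk_end > len(data):
            return None                            # truncated chunk: not a clean PNG
        if ctype == b"IEND":
            return data[chunk_end:]
        pos = chunk_end
    return None                                    # no IEND found

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 for encrypted or compressed data, low for padding/metadata."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def assess_png(data: bytes, min_trailer: int = 256, min_entropy: float = 7.0) -> dict:
    """Flag a PNG that carries a large, high-entropy (encrypted-looking) blob after IEND."""
    trailer = png_trailing_data(data) or b""
    ent = shannon_entropy(trailer)
    return {"trailer_bytes": len(trailer), "entropy": round(ent, 2),
            "suspicious": len(trailer) >= min_trailer and ent >= min_entropy}

# Constructed sample input: a valid 1x1 PNG, optionally with bytes appended after IEND.
def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample_png(trailer: bytes = b"") -> bytes:
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB, no interlace
    idat = zlib.compress(b"\x00\x00\x00\x00")               # filter byte + one black pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer

HIGH_ENTROPY_BLOB = bytes(range(256)) * 16                 # 4 KiB stand-in for an encrypted payload

if __name__ == "__main__":
    print("clean image:  ", assess_png(build_sample_png()))
    print("carrier image:", assess_png(build_sample_png(HIGH_ENTROPY_BLOB)))
```

Trailing bytes alone are not proof, since some tools append small metadata after IEND, which is why the verdict also requires the trailer to be large and high-entropy; a hit is a triage lead for the unpacked APK's resources, not a conviction.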

This distribution method mirrors other Play Store infiltration campaigns we've covered, where legitimate-looking apps serve as trojan horses for deeper system compromise.

Exploitation Technique

NoVoice deployed 22 exploits targeting vulnerabilities patched between 2016 and 2021, including:

  • Use-after-free kernel bugs
  • Mali GPU driver flaws
  • Various privilege escalation vulnerabilities

These aren't zero-days—they're years-old bugs that unpatched devices remain vulnerable to. Once any exploit succeeded, NoVoice disabled SELinux enforcement, eliminating Android's fundamental security layer.

The attackers implemented 15 validation checks to avoid analysis environments: emulators, debuggers, and VPN connections all triggered termination. Interestingly, devices in Beijing and Shenzhen were also excluded—possibly to avoid attracting attention from Chinese authorities.

Persistence That Survives Factory Reset

After rooting a device, NoVoice established multi-layered persistence:

  1. Recovery script installation - Malware reinstalls during recovery boot
  2. System crash handler replacement - The rootkit loader executes whenever the system crashes
  3. System partition storage - Fallback payloads stored where factory reset doesn't touch
  4. Watchdog daemon - Integrity verification runs every 60 seconds

The system partition persistence is particularly nasty. Standard factory resets only wipe user data, leaving the system partition intact. Users thinking they've cleaned their device find the infection returns after setup.

WhatsApp Credential Theft

Post-exploitation, NoVoice injected code into every launched application. The primary target: WhatsApp.

The malware extracted:

  • Encryption databases
  • Signal protocol keys
  • Phone numbers
  • Google Drive backup details

With this data, attackers can clone victims' WhatsApp sessions on their own devices—reading messages, viewing contacts, and potentially impersonating the victim. Given WhatsApp's ubiquity for personal and business communication, the impact extends beyond the infected device.

This capability aligns with the session hijacking trend dominating credential theft operations. Attackers increasingly target session tokens rather than passwords because they bypass multi-factor authentication entirely.

Command and Control

NoVoice contacted C2 servers every 60 seconds, transmitting:

  • Hardware details
  • Kernel version
  • Android version and patch level
  • Installed applications
  • Root status

This reconnaissance helped attackers determine which exploits to deploy based on the device's specific configuration. The continuous check-in also enabled real-time command execution for additional payload delivery.

Google's Response

Google removed the malicious applications from Play Store and enabled Google Play Protect to block installations. According to Google: "Devices updated since May 2021 are protected from NoVoice as exploited vulnerabilities have been addressed years ago."

That statement highlights the core problem: millions of Android devices never receive security updates. Manufacturers stop supporting older models, carriers delay patches, and users don't know updates are available. NoVoice specifically targeted this vulnerable population.

What Affected Users Should Do

For devices running Android with May 2021 or newer security patches, standard removal procedures should work. For older devices:

  1. Check your security patch level - Settings > About Phone > Android Security Patch Level
  2. If patch level is before May 2021 - Consider the device compromised beyond simple factory reset
  3. Full firmware flash - Only a complete firmware reinstall from the manufacturer will remove system partition infections
  4. Consider device replacement - If manufacturer support has ended, the device cannot be properly secured
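The steps above can be scripted for a fleet or a help desk. This added example (not from the article or McAfee) reads the security patch level and SELinux mode over adb and maps them onto the remediation steps; the May 2021 cutoff comes from Google's statement quoted below, while treating a permissive SELinux mode as grounds for a full flash is this example's own assumption, based on the article's note that NoVoice disables SELinux enforcement.

```python
import subprocess
from datetime import date
from typing import Optional

# Cutoff taken from Google's statement quoted in the article: patch level May 2021 or later.
CUTOFF = date(2021, 5, 1)

def parse_patch_level(value: Optional[str]) -> Optional[date]:
    """Parse ro.build.version.security_patch ('YYYY-MM-DD'); None if absent or garbled."""
    try:
        y, m, d = (int(x) for x in value.strip().split("-"))
        return date(y, m, d)
    except (AttributeError, ValueError):
        return None

def triage(patch_level: Optional[str], selinux: Optional[str]) -> dict:
    """Map the two device readings onto the remediation steps listed above."""
    patched = parse_patch_level(patch_level)
    # NoVoice disables SELinux enforcement; a production device should report 'Enforcing'.
    enforcing = (selinux or "").strip().lower() == "enforcing"
    exploitable = patched is None or patched < CUTOFF   # unknown level is treated as unpatched
    if exploitable:
        action = "full_firmware_flash"   # factory reset leaves the system partition intact
    else:
        action = "standard_removal"      # uninstall the app, run a Play Protect scan
    if not enforcing:
        action = "full_firmware_flash"   # assumption: permissive SELinux on a phone is a compromise indicator
    return {"patch_level": patched.isoformat() if patched else None,
            "exploitable": exploitable, "selinux_enforcing": enforcing, "action": action}

def adb_shell(cmd: str) -> Optional[str]:
    """Run a command on the attached device via adb; None if adb is unavailable or fails."""
    try:
        out = subprocess.run(["adb", "shell", cmd], capture_output=True, text=True, timeout=15)
        return out.stdout if out.returncode == 0 else None
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None

if __name__ == "__main__":
    print(triage(adb_shell("getprop ro.build.version.security_patch"), adb_shell("getenforce")))
```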

For guidance on securing mobile devices, review our online safety tips, though the most effective defense against NoVoice-style attacks is keeping devices updated.

The Android Fragmentation Problem

NoVoice's success stems directly from Android's fragmentation problem. Unlike iOS, where Apple controls both hardware and software, Android security depends on a chain of vendors:

Google patches AOSP. Chipset vendors integrate patches. Manufacturers customize and release updates. Carriers test and distribute. At each step, delays accumulate, and many devices fall off the update train entirely.

The exploits NoVoice used were patched at the AOSP level five years ago. That those patches never reached millions of devices—devices still receiving app updates through Play Store—is a systemic failure the Android ecosystem hasn't solved.

Why This Matters

2.3 million infected devices represent significant scale, but the technical sophistication is the real concern. NoVoice demonstrates that motivated threat actors can build highly persistent mobile malware using nothing but known vulnerabilities.

The WhatsApp targeting adds a commercial dimension—cloned sessions have obvious value for fraud, espionage, and account takeover. Organizations allowing WhatsApp for business communications should consider the implications of session theft from employee devices.

Mobile malware continues evolving while mobile security lags behind. NoVoice won't be the last rootkit to exploit this gap.
