2.3 Million Android Users Hit by NoVoice Malware Targeting WhatsApp
Security researchers at McAfee have uncovered a sophisticated Android rootkit campaign, tracked as Operation NoVoice, which has infected at least 2.3 million devices. The malware was distributed through more than 50 applications hosted on the Google Play Store, spanning various categories including games, image galleries, and utility apps.
Unlike many malicious applications that trigger security warnings by requesting excessive permissions—such as Accessibility services—these apps functioned as intended and did not request suspicious permissions, allowing them to bypass standard detection methods and smuggle malicious components onto user devices.
Technical Exploitation and Persistence
NoVoice is characterized by its high level of persistence. The malware exploits known vulnerabilities in old Android kernels and GPU flaws to gain root access to the infected device. Once root access is achieved, the malware can embed itself deeply within the system.
A critical aspect of this threat is that a standard factory reset is insufficient to remove the infection. Because the rootkit operates at a level below the operating system’s standard recovery processes, it remains on the device even after the user attempts to wipe the data and reset the phone to factory settings.
Targeting WhatsApp and Data Theft
The primary objective of the NoVoice malware is the theft of sensitive data, specifically targeting WhatsApp. The malware is designed to inject code into WhatsApp to hijack user sessions and spy on private chats.

To avoid detection by security software and system monitors, the operation concealed its malicious components within the com.facebook.utils package. By blending in with legitimate Facebook-related utility files, the malware was able to operate undetected while stealing data from the messaging platform.
Distribution and Mitigation
The scale of the infection highlights a significant gap in the Google Play Store’s vetting process. The malware reached 2.3 million downloads across more than 50 different apps. These apps were designed to appear benign and perform their stated functions, which helped them remain on the platform long enough to achieve a massive reach.
Google has since removed the identified malicious applications from the Play Store. However, security experts warn that removing the apps from the store does not resolve the issue for users who have already downloaded them. Because the malware gains root access and persists after factory resets, infected devices remain compromised even after the source app is gone.
This campaign underscores the ongoing risk posed by kernel-level vulnerabilities in older Android versions. By targeting these flaws, attackers can bypass the Android security sandbox and gain total control over the device hardware and software, making the removal process exceptionally difficult for the average user.
