NoVoice Android Malware Targets 2.3 Million Users to Steal WhatsApp Data
- Cybersecurity researchers at McAfee have uncovered a large-scale Android malware campaign known as Operation NoVoice.
- The infected applications were disguised as common utility tools, including image galleries, cleaners, and games.
- The NoVoice operation utilizes a sophisticated infection chain to gain deep access to the Android operating system.
Cybersecurity researchers at McAfee have uncovered a large-scale Android malware campaign known as Operation NoVoice. The malware was distributed through more than 50 applications on the Google Play Store, resulting in at least 2.3 million downloads.
The infected applications were disguised as common utility tools, including image galleries, cleaners, and games. These apps provided the functionality they promised and did not request any suspicious permissions, allowing them to bypass standard user scrutiny and detection mechanisms.
Technical Execution and Infection Chain
The NoVoice operation utilizes a sophisticated infection chain to gain deep access to the Android operating system. According to McAfee, the threat actors concealed malicious components within the com.facebook.utils package, blending them with legitimate Facebook SDK classes to avoid detection.
The malware employs steganography to hide an encrypted payload, referred to as enc.apk, inside a PNG image file. Once extracted as h.apk, the payload is loaded directly into the system memory. The malware then wipes all intermediate files to eliminate traces of its activity on the device.
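The following scanner is an added, defender-side example (not McAfee's code and not taken from the campaign): it walks a PNG's chunk stream and flags high-entropy data appended after the IEND chunk, chunk types outside the PNG specification, and chunks whose CRC does not match. It assumes the hidden file is appended after IEND or stored in a private chunk, which are common ways of hiding a payload in a PNG; the article does not say which embedding method NoVoice uses, so treat the check as a triage heuristic. The 1x1 sample image and the appended bytes are constructed inline.

```python
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec; anything else deserves a look.
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB", b"iCCP",
                   b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT", b"hIST", b"tIME"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def scan_png(blob: bytes) -> dict:
    """Walk the chunk stream and report anomalies that suggest an embedded payload."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    findings = {"trailing_bytes": 0, "trailing_entropy": 0.0, "odd_chunks": [], "bad_crc": []}
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        body, crc = blob[pos + 8:pos + 8 + length], blob[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc) < 4:
            break  # truncated chunk: stop here, the rest is treated as trailing data
        if struct.pack(">I", zlib.crc32(ctype + body)) != crc:
            findings["bad_crc"].append(ctype.decode("latin-1"))
        if ctype not in STANDARD_CHUNKS:
            findings["odd_chunks"].append(ctype.decode("latin-1"))
        pos += 12 + length
        if ctype == b"IEND":
            break  # a well-formed image ends here; anything after it is foreign
    trailing = blob[pos:]
    findings["trailing_bytes"] = len(trailing)
    findings["trailing_entropy"] = round(shannon_entropy(trailing), 2)
    return findings

def is_suspicious(findings: dict) -> bool:
    """High-entropy bytes after IEND, or unknown/corrupt chunks, warrant closer inspection."""
    return ((findings["trailing_bytes"] > 64 and findings["trailing_entropy"] > 7.0)
            or bool(findings["odd_chunks"]) or bool(findings["bad_crc"]))

def build_minimal_png() -> bytes:
    """Constructed 1x1 grey PNG used as the clean sample (not an image from the campaign)."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, bit depth, colour type, ...
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(b"\x00\x80")) + chunk(b"IEND", b"")
```

Running `scan_png` over an image with a few kilobytes of ciphertext glued after IEND reports the trailing byte count and an entropy near 8.0, which is the signal `is_suspicious` keys on; a clean image reports zero trailing bytes.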
To ensure the success of the infection, the malware performs 15 different checks to determine if it is running on an emulator, a debugger, or through a VPN. It also avoids infecting devices located in specific regions, such as Shenzhen and Beijing in China. If location permissions are unavailable, the malware proceeds with the infection chain regardless.
Exploiting Vulnerabilities for Root Access
Once active, NoVoice attempts to obtain root access—the highest level of administrative privilege on an Android device. It achieves this by exploiting known vulnerabilities that were patched by Google between 2016 and 2021. This targeting strategy suggests that devices running outdated Android versions or those that have missed critical security updates are most at risk.

The malware communicates with a command-and-control (C2) server to transmit detailed device information. Collected data includes the kernel version, Android version and patch level, hardware details, a list of installed applications, and the current root status. This information is used by the attackers to determine the most effective exploit strategy for that specific device.
Impact and Data Targeting
A primary objective of the NoVoice malware is the theft of WhatsApp data. By gaining root access, the malware can bypass the standard application sandboxing that normally prevents apps from accessing each other’s private data.
McAfee researchers noted that NoVoice shares similarities with the Triada Android trojan. While the specific threat actor behind Operation NoVoice has not been identified, the scale of the campaign highlights a persistent vulnerability in the Android ecosystem where legacy exploits remain effective against a significant number of active devices.
Summary of Operation NoVoice
- Distribution: Over 50 apps on the Google Play Store, including games and cleaners.
- Reach: At least 2.3 million downloads.
- Method: Steganography in PNG files and concealment within Facebook SDK classes.
- Target: Root access via vulnerabilities patched between 2016 and 2021.
- Objective: Collection of device metadata and theft of WhatsApp data.
