Security experts at McAfee have uncovered a new piece of Android malware named NoVoice on Google Play. This malware was embedded within over 50 different Android apps and has been downloaded more than 2.3 million times.
How the malware disguises itself
The NoVoice malware was concealed in apps that posed as cleaners, photo galleries, or games, according to the US IT security news portal BleepingComputer. These apps did not request any particularly suspicious permissions during their installation, making them appear harmless while still providing the expected functionality.
Full control over infected Android devices
Once an infected app is opened, the malware tries to gain root access on the Android device by exploiting old Android security vulnerabilities that were patched between 2016 and 2021. It then contacts a command-and-control (C2) server and transmits data about the infected device (hardware, kernel, Android version, installed apps, and root status) so that an effective attack strategy can be chosen.
The malware proceeds to download additional components to execute a targeted attack on the compromised device. The attacker leverages 22 distinct vulnerabilities to circumvent the device’s security systems and ultimately obtain root privileges.
After gaining root access, crucial system libraries like libandroid_runtime.so and libmedia_jni.so are replaced with altered wrappers that intercept system calls and reroute execution to the malicious code, as reported by BleepingComputer.
It survives even a reset
McAfee explains that the malware can endure a device reset: “In some cases, the infection can survive a normal factory reset, as the malicious components modify parts of the system software that are not usually replaced during such a reset.” The attackers inject code they control into every app launched on the device, with WhatsApp being a primary target.
Security experts have not yet identified the creators behind the malware; however, researchers have noted similarities to the Android Trojan Triada, which has previously caused numerous infections.
The best protection: install all security updates
Google has now removed the infected apps from Google Play. Nevertheless, if the apps were already installed, the device remains compromised.
There is, however, an effective safeguard: As NoVoice exploits security vulnerabilities patched by May 2021, upgrading to a device with a newer security patch mitigates this threat. It is crucial to update your Android device to the latest software version, or replace it if an update is not possible.
We recommend replacing any phone that has been left unprotected by security updates for an extended period, and we have recommendations for the best phones and best budget phones we’ve tested.
McAfee adds: “To completely remove the infection, the device’s firmware may need to be reinstalled, which is not something most users can easily do themselves.”
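The May 2021 patch-level advice above can be checked mechanically. The script below is an added example, not part of the original article or of McAfee's analysis; the 2021-05-01 cutoff, the function names and the sample inventory are assumptions made for illustration, while `ro.build.version.security_patch` is the standard Android property that holds the patch level.

```shell
#!/bin/sh
# Added example (not from the article): triage devices by security patch level.
# Assumption: the article's "May 2021" cutoff is taken as 2021-05-01.
CUTOFF="2021-05-01"

# classify_patch_level LEVEL -> prints "patched", "exposed" or "unknown".
classify_patch_level() {
    level=$(printf '%s' "$1" | tr -d '\r ')   # adb output can end in CR
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;        # empty or malformed value
    esac
    # ISO dates order correctly as integers once the hyphens are dropped.
    have=$(printf '%s' "$level" | tr -d '-')
    need=$(printf '%s' "$CUTOFF" | tr -d '-')
    if [ "$have" -ge "$need" ]; then echo "patched"; else echo "exposed"; fi
}

# triage_inventory: reads "serial patch_level" lines on stdin and prints
# "serial status" for each; a missing level is reported as unknown.
triage_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        printf '%s %s\n' "$serial" "$(classify_patch_level "$level")"
    done
}

# device_patch_level SERIAL: read the value from a connected device.
# Needs adb on PATH and USB debugging enabled; not called in the demo below.
device_patch_level() {
    adb -s "$1" shell getprop ro.build.version.security_patch
}

# Constructed inventory: serials and dates are made up for illustration.
sample_inventory() {
    cat <<'EOF'
EXAMPLE0001 2019-08-05
EXAMPLE0002 2021-05-01
EXAMPLE0003 2024-11-05
EXAMPLE0004
EOF
}

sample_inventory | triage_inventory
```

A "patched" result only means the root exploits described in this campaign should not apply; it does not show that a device which already ran one of the infected apps is clean.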
These Android devices are safe
Android devices running a current version of Android with all available security updates installed are considered safe. McAfee states: “On older or unpatched Android devices, the malware can install an extremely persistent infection that may even survive a standard factory reset. Although newer Android devices with up-to-date security measures are not vulnerable to the root exploit observed in this campaign, they may still be exposed to other types of malicious activity via these apps.”
You can read McAfee’s detailed analysis to find out more.
How to protect yourself
Only install apps from Google Play, and never from other app stores (although that wouldn’t have helped in this case). Enable Google Play Protect and install a virus scanner.
Before downloading any app, check its permissions, the number of downloads, and read the reviews on Google Play. Always install all Android security updates as soon as they’re available.
This article originally appeared on our sister publication PC-WELT and was translated and adapted from German.

