NoVoice Attacks Millions on Google Play with 22 Exploits
A dangerous Android rootkit, dubbed NoVoice, has compromised over 2.3 million devices worldwide after being discovered hidden within more than 50 applications on Google Play. For a comprehensive overview of this threat, including its 22 exploits, a full report is available [link to: `https://ppl-ai-file-upload.s3.amazonaws.
Tracked as Operation NoVoice, the malware uses 22 exploits to take full control of a device without raising any alerts, making it one of the most destructive Android threats uncovered in recent years.
The apps carrying NoVoice looked completely harmless — simple tools like phone cleaners, gallery apps, and casual games. Once opened, each app appeared to work exactly as expected, with no pop-ups, no unusual permission requests, and no visible signs of trouble.
Behind that normal-looking screen, however, the app was already reaching out to a remote server, mapping the device’s hardware and software, and preparing targeted exploits.
McAfee’s mobile research team identified the campaign and noted that the malware’s name comes from a silent audio file — R.raw.novioce — embedded in one of its later-stage payloads.
This file plays at zero volume to keep a background service alive, giving attackers a quiet, persistent foothold. The deliberate misspelling of “no voice” reflects the malware’s design: it works entirely without making a sound.
The reach of this campaign is especially alarming. Over 50 malicious apps were confirmed on Google Play before removal, accumulating at least 2.3 million downloads combined.
Users across multiple continents were affected, with the highest infection rates in Nigeria, Ethiopia, Algeria, India, and Kenya — regions where older, unpatched Android devices are most common.
Following McAfee’s responsible disclosure, Google removed all identified apps and banned the associated developer accounts.
Devices carrying a security patch level of May 1, 2021, or later are not vulnerable to the exploits recovered from the command-and-control server.
However, older devices running Android 7 or lower remain at serious risk, and a standard factory reset will not remove this rootkit.
How the Infection Takes Root and Stays Hidden
Once a user opens a carrier app, the infection begins without further interaction. Malicious code injected into the app’s Facebook SDK initialization path runs silently in the background.
Hidden inside what appears to be a normal image file is an encrypted payload sitting quietly after the image’s end marker — a technique built specifically to pass standard security scans undetected.
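The "payload after the image's end marker" trick works because most image viewers and many scanners stop reading at the JPEG EOI marker or the PNG IEND chunk and ignore whatever follows. A defender can flag such files by walking the image's real structure and measuring how many bytes remain after that marker. The script below is an added example, not McAfee's tooling or code from the campaign; the JPEG and PNG samples inside it are constructed in code and the appended bytes stand in for an encrypted payload. It walks the segment/chunk structure rather than searching for the last `FF D9`, so a payload that itself contains those bytes cannot hide the trailing data.

```python
"""Flag images that carry extra data after their end marker (added example, constructed samples)."""
import struct
import zlib

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def jpeg_trailing(data: bytes) -> int:
    """Return the number of bytes after the JPEG EOI marker (0 when clean).

    The segment table is walked from the front, so the first real EOI is
    found even if the appended payload happens to contain FF D9 itself.
    """
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: everything after it is foreign
            return len(data) - (pos + 2)
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:   # SOI / RSTn carry no length field
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                      # SOS: skip entropy-coded data up to the next marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def png_trailing(data: bytes) -> int:
    """Return the number of bytes after the PNG IEND chunk (0 when clean)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                   # header + body + CRC
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("no IEND chunk found")


def trailing_bytes(data: bytes) -> int:
    """Dispatch on the file signature and report the foreign byte count."""
    if data.startswith(JPEG_SOI):
        return jpeg_trailing(data)
    if data.startswith(PNG_SIG):
        return png_trailing(data)
    raise ValueError("unsupported image type")


# --- constructed samples (not real files from the campaign) -----------------
def minimal_jpeg() -> bytes:
    """SOI, a tiny APP0 segment, an SOS header, two scan bytes, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 4) + b"JF"
    sos = b"\xff\xda" + struct.pack(">H", 4) + b"\x01\x00"
    return JPEG_SOI + app0 + sos + b"\x12\x34" + JPEG_EOI


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def minimal_png() -> bytes:
    """Signature, a 1x1 IHDR chunk and IEND; no image data is needed for the check."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IEND", b"")


if __name__ == "__main__":
    fake_payload = b"\x00" * 16 + b"\xff\xd9"   # stands in for an encrypted blob
    for name, blob in [("clean.jpg", minimal_jpeg()),
                       ("stuffed.jpg", minimal_jpeg() + fake_payload),
                       ("clean.png", minimal_png()),
                       ("stuffed.png", minimal_png() + fake_payload)]:
        print(f"{name}: {trailing_bytes(blob)} trailing bytes")
```

Run over an APK's unpacked `res/` and `assets/` directories, any image with a non-zero result deserves a closer look; ordinary tooling never appends data past EOI or IEND, so even a small count is a strong signal.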

Before proceeding further, the malware runs 15 verification checks covering emulator detection, GPS geofencing, VPN use, and debugger activity.

15 validation checks before proceeding to the next stage (Source – McAfee)
Devices physically located inside Beijing and Shenzhen are excluded from the attack. If all checks pass, the malware contacts the C2 server and downloads root exploits matched to that specific device’s chipset and kernel version.
A total of 22 exploits were recovered, with one executing a three-stage kernel attack using an IPv6 use-after-free flaw, a Mali GPU driver vulnerability, and credential patching to fully disable Android’s SELinux protections.

Once root access is achieved, the rootkit replaces a core system library — libandroid_runtime.so — so that every app on the device runs attacker-controlled code at launch.
A watchdog process then checks the installation every 60 seconds and automatically reinstalls any removed components.
The only confirmed theft payload recovered was designed to clone WhatsApp sessions by extracting encryption keys and session data, though the framework is built to accept and execute any task at any time.
Users who suspect infection should perform a full firmware reflash, as a factory reset will not remove this rootkit from the system partition.
Keeping devices updated to at least the May 1, 2021, Android security patch level reduces exposure to the known exploits used in this campaign. Blocking known C2 domains at the network level can disrupt the infection chain at multiple stages.
Users should download apps only from trusted, well-reviewed developers and stay cautious with utility and gaming applications.
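Two of the facts above translate directly into triage checks: a device's security patch level (the page's May 1, 2021 cut-off, and the Android 7-or-lower population it calls out) and the integrity of the system library the rootkit replaces, which the watchdog restores every 60 seconds. The script below is an added example written for this page, not McAfee's or Google's tooling. It assumes the build properties `ro.build.version.security_patch` and `ro.build.version.release` (standard Android properties, as read with `getprop`) and a baseline of known-good SHA-256 hashes for system libraries that an analyst captured from a clean firmware image; the hashes and the extra library name in the sample are constructed placeholders, not indicators from the campaign.

```python
"""Device triage helpers for the NoVoice indicators described above (added example)."""
import hashlib
from datetime import date

# Patch level stated in the report as the line below which the recovered exploits apply.
MIN_PATCH_LEVEL = date(2021, 5, 1)
# The report singles out Android 7 or lower as remaining at serious risk.
LEGACY_ANDROID_MAJOR = 7


def assess_build(props: dict) -> dict:
    """Evaluate build properties (as returned by `getprop`) against the report's thresholds."""
    patch = date.fromisoformat(props["ro.build.version.security_patch"])   # YYYY-MM-DD
    major = int(props["ro.build.version.release"].split(".")[0])
    patched = patch >= MIN_PATCH_LEVEL
    return {
        "patch_level_ok": patched,
        "legacy_android": major <= LEGACY_ANDROID_MAJOR,
        "exposed_to_known_exploits": not patched,
    }


def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Diff current file contents against known-good hashes.

    baseline: path -> expected sha256 hex digest (from a clean firmware image)
    current:  path -> bytes read from the device under examination
    """
    modified = [p for p, h in baseline.items() if p in current and sha256_hex(current[p]) != h]
    missing = [p for p in baseline if p not in current]
    unexpected = [p for p in current if p not in baseline]
    return {"modified": sorted(modified), "missing": sorted(missing), "unexpected": sorted(unexpected)}


def reappeared(after_removal: dict, later: dict) -> list:
    """Paths absent in one snapshot but present in a later one.

    The report describes a watchdog that reinstalls removed components every
    60 seconds, so a file that comes back on its own is itself a signal.
    """
    return sorted(p for p in later if p not in after_removal)


# --- constructed sample data (placeholders, not real indicators) ---------------
CLEAN_RUNTIME = b"constructed stand-in for a clean libandroid_runtime.so"
TAMPERED_RUNTIME = b"constructed stand-in for a replaced libandroid_runtime.so"

BASELINE = {"/system/lib64/libandroid_runtime.so": sha256_hex(CLEAN_RUNTIME)}
SUSPECT_DEVICE = {
    "/system/lib64/libandroid_runtime.so": TAMPERED_RUNTIME,
    "/system/lib64/hypothetical_extra.so": b"placeholder component",   # name is constructed
}
OLD_BUILD = {"ro.build.version.security_patch": "2020-11-01", "ro.build.version.release": "7.1.2"}
NEW_BUILD = {"ro.build.version.security_patch": "2021-05-01", "ro.build.version.release": "11"}

if __name__ == "__main__":
    print(assess_build(OLD_BUILD))
    print(assess_build(NEW_BUILD))
    print(compare_to_baseline(BASELINE, SUSPECT_DEVICE))
    after = {}                                   # analyst deleted the extra component
    later = {"/system/lib64/hypothetical_extra.so": b"placeholder component"}
    print(reappeared(after, later))
```

A modified or reappearing system library on a device that also fails the patch-level check is exactly the situation the report says a factory reset cannot fix; the appropriate response is the firmware reflash recommended above, not deleting individual files.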
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.