Apr 27, 2026 · Updated 03:10 AM UTC

NoVoice Android malware infects 2.3 million devices via Google Play apps

A malicious Android campaign dubbed NoVoice used over 50 Google Play apps to distribute rootkits capable of cloning WhatsApp sessions.

Ryan Torres



A massive Android malware operation known as 'NoVoice' has infected at least 2.3 million devices through more than 50 legitimate-looking applications on the Google Play Store, according to a report by BleepingComputer.

The campaign used a range of apps, including image galleries, cleaners, and games, to deliver its payload. According to the report, these apps delivered their advertised functionality and requested no suspicious permissions, so nothing in the install experience gave users a reason to be suspicious.

Researchers at cybersecurity firm McAfee discovered the operation. While they could not link the attack to a specific threat actor, they noted the malware shares characteristics with the known Triada Android trojan.

Deep system compromise

The malware uses a multi-stage infection chain to take control of a device. It hides its malicious classes inside the 'com.facebook.utils' package, alongside legitimate Facebook SDK classes, so that they blend in with code a reviewer would expect to find there. The attackers also use steganography to hide an encrypted payload inside a PNG image file shipped with the app.
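The article does not say how NoVoice embeds the payload in the PNG or which cipher it uses, so the following is an added illustration of the technique rather than the malware's own code. It assumes a hypothetical dropper that stores the encrypted payload in a private ancillary chunk named 'stEg' (a constructed name) and encrypts it with a repeating-key XOR stream standing in for the real cipher; the sample image, payload and key are all constructed inline. The analyst-side part is the useful half: a PNG chunk walker that flags non-standard or private chunks, bad CRCs and bytes appended after IEND, and an extractor that only accepts decrypted output if it starts with ELF or DEX magic.

```python
"""Carve and decrypt a payload hidden in a PNG (added example; not NoVoice's code)."""
import struct
import zlib
from typing import Iterator, List, Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
HIDDEN_CHUNK = b"stEg"  # hypothetical private chunk type used by the constructed dropper
# Chunk types defined by the PNG spec; anything else inside a "cover" image deserves a look.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB", b"iCCP",
    b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT", b"hIST", b"tIME",
}
# Magic bytes of the two payload formats a dropper would execute on Android.
PAYLOAD_MAGIC = (b"\x7fELF", b"dex\n")

# Constructed sample data for the demonstration below.
SAMPLE_KEY = b"n0v0ic3-demo-key"
SAMPLE_PAYLOAD = b"\x7fELF\x02\x01\x01" + b"constructed stand-in for the dropped native stage"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, a symmetric stand-in for whatever cipher the real sample uses."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_cover_png(payload: Optional[bytes] = None, key: bytes = b"\x00") -> bytes:
    """Constructed 1x1 RGB PNG; optionally carries the encrypted payload in HIDDEN_CHUNK."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit depth, colour type RGB
    scanline = b"\x00\xff\x00\x00"                        # filter byte 0 + one red pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(scanline))
    if payload is not None:
        png += _chunk(HIDDEN_CHUNK, xor_stream(payload, key))
    return png + _chunk(b"IEND", b"")


def iter_chunks(png: bytes) -> Iterator[Tuple[bytes, bytes, bool]]:
    """Yield (type, data, crc_ok) per chunk; bytes after IEND come back with type b'' (overlay)."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(png):                      # length field runs past EOF: truncated/bogus chunk
            yield ctype, png[pos + 8:], False
            return
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[end - 4:end])
        yield ctype, data, (zlib.crc32(ctype + data) & 0xFFFFFFFF) == crc
        pos = end
        if ctype == b"IEND":
            break
    if pos < len(png):
        yield b"", png[pos:], False


def triage(png: bytes) -> List[str]:
    """Findings an analyst wants before attempting any decryption."""
    findings = []
    for ctype, data, crc_ok in iter_chunks(png):
        if ctype == b"":
            findings.append("%d bytes appended after IEND" % len(data))
            continue
        name = ctype.decode("latin-1")
        private = bool(ctype[1] & 0x20)         # lowercase second letter marks a private chunk
        if ctype not in KNOWN_CHUNKS or private:
            findings.append("non-standard chunk %s (%d bytes)" % (name, len(data)))
        if not crc_ok:
            findings.append("bad CRC on chunk %s" % name)
    return findings


def extract_payload(png: bytes, key: bytes) -> Optional[bytes]:
    """Decrypt the hidden chunk or overlay; accept it only if it looks like ELF or DEX."""
    for ctype, data, _ in iter_chunks(png):
        if ctype in (HIDDEN_CHUNK, b""):
            plain = xor_stream(data, key)
            if plain.startswith(PAYLOAD_MAGIC):
                return plain
    return None


if __name__ == "__main__":
    sample = build_cover_png(SAMPLE_PAYLOAD, SAMPLE_KEY)
    print(triage(sample))
    print(extract_payload(sample, SAMPLE_KEY)[:4])
```

The magic-byte check matters in practice: a wrong key or a benign custom chunk still decrypts to bytes, and only the format check tells the analyst whether the result is a stage worth loading into a disassembler. Real droppers may instead spread the payload across pixel data or append it after IEND; the overlay case is handled, the pixel-level case is not.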

Once running, NoVoice attempts to gain root access by exploiting Android vulnerabilities that were patched between 2016 and 2021. McAfee researchers observed 22 different exploits in use, including flaws in the Arm Mali GPU driver and use-after-free bugs in the kernel. Devices on a security patch level newer than those fixes are not exposed to this stage.

Once root access is achieved, the malware sets SELinux to permissive and replaces critical system libraries, such as libandroid_runtime.so, with hooked wrappers. The wrappers intercept calls into those libraries and redirect execution to the attacker's code, which gives the malware a foothold in every process that loads them.

The malware is designed for extreme persistence. It installs recovery scripts and replaces the system crash handler with a rootkit loader. Because parts of the malware are written to the system partition, and a factory reset only wipes the user data partition, the infection survives a factory reset.

A watchdog daemon runs every 60 seconds to ensure the rootkit's integrity. If the daemon detects that components have been tampered with, it forces the device to reboot to reload the rootkit.

To avoid detection, the malware performs 15 different checks for emulators, VPNs, and debuggers. The threat actors also specifically avoid infecting devices located in certain regions, such as Shenzhen and Beijing in China.

The primary goal of the post-exploitation phase is data theft, specifically targeting WhatsApp. The malware injects code into every app launched on the device and monitors any app with internet access.

When a user opens WhatsApp, the malware extracts encryption databases, Signal protocol keys, and account identifiers like phone numbers and Google Drive backup details. This allows attackers to replicate the victim's WhatsApp session on their own hardware.
