NoVoice is a new Android threat found in over 50 Google Play apps with at least 2.3 million installs. It uses steganography and a suite of exploits to obtain root and install a persistent rootkit, then injects into apps to steal sensitive data, most notably WhatsApp encryption keys and backups, allowing attackers to clone accounts.
Key points
- More than 50 apps on Google Play, including cleaners, galleries, and games, carried the NoVoice payload and were downloaded at least 2.3 million times.
- NoVoice hides malicious components in the com.facebook.utils package, extracts an encrypted payload from a PNG using steganography, and loads it into memory while removing traces.
- The malware attempts to gain root by chaining up to 22 exploits (for vulnerabilities patched between 2016 and 2021), disabling SELinux and replacing core libraries to intercept system calls.
- Persistent rootkit mechanisms survive factory resets by installing recovery scripts, replacing crash handlers, storing payloads on the system partition, and running a watchdog daemon every 60 seconds.
- Post-exploitation code injects into any app with internet access to exfiltrate data; McAfee observed WhatsApp session data, Signal keys, and backup information being stolen to enable account cloning.