A new Android malware called NoVoice has been discovered on Google Play. The malware was hidden inside over 50 apps, many of which appeared normal and worked as expected, but together they infected over 2.3 million devices.
According to researchers at McAfee, the infected apps included cleaners, gallery apps, and simple games. These apps did not ask for suspicious permissions, which made them harder to detect.
Once installed, the malware quietly starts its operation in the background. It attempts to gain root access by exploiting older Android vulnerabilities. These flaws were patched between 2016 and 2021, which means devices that are not updated remain at risk.
The malicious code is hidden in a package that looks like part of Facebook’s software, making it appear legitimate. It also uses a technique called steganography, where harmful files are hidden inside image files to avoid detection. After extracting its payload, the malware removes traces of its activity and loads itself into system memory.

NoVoice includes several checks to avoid being detected. It can identify if it is running on emulators, under debugging, or behind a VPN. It also avoids infecting devices in certain regions.
Once active, it connects to a remote server and sends device information such as Android version, hardware details
The malware uses multiple exploits to gain full control of the device. Researchers observed at least 22 different exploits being used. After gaining root access, it disables key security protections and modifies system files. It replaces important libraries with malicious versions, allowing it to control how the system behaves. It also installs itself deeply into the system, making it very hard to remove. Even a factory reset may not fully clean the device, as parts of the malware can survive.
One of the main targets of NoVoice is WhatsApp. The malware can extract sensitive data such as encryption keys, account details, and backup information. This data is sent to the attacker’s server, allowing them to clone the victim’s WhatsApp account on another device. This can lead to serious privacy and security risks.
Google has removed the infected apps from the Play Store after being notified. However, users who had already installed them may still be at risk. Security experts recommend updating your device to the latest Android version with recent security patches. Devices running outdated software are more vulnerable to such attacks. Users are also advised to install apps only from trusted developers and avoid unknown or low-quality apps, even if they are available on official platforms.
This incident clearly shows that users can no longer assume apps are safe just because they are listed on Google Play. Malware like NoVoice uses advanced techniques to hide, exploit old vulnerabilities, and survive even after a reset. I have seen a growing pattern where attackers target low-quality utility apps like cleaners and galleries because users install them without much thought. This is exactly where things go wrong.
If you are using an Android device, keeping it updated is no longer optional. Devices running old security patches are easy targets. I would also strongly suggest avoiding unnecessary apps, sticking to trusted developers, and paying attention to what you install. In today’s scenario, a single careless install is enough to compromise your entire device and personal data.
For the technical details, you can read the full technical analysis here.







