‘NoVoice’ Android malware on Google Play infected 2.3 million devices

https://www.bleepingcomputer.com/news/security/novoice-android-malware-on-google-play-infected-23-million-devices/

Publish Date: 2026-04-01 14:07:00

Source Domain: www.bleepingcomputer.com

A new Android malware dubbed NoVoice exploits known vulnerabilities to gain root access and was distributed through more than 50 apps on the Google Play Store, with at least 2.3 million downloads.

The apps carrying the malicious payload included cleaners, image galleries, and games. They required no suspicious permissions and provided the promised functionality.

Once an infected app was launched, the malware tried to obtain root access on the device by exploiting old Android vulnerabilities that were patched between 2016 and 2021.

Researchers at cybersecurity company McAfee discovered the NoVoice operation but could not link it to a specific threat actor. However, they highlighted that the malware shared similarities with the Triada Android trojan.

App on Google Play carrying the NoVoice payload
Source: McAfee

NoVoice infection chain

According to McAfee researchers, the threat actor concealed malicious components in the com.facebook.utils package, mixing them with the legitimate Facebook SDK classes.

An encrypted payload (enc.apk), hidden inside a PNG image file using steganography, is extracted as h.apk and loaded into memory, and all intermediate files are wiped to eliminate traces.
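A payload hidden in an image is the kind of artifact a static scanner of an APK's assets can flag: a well-formed PNG ends at its IEND chunk, and an appended or out-of-spec blob of encrypted data stands out by position and by entropy. The following is an added example, not McAfee's tooling or anything from the article; it walks a PNG's chunk list, reports unknown chunk types, CRC mismatches and high-entropy data after IEND, and tests itself on a constructed 1x1 image with a constructed stand-in blob appended.

```python
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KNOWN_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA",  # chunk types
                b"iCCP", b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD",  # defined by
                b"hIST", b"pHYs", b"sPLT", b"tIME"}                              # the PNG spec

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(b) for b in set(data)]
    return -sum(c / n * math.log2(c / n) for c in counts)

def scan_png(blob: bytes) -> dict:
    """Walk the chunk list and report unknown chunks, CRC errors and data after IEND."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    report = {"unknown_chunks": [], "bad_crc": [], "trailing_bytes": 0, "trailing_entropy": 0.0}
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        if pos + 12 + length > len(blob):
            break  # truncated chunk; the remainder is reported as trailing data
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) != crc:
            report["bad_crc"].append(ctype.decode("latin-1"))
        if ctype not in KNOWN_CHUNKS:
            report["unknown_chunks"].append((ctype.decode("latin-1"), length))
        pos += 12 + length
        if ctype == b"IEND":
            break  # a well-formed image ends here; anything after is suspicious
    trailing = blob[pos:]
    report["trailing_bytes"] = len(trailing)
    report["trailing_entropy"] = round(shannon_entropy(trailing), 3)
    return report

def make_chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def constructed_sample(with_payload: bool = True) -> bytes:
    """Constructed 1x1 greyscale PNG; optionally appends a stand-in 'encrypted' blob (not malware)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    png = PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + make_chunk(b"IEND", b"")
    payload = bytes((i * 131 + 17) % 256 for i in range(4096))  # constructed: each byte value 16 times, entropy 8.0
    return png + payload if with_payload else png
```

Run against every PNG unpacked from an APK; a clean image reports zero trailing bytes, while thousands of trailing bytes at near 8.0 bits per byte warrant pulling the file for analysis.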

McAfee notes that the threat actor avoids infecting devices in certain regions, such as Beijing and Shenzhen in China, and implements 15 checks for emulators, debuggers, and VPNs. If location permissions are not available, the malware continues the infection chain anyway.

Validation checks performed on the infected device
Source: McAfee

The malware then contacts the command-and-control (C2) server and collects device information such as hardware details, kernel version, Android version (and patch level), installed apps, and root status, to determine the exploit strategy.

Next, the malware polls the C2 every 60 seconds and downloads various components for device-specific exploits designed to root the victim system.

The researchers created a map…