{"id":231943,"date":"2026-04-01T14:07:00","date_gmt":"2026-04-01T18:07:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/01\/novoice-android-malware-on-google-play-infected-2-3-million-devices\/"},"modified":"2026-04-06T19:15:20","modified_gmt":"2026-04-06T23:15:20","slug":"novoice-android-malware-on-google-play-infected-2-3-million-devices","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/01\/novoice-android-malware-on-google-play-infected-2-3-million-devices\/","title":{"rendered":"‘NoVoice’ Android malware on Google Play infected 2.3 million devices"},"content":{"rendered":"

‘NoVoice’ Android malware on Google Play infected 2.3 million devices<\/a><\/p>\n

https:\/\/www.bleepingcomputer.com\/news\/security\/novoice-android-malware-on-google-play-infected-23-million-devices\/<\/a><\/p>\n

Publish Date: 2026-04-01 14:07:00<\/a><\/p>\n

Source Domain: www.bleepingcomputer.com<\/a><\/p>\n

\n

A new Android malware dubbed NoVoice exploited known vulnerabilities to gain root access and has been distributed through more than 50 apps on Google Play Store, with at least 2.3 million downloads.<\/p>\n

The apps carrying the malicious payload included cleaners, image galleries, and games. They\u00a0required no suspicious permissions and provided the promised functionality.<\/p>\n

After launching an infected app, the malware tried to obtain root access on the device by exploiting\u00a0old Android vulnerabilities that received patches\u00a0between 2016 and 2021.<\/p>\n

\"Wiz\"<\/p>\n

Researchers at cybersecurity company McAfee discovered the NoVoice operation but could not link it to a specific threat actor. However, they highlighted that the malware shared similarities with the\u00a0Triada Android trojan.<\/p>\n

\"AppApp on Google Play carrying the NoVoice payload<\/strong>
Source: McAfee<\/p>\n

NoVoice infection chain<\/h3>\n

According to McAfee researchers, the threat actor concealed malicious components in the\u00a0com.facebook.utils package, mixing them with the legitimate Facebook SDK classes.<\/p>\n

An encrypted payload (enc.apk) hidden inside a PNG image file using steganography is extracted (h.apk) and loaded in system memory\u00a0while wiping all intermediate files to eliminate traces.<\/p>\n

McAfee notes that the threat actor avoids infecting devices in certain regions,\u00a0like Beijing and Shenzhen in China, and implemented 15 checks for emulators, debuggers, and VPNs. If location permissions are not available, the malware continues the infection chain.<\/p>\n

\"ValidationValidation checks performed on the infected device<\/strong>
Source: McAfee<\/p>\n

The malware then contacts the command-and-control (C2) server and collects device information such as hardware details, kernel version, Android version (and patch level), installed apps, and root status, to determine the exploit strategy.<\/p>\n

Next, the malware polls the C2 every 60 seconds and downloads various components for device-specific exploits designed to root the victim system.<\/p>\n

The researchers created a map…<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

‘NoVoice’ Android malware on Google Play infected 2.3 million devices https:\/\/www.bleepingcomputer.com\/news\/security\/novoice-android-malware-on-google-play-infected-23-million-devices\/ Publish Date: 2026-04-01 14:07:00…<\/p>\n","protected":false},"author":1,"featured_media":231944,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.bleepstatic.com\/content\/hl-images\/2026\/03\/10\/android.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,32,25,34],"class_list":["post-231943","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-malware","tag-phishing","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/231943"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=231943"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/231943\/revisions"}],"predecessor-version":[{"id":231945,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/231943\/revisions\/231945"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/231944"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=231943"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=231943"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=231943"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}