Widespread NoVoice Android rootkit campaign with 2.3M downloads abuses steganography and patchable flaws
Summary
A widespread Android malware campaign named NoVoice infected at least 2.3 million devices via 50+ Google Play apps masquerading as cleaners, galleries, and games. The malware exploited older, patched Android vulnerabilities (2016–2021) to achieve root access, including use-after-free kernel issues and Mali GPU driver flaws, before disabling SELinux and replacing system libraries with rootkits. Post-exploitation, the attackers injected code into running apps, primarily targeting WhatsApp to extract encryption databases, Signal protocol keys, and account identifiers for session hijacking. Persistence mechanisms ensure survival across factory resets, and the campaign avoided specific Chinese regions while evading detection via emulator, debugger, and VPN checks.
Timeline
- 01.04.2026 21:07 (1 article)
NoVoice Android rootkit campaign with WhatsApp session hijacking hits 2.3 million devices via Google Play
A rootkit-based Android malware campaign named NoVoice infected over 2.3 million devices through 50+ Google Play apps, including cleaners, galleries, and games. The malware exploited patched Android vulnerabilities (2016–2021) to gain root access, disable SELinux, and replace system libraries with rootkits that persist across factory resets. Initial payloads were concealed via PNG steganography and injected into running apps, primarily targeting WhatsApp to extract encryption databases, Signal protocol keys, and account identifiers for session cloning. Malicious apps were removed from Google Play after reporting by McAfee, but users with active infections should assume device and data compromise.
- 'NoVoice' Android malware on Google Play infected 2.3 million devices — www.bleepingcomputer.com — 01.04.2026 21:07
Information Snippets
- Malware named NoVoice was distributed through 50+ Google Play apps with over 2.3 million total downloads.
  First reported: 01.04.2026 21:07 (1 source, 1 article)
  - 'NoVoice' Android malware on Google Play infected 2.3 million devices — www.bleepingcomputer.com — 01.04.2026 21:07
- Infected apps included cleaners, image galleries, and games, requiring no overtly suspicious permissions.
  First reported: 01.04.2026 21:07 (1 source, 1 article)
  - 'NoVoice' Android malware on Google Play infected 2.3 million devices — www.bleepingcomputer.com — 01.04.2026 21:07
- Exploited vulnerabilities patched between 2016 and 2021, including use-after-free kernel bugs and Mali GPU driver flaws.
  First reported: 01.04.2026 21:07 (1 source, 1 article)
  - 'NoVoice' Android malware on Google Play infected 2.3 million devices — www.bleepingcomputer.com — 01.04.2026 21:07
- Malware concealed malicious components within the com.facebook.utils package, intermingling with legitimate Facebook SDK code.
  First reported: 01.04.2026 21:07 (1 source, 1 article)
  - 'NoVoice' Android malware on Google Play infected 2.3 million devices — www.bleepingcomputer.com — 01.04.2026 21:07
- Initial payload delivered via PNG image steganography, extracting an encrypted APK (enc.apk → h.apk) loaded in memory and deleting intermediate files.
  First reported: 01.04.2026 21:07 (1 source, 1 article)
  - 'NoVoice' Android malware on Google Play infected 2.3 million devices — www.bleepingcomputer.com — 01.04.2026 21:07
- C2 communication occurs every 60 seconds to fetch device-specific exploit components based on collected hardware, kernel, Android version, and patch level.
  First reported: 01.04.2026 21:07 (1 source, 1 article)
  - 'NoVoice' Android malware on Google Play infected 2.3 million devices — www.bleepingcomputer.com — 01.04.2026 21:07
- Post-root, system libraries libandroid_runtime.so and libmedia_jni.so were replaced with hooked wrappers to intercept system calls and redirect execution.
  First reported: 01.04.2026 21:07 (1 source, 1 article)
  - 'NoVoice' Android malware on Google Play infected 2.3 million devices — www.bleepingcomputer.com — 01.04.2026 21:07
- Persistence mechanisms include recovery scripts, replacement of the system crash handler, and fallback payloads stored on the system partition that survive factory resets.
  First reported: 01.04.2026 21:07 (1 source, 1 article)
  - 'NoVoice' Android malware on Google Play infected 2.3 million devices — www.bleepingcomputer.com — 01.04.2026 21:07
- A watchdog daemon checks rootkit integrity every 60 seconds and forces a reboot if compromised, ensuring reload of malicious components.
  First reported: 01.04.2026 21:07 (1 source, 1 article)
  - 'NoVoice' Android malware on Google Play infected 2.3 million devices — www.bleepingcomputer.com — 01.04.2026 21:07
- Post-exploitation code injection targeted WhatsApp to extract encryption databases, Signal protocol keys, phone numbers, and Google Drive backup details for session cloning.
  First reported: 01.04.2026 21:07 (1 source, 1 article)
  - 'NoVoice' Android malware on Google Play infected 2.3 million devices — www.bleepingcomputer.com — 01.04.2026 21:07
- Campaign avoided infection in Beijing and Shenzhen; implemented 15 checks for emulators, debuggers, and VPNs before proceeding.
  First reported: 01.04.2026 21:07 (1 source, 1 article)
  - 'NoVoice' Android malware on Google Play infected 2.3 million devices — www.bleepingcomputer.com — 01.04.2026 21:07
- Malicious apps were removed from Google Play after McAfee, part of the App Defense Alliance, reported them to Google.
  First reported: 01.04.2026 21:07 (1 source, 1 article)
  - 'NoVoice' Android malware on Google Play infected 2.3 million devices — www.bleepingcomputer.com — 01.04.2026 21:07
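
The 60-second C2 polling interval reported in the snippets above gives network defenders a timing signature to hunt for. The following detection sketch is an added example, not code from the cited report; the flow-record format, the placeholder hostnames and the thresholds are all constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed flow records: "<epoch seconds> <device> <destination>".
# Every address and hostname below is a placeholder, not an indicator.
SAMPLE_FLOWS = """\
1000 10.0.0.21 c2.example.invalid
1061 10.0.0.21 c2.example.invalid
1119 10.0.0.21 c2.example.invalid
1180 10.0.0.21 c2.example.invalid
1241 10.0.0.21 c2.example.invalid
1300 10.0.0.21 c2.example.invalid
1005 10.0.0.21 cdn.example.invalid
1012 10.0.0.21 cdn.example.invalid
1400 10.0.0.21 cdn.example.invalid
1410 10.0.0.21 cdn.example.invalid
2950 10.0.0.21 cdn.example.invalid
3000 10.0.0.21 cdn.example.invalid
1000 10.0.0.34 time.example.invalid
4600 10.0.0.34 time.example.invalid
"""

def find_beacons(flow_text, period=60, tolerance=5, min_events=5, min_ratio=0.8):
    """Return [(device, destination, median_gap)] for steady ~period-second contact."""
    seen = defaultdict(list)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # skip malformed records
        seen[(parts[1], parts[2])].append(int(parts[0]))
    hits = []
    for (device, dest), stamps in sorted(seen.items()):
        if len(stamps) < min_events:
            continue  # too few contacts to call the pattern periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Require both a median near the period and most gaps close to it,
        # so bursty traffic with one coincidental 60 s gap is not flagged.
        regular = sum(1 for g in gaps if abs(g - period) <= tolerance)
        median_gap = statistics.median(gaps)
        if abs(median_gap - period) <= tolerance and regular / len(gaps) >= min_ratio:
            hits.append((device, dest, median_gap))
    return hits

if __name__ == "__main__":
    for device, dest, gap in find_beacons(SAMPLE_FLOWS):
        print(f"{device} -> {dest}: steady {gap}s interval")
```

Legitimate services such as push and telemetry clients also poll on fixed timers, so hits from a check like this are leads to triage against known-good destinations, not verdicts.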