McAfee’s security experts have recently uncovered a new Android malware called NoVoice on Google Play. This malware was hidden within more than 50 different Android apps and has been downloaded at least 2.3 million times.
How the malware disguises itself
The NoVoice malware was concealed within apps posing as cleaners, photo galleries, or games, as revealed by the US IT security news portal BleepingComputer. These apps do not request any suspicious permissions during installation, blending in seamlessly while delivering their promised functionalities.
Full control over infected Android devices
Upon launching the infected app, the malware seeks to gain root access on the Android device by exploiting outdated security vulnerabilities from 2016 to 2021. It then communicates with a command-and-control server (C2) to share device data such as hardware details, Android version, installed apps, and root status, enabling the formulation of an attack strategy.
Subsequently, the malware downloads additional components to execute targeted attacks on the compromised Android device. By leveraging 22 different vulnerabilities, the attacker circumvents the device’s security mechanisms to ultimately acquire root privileges.
After rooting the device, critical system libraries like libandroid_runtime.so and libmedia_jni.so are replaced with manipulated wrappers that intercept system calls and redirect execution to the attack code, according to BleepingComputer.
It survives even a reset
Remarkably, the malware can persist even after a device reset, as explained by McAfee: “In some instances, the infection can endure a standard factory reset, as the malicious components alter parts of the system software not typically reset.” It injects attacker-controlled code into every app launched on the device, with WhatsApp being a primary target.
While the creators of the malware remain unidentified, researchers note similarities to the Android Trojan Triada, known for previous infections.
The best protection: install all security updates
Google has removed the infected apps from Google Play. However, devices that already downloaded these apps remain infected.
Fortunately, NoVoice targets security vulnerabilities that were patched by May 2021, so upgrading to a device with a newer security patch mitigates this threat. Ensure you update your Android device to the latest software version or replace it if necessary.
It is recommended to replace any phone that has not received security updates for an extended period.
McAfee advises: “To completely eliminate the infection, the device’s firmware may require reinstallation, a task not easily performed by most users.”
These Android devices are safe
Android devices running current Android versions with all security updates installed are considered safe. McAfee emphasizes that older or unpatched devices may succumb to a persistent infection surviving a standard factory reset. While newer devices with updated security measures are immune to the root exploit in this campaign, they could still face other malicious activities via these apps.
For further details, refer to McAfee’s comprehensive analysis.
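A way to check a device, or an inventory of devices, against the May 2021 patch cutoff described above, as an added example that is not from the article, McAfee or Google. It reads Android's `ro.build.version.security_patch` property over adb; treating any May 2021 patch level as sufficient is an assumption, and the function names and sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from McAfee or Google): compare Android security patch
# levels with the May 2021 cutoff the article gives for the NoVoice exploits.
CUTOFF=202105   # YYYYMM; month granularity is an assumption of this example

# classify_patch_level <YYYY-MM-DD>  ->  prints patched | exposed | unknown
classify_patch_level() {
    level=$1
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;   # empty or malformed value
    esac
    year=${level%%-*}
    rest=${level#*-}
    month=${rest%%-*}
    if [ "$year$month" -ge "$CUTOFF" ]; then
        echo patched
    else
        echo exposed
    fi
}

# device_patch_level: read the value from a device attached over adb.
device_patch_level() {
    adb shell getprop ro.build.version.security_patch | tr -d '\r'
}

# audit_inventory: reads "<device-id> <patch-level>" lines on stdin, prints a
# verdict per device, returns 1 if any device is exposed or unknown.
audit_inventory() {
    rc=0
    while read -r id level; do
        [ -n "$id" ] || continue
        verdict=$(classify_patch_level "$level")
        echo "$id $verdict"
        [ "$verdict" = patched ] || rc=1
    done
    return "$rc"
}

# Constructed sample inventory (device ids and dates are made up).
sample_inventory() {
    cat <<'EOF'
tablet-01 2019-08-01
phone-02 2021-05-05
phone-03 2024-11-01
kiosk-04
EOF
}

# Usage: sample_inventory | audit_inventory
#        classify_patch_level "$(device_patch_level)"
```

A "patched" verdict only means the root exploits in this campaign should not apply; it does not show that a device is clean, and a device infected before it was updated may still need its firmware reinstalled.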
How to protect yourself
Install apps only from Google Play, enable Google Play Protect, and install a reliable virus scanner.
Prior to downloading any app, review its permissions, download count, and Google Play reviews. Timely installation of all Android security updates is crucial.
This article was originally featured on our affiliate publication PC-WELT and has been translated and adapted from German.