This dangerous Android malware could be undeletable on older phones — check your settings right now

We’ve always been told that as long as we stick to the Google Play Store and avoid sideloading, our Android phones are safe. However, a sophisticated new malware campaign has just shattered that sense of security.

As reported by BleepingComputer, researchers at the cybersecurity firm McAfee have discovered 50 malicious apps that hid in plain sight on Google's official store, racking up 2.3 million downloads while quietly infecting devices with a dangerous new Android malware strain.

Just like in previous malware campaigns, these bad apps posed as system cleaners, mobile games and other utilities. When opened, the apps in question worked as intended and, to avoid suspicion, didn’t request access to unnecessary permissions; requests like that are typically a major red flag that an app is malicious.

Android users who installed and used these apps didn’t get the sense that anything was off, but in the background, that couldn’t be further from the truth. You see, after contacting a hacker-controlled server, the apps profile the devices they are installed on to look for exploitable weaknesses. If any are found, the new NoVoice Android malware then seizes complete and total control over an infected device, essentially turning it into a hacker’s plaything.

Here’s everything you need to know about this new malware and why it’s one of the most dangerous strains I’ve seen yet, along with some tips and tricks to help keep you and your Android smartphone safe from hackers.

A factory-reset proof infection

With most malware, performing a factory reset on one of the best Android phones should do the trick. However, with NoVoice, that won’t work because the malware burrows into the one area a system wipe can't touch.

To do so, NoVoice establishes root access by exploiting older vulnerabilities that have since been patched. Since many people don’t update their phones as often as they should — or own older devices that no longer receive security updates — the malware is able to use this to its advantage.

After being installed via one of those 50 malicious apps, the malware collects a wide variety of device information such as hardware details, the phone’s current Android version and patch level, a list of installed apps, and root status. With this info in hand, NoVoice then reaches out to a command and control (C2) server operated by the hackers. It does this every 60 seconds; in addition to sharing info on an infected device, the malware also downloads device-specific exploits used to seize root access.

According to a blog post from McAfee, its security researchers observed 22 different exploits being used by NoVoice. By exploiting known vulnerabilities, the malware is able to bypass Android’s built-in security protections and establish several layers of persistence. NoVoice even rewrites an infected device’s core system libraries to ensure that even if a victim performs a full wipe by factory resetting their phone, the malware remains installed.

NoVoice’s creators have gone to great lengths to maintain control over infected Android phones. For instance, a watchdog daemon checks the rootkit’s integrity every 60 seconds. If part of the malware has been removed, the missing components are automatically reinstalled. If the malware can't repair itself, it forces the infected device to reboot, which triggers a fresh infection from scratch.

So far, this new malware has primarily been used to target Android users in Africa, though it’s also been deployed against users in India, the U.S., and Europe. McAfee says a main reason for this is that budget devices running older versions of Android are more common in those regions. However, any Android user running an outdated security patch is squarely in its crosshairs.

The hackers behind NoVoice have primarily used the malware to target WhatsApp. When the messaging app is launched on an infected device, NoVoice extracts sensitive data to clone a victim’s WhatsApp session. This allows hackers to effectively hijack a victim’s digital identity and message their contacts in real time.

Given the modular nature of NoVoice though, the malware could easily be reconfigured to target banking apps or any other app running on an infected device.

How to stay safe from the NoVoice malware

Fortunately, all 50 malicious apps used to spread NoVoice have been removed from the Google Play Store. However, if any of them are already on your phone, you will need to manually uninstall them. While that would normally be enough to keep you safe, the multiple levels of persistence used by this malware mean that simply deleting one of these bad apps isn't a guaranteed fix.

To see if your Android phone is at risk, you should immediately check your security patch level. This can be found by going to Settings > About Phone > Software Information. If your device’s security patch is dated before May 1, 2021, it is vulnerable to the exact exploits NoVoice uses to gain root access.
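The same patch-level check, scripted for several devices at once over adb. This is an added example, not code from the article or from McAfee; it assumes `adb` is installed with USB debugging authorised, reads the standard `ro.build.version.security_patch` property, and uses a constructed sample dump.

```shell
#!/bin/sh
# Added example: flag devices whose patch level predates the article's cutoff.
CUTOFF="2021-05-01"   # "May 1, 2021", from the article

# Pull the patch level out of `adb shell getprop` output, whose lines look
# like: [ro.build.version.security_patch]: [2020-12-05]
patch_from_getprop() {
    tr -d '\r' |
        sed -n 's/^\[ro\.build\.version\.security_patch]: \[\(.*\)]$/\1/p' |
        head -n 1
}

# Print at-risk, patched or unknown for a YYYY-MM-DD patch level.
classify_patch() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    # Fixed-width ISO dates compare correctly as integers without the dashes.
    lv=$(printf '%s' "$1" | sed 's/-//g')
    co=$(printf '%s' "$CUTOFF" | sed 's/-//g')
    if [ "$lv" -lt "$co" ]; then echo at-risk; else echo patched; fi
}

# Read one getprop dump on stdin; print "<patch level> <verdict>".
audit_dump() {
    found=$(patch_from_getprop)
    printf '%s %s\n' "${found:-missing}" "$(classify_patch "$found")"
}

# Live use: check every authorised device attached over adb.
audit_connected() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        printf '%s ' "$serial"
        # adb reads stdin, so detach it to keep the serial list intact.
        adb -s "$serial" shell getprop < /dev/null | audit_dump
    done
}

# Constructed sample dump (not from a real device).
SAMPLE='[ro.product.model]: [Example A1]
[ro.build.version.release]: [10]
[ro.build.version.security_patch]: [2020-12-05]'
printf '%s\n' "$SAMPLE" | audit_dump
```

Call `audit_connected` instead of the sample line to check attached devices; an `unknown` verdict means the property was absent or not in `YYYY-MM-DD` form and the device needs a manual look.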

Since a standard factory reset won’t clear this infection, your only technical option is to "reflash" your phone with its official factory firmware. This process completely replaces the corrupted system files with a clean copy, but it also wipes all of your data and can be difficult for less experienced users. If your current phone is no longer receiving Android updates and security patches, the safest move is likely to start over with a brand-new Android device.

While the full list of all 50 malicious apps hasn't been released, you can still check your device for signs of infection. Open Google Play Protect, which comes pre-installed on most Android phones, and run a manual scan immediately.

In an email to Tom's Guide, a Google spokesperson provided further insight into how NoVoice really only affects older Android smartphones, saying:

"Android addressed the vulnerabilities this malware relies on in security updates years ago, so if your device has been updated since May 2021, it's been protected. As an added layer of defense, Google Play Protect automatically removes these apps and blocks new installs. Users should always install the latest security updates available for their device."

Going forward, you need to be extremely selective about the apps you install. Stick to trusted developers, check ratings, and always read reviews before hitting download. In addition to keeping Google Play Protect enabled, you may also want to run one of the best Android antivirus apps alongside it for an extra layer of defense.

NoVoice marks a significant shift in the Android malware landscape, and we may see other attackers emulate its 'reset-proof' design in the future. Until then, the best defense is to keep your device updated — and if your phone is too old to receive critical security patches, it may finally be time for an upgrade.



Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 
