Android Malware Infects Over 2.3 Million Devices – Is Yours One?

Security experts at McAfee have discovered a new piece of Android malware called NoVoice on Google Play. The malware was hidden within over 50 different Android apps and has been downloaded at least 2.3 million times.

How the malware disguises itself

The apps in which NoVoice was hidden disguise themselves as cleaners, photo galleries or games, as reported by the US IT security news portal BleepingComputer. The apps don’t request any particularly suspicious permissions during installation, making them inconspicuous, especially as they deliver the promised functionality.

Full control over infected Android devices

Once the infected app is launched, the malware attempts to gain root access on the Android device by exploiting old Android security vulnerabilities for which patches were released between 2016 and 2021. The malware then contacts the command-and-control server (C2) and sends it data about the infected Android device – hardware, kernel, Android version, installed apps and root status – in order to determine the correct attack strategy.

The malware then downloads further components to enable a targeted attack on the affected Android device. The attacker exploits 22 different vulnerabilities to bypass the Android device’s security mechanisms and ultimately gain root privileges.

After rooting the device, important system libraries such as libandroid_runtime.so and libmedia_jni.so are replaced by manipulated wrappers that intercept system calls and redirect execution to the attack code, as BleepingComputer reports.

It survives even a reset

The malware could even survive a device reset, as McAfee explains: “In some cases, the infection can survive a normal factory reset, as the malicious components modify parts of the system software that are not usually replaced during such a reset.” It injects code controlled by attackers into every app launched on the device. WhatsApp is said to be a primary target.

Security experts have not yet been able to identify who’s behind the malware. However, the researchers highlight similarities to the Android Trojan Triada, which has already been responsible for infections on several occasions.

The best protection: install all security updates

Google has now removed the infected apps from Google Play. However, if you’ve already installed the apps, your device remains infected.

There is, however, a good safeguard: as NoVoice targets security vulnerabilities that were patched by May 2021, this threat in its current form is effectively mitigated by upgrading to a device with a newer security patch. You should therefore ensure you update your Android device to the latest software version or replace it if you can’t.

We’d advise replacing any phone that hasn’t been protected by security updates for that long, and we have recommendations for the best phones and best budget phones we’ve tested.

McAfee adds: “To completely remove the infection, the device’s firmware may need to be reinstalled, which is not something most users can easily do themselves”.

These Android devices are safe

Android devices running a current version of Android with all available security updates installed should therefore be safe. McAfee writes: “On older or unpatched Android devices, the malware can install an extremely persistent infection that may even survive a standard factory reset. Although newer Android devices with up-to-date security measures are not vulnerable to the root exploit observed in this campaign, they may still be exposed to other types of malicious activity via these apps.”

You can read McAfee‘s detailed analysis to find out more.

How to protect yourself

Only install apps from Google Play, and never from other app stores (although that wouldn’t have helped in this case). Enable Google Play Protect and install a virus scanner.

Before downloading any app, check its permissions, the number of downloads, and read the reviews on Google Play. Always install all Android security updates as soon as they’re available.

More on Android: