NoVoice Android malware steals WhatsApp data via Google Play apps

A new Android malware, dubbed NoVoice, was discovered hidden within over 50 applications on Google Play, accumulating at least 2.3 million downloads. These apps, including cleaners, image galleries, and games, deceptively required minimal permissions and offered their advertised functionality. After launching, the malware attempted to gain root access by exploiting older Android vulnerabilities patched between 2016 and 2021, according to Bleeping Computer.

The NoVoice operation, identified by McAfee, concealed malicious components within the com.facebook.utils package, blending them with legitimate Facebook SDK classes. It employed steganography to hide an encrypted payload within a PNG file, which was then extracted and loaded into system memory. The malware avoided devices in specific regions and implemented numerous checks for emulators and VPNs before contacting a command-and-control server to gather device information and download exploits. McAfee observed 22 exploits, including ones for kernel and GPU driver flaws, used to gain root access and disable security features like SELinux. Post-exploitation, it injected code into all launched apps, deploying components for silent app management and data theft, primarily targeting WhatsApp by exfiltrating session data to clone user accounts.

The persistence mechanisms employed by NoVoice, including replacing system libraries and installing recovery scripts, allow it to survive factory resets. This sophisticated rootkit highlights the ongoing challenges in mobile security, even within official app stores. While Google has removed the malicious apps, users who downloaded them should consider their devices compromised. Mitigation involves updating Android devices to versions with recent security patches, ideally post-May 2021, and exclusively downloading apps from trusted publishers to prevent future infections.

Source: Bleeping Computer
