- McAfee discovers NoVoice malware hidden in over 50 Google Play apps with 2.3 million downloads
- Malware exploits old Android kernel and GPU flaws and persists even after factory reset
- Injects code into apps like WhatsApp to hijack sessions; Google removed apps but infected devices remain compromised
Millions of Android devices have been infected with malware spying on their WhatsApp chats that even a factory reset could not erase, experts have warned.
McAfee researchers have released a detailed report on NoVoice, a new Android malware variant found in more than 50 apps hosted on the Google Play Store, downloaded more than 2.3 million times in total.
Usually, Google does a pretty good job of stopping criminals from introducing malware onto the platform, but every now and then something manages to slip through.
Cloning WhatsApp sessions
This time it was a group of around 50 apps that worked as expected and didn’t require excessive permissions, like accessibility, which are the usual red flags. The apps spanned different categories, including utility apps, image galleries, and games.
Instead of tricking users into sharing broad permissions, the apps attempted to exploit nearly two dozen different vulnerabilities, including use-after-free kernel bugs and Mali GPU driver flaws, all of which were patched between 2016 and 2021.
This means that the attackers were looking for older devices that their owners were not updating or maintaining.
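For defenders, the practical question is which devices in a fleet are still old enough to be exposed. The sketch below is an added example, not code from the article or from McAfee: it parses `adb shell getprop` output and flags devices by their `ro.build.version.security_patch` value. The device names, the sample dumps, and the 2022-01-01 cutoff are assumptions (the article only says the flaws were patched between 2016 and 2021).

```python
import re
from datetime import date

# Assumption: the article only says the exploited flaws were patched
# "between 2016 and 2021", so any patch level from 2022 onward is treated
# as covering all of them. Adjust if the vendor report gives exact bulletins.
CUTOFF = date(2022, 1, 1)

# getprop prints one property per line as "[key]: [value]".
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]:\s*\[(?P<value>[^\]]*)\]\s*$")

def parse_getprop(text):
    """Turn raw `getprop` output into a dict of property name -> value."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m["key"]] = m["value"]
    return props

def assess(props, cutoff=CUTOFF):
    """Classify one device as 'exposed', 'patched' or 'unknown'."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        level = date.fromisoformat(raw)
    except ValueError:
        # Missing or malformed: very old builds do not report a patch
        # level at all, so this bucket needs manual review, not a pass.
        return "unknown"
    return "exposed" if level < cutoff else "patched"

def audit(dumps):
    """Map device name -> classification for a set of getprop dumps."""
    return {name: assess(parse_getprop(text)) for name, text in dumps.items()}

# Constructed sample input (not real devices).
SAMPLE_DUMPS = {
    "tablet-01": "[ro.build.version.release]: [8.1.0]\n"
                 "[ro.build.version.security_patch]: [2018-08-05]\n",
    "phone-02": "[ro.build.version.release]: [14]\n"
                "[ro.build.version.security_patch]: [2024-03-01]\n",
    "phone-03": "[ro.build.version.release]: [5.1]\n",
}

if __name__ == "__main__":
    for device, status in audit(SAMPLE_DUMPS).items():
        print(f"{device}: {status}")
```

The result describes exposure to the patched flaws, not whether a device is already infected.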
The malware would first collect device information from infected Android devices, such as hardware details, kernel version, and Android version. After that, it would receive further instructions, including a strategy for operating the second stage.
Two things stand out: how it establishes persistence and what it does afterward. Among other things, the malware installs recovery scripts that override the system crash handler and store rescue payloads on the system partition. This way, when a user performs a factory reset, the malware persists.
After establishing persistence, it injects malicious code into every application launched on the device. McAfee singled out WhatsApp as a target, saying the malware extracts sensitive data needed to replicate the victim’s session, allowing attackers to clone the victim’s WhatsApp account onto their own device.
Google says it has removed all malicious apps, but until users do the same on their devices, they will remain compromised.




