
'NoVoice' Android malware on Google Play infected 2.3 million devices

Why This Matters

The discovery of the NoVoice Android malware on Google Play shows that malicious apps still reach mainstream app stores, even when the apps work as advertised and request no suspicious permissions. Because NoVoice gains root by exploiting Android vulnerabilities that were patched between 2016 and 2021, the incident also shows the cost of running devices that no longer receive security updates, and the need for app-store operators to keep monitoring published apps after they pass initial review.

Key Takeaways

A new Android malware named NoVoice was found on Google Play, hidden in more than 50 apps that were downloaded at least 2.3 million times.

The apps carrying the malicious payload included cleaners, image galleries, and games. They requested no suspicious permissions and delivered the functionality they promised.

Once an infected app was launched, the malware attempted to obtain root access on the device by exploiting old Android vulnerabilities, all of which had received patches between 2016 and 2021.

Researchers at cybersecurity company McAfee discovered the NoVoice operation but could not attribute it to a specific threat actor. They did note, however, that the malware shares similarities with the Triada Android trojan.

App on Google Play carrying the NoVoice payload

Source: McAfee

NoVoice infection chain

According to McAfee researchers, the threat actor concealed the malicious components in the com.facebook.utils package, mixing them with the legitimate Facebook SDK classes so that they are easy to overlook during review.

An encrypted payload (enc.apk) is hidden inside a PNG image file using steganography. At runtime it is extracted and decrypted to h.apk and loaded directly into memory, and all intermediate files are wiped to eliminate traces on disk.
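How a payload smuggled inside a PNG can be found during triage, as an added example that is not McAfee's code and not taken from the NoVoice samples. The article does not say which steganographic technique NoVoice uses, so this Python scanner assumes the two low-effort variants an analyst checks first: bytes appended after the IEND chunk, and a private ancillary chunk carrying the blob. It also flags any non-IDAT chunk whose body has ciphertext-like entropy, and verifies chunk CRCs, since hand-edited chunks often carry stale ones. The sample PNG, the chunk name stEg, and the pseudo-random blob standing in for enc.apk are all constructed here for the demonstration.

```python
"""Added example: triage a PNG for a smuggled payload (not NoVoice code)."""
import math
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
HIGH_ENTROPY = 7.0     # bits/byte; encrypted or compressed data sits near 8.0
MIN_SUSPECT_LEN = 256  # ignore small metadata chunks such as tIME or pHYs


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, ~8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sample_payload(n: int = 4096, seed: int = 7) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted enc.apk
    (constructed test data, not a real sample)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one chunk: 4-byte length, 4-byte type, body, CRC32(type+body)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(extra_chunk=None, trailer: bytes = b"") -> bytes:
    """Build a valid 1x1 RGB PNG; optionally hide data in an extra chunk
    (type, body) placed before IEND, or append it after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    scanline = b"\x00" + b"\x00\x00\x00"                 # filter 0 + one pixel
    chunks = [png_chunk(b"IHDR", ihdr), png_chunk(b"IDAT", zlib.compress(scanline))]
    if extra_chunk is not None:
        chunks.append(png_chunk(*extra_chunk))
    chunks.append(png_chunk(b"IEND", b""))
    return PNG_SIG + b"".join(chunks) + trailer


def scan_png(data: bytes) -> dict:
    """Walk the chunk list and report anywhere a payload could be hiding."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    report = {"chunks": [], "suspicious": [], "trailer": b""}
    pos, saw_iend = len(PNG_SIG), False
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        end = pos + 12 + length
        if end > len(data):
            report["suspicious"].append(f"{name}: declared length {length} runs past end of file")
            break
        body = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[end - 4:end])[0]
        crc_ok = stored_crc == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        ent = shannon_entropy(body)
        report["chunks"].append((name, length, round(ent, 2), crc_ok))
        # PNG type bits: lowercase 1st letter = ancillary, lowercase 2nd = private.
        if ctype != b"IDAT" and length >= MIN_SUSPECT_LEN and ent > HIGH_ENTROPY:
            report["suspicious"].append(f"{name}: {length}-byte body with entropy {ent:.2f}")
        elif ctype[1:2].islower():
            report["suspicious"].append(f"{name}: private chunk ({length} bytes)")
        if not crc_ok:
            report["suspicious"].append(f"{name}: CRC mismatch (chunk edited after creation?)")
        pos = end
        if ctype == b"IEND":
            saw_iend = True
            break
    if not saw_iend:
        report["suspicious"].append("no IEND chunk: file truncated or malformed")
    trailer = data[pos:] if saw_iend else b""
    report["trailer"] = trailer
    if trailer:
        kind = "zip/apk" if trailer.startswith(b"PK\x03\x04") else "unknown"
        report["suspicious"].append(
            f"{len(trailer)} bytes after IEND ({kind}, entropy {shannon_entropy(trailer):.2f})")
    return report


if __name__ == "__main__":
    blob = sample_payload()
    for label, png in (("clean", build_png()),
                       ("private chunk", build_png(extra_chunk=(b"stEg", blob))),
                       ("after IEND", build_png(trailer=blob))):
        print(f"{label:14s} -> {scan_png(png)['suspicious'] or 'nothing found'}")
```

Two caveats for real use. An encrypted blob appended after IEND shows up as "unknown" rather than "zip/apk" because the ZIP magic is only visible after decryption, so the entropy figure is the more useful signal there. And this scanner says nothing about LSB-style embedding inside the pixel data itself; catching that requires decoding the IDAT stream and comparing the decoded pixels' low bits against what a natural image would produce, which is a separate tool.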

McAfee notes that the malware avoids infecting devices in certain regions, such as Beijing and Shenzhen in China, and implements 15 checks for emulators, debuggers, and VPNs. The region check depends on location data, so if location permissions are unavailable the malware simply proceeds with the infection chain.
