- McAfee reveals NoVoice malware hidden in 50+ Google Play apps with 2.3 million downloads
- Malware exploits old Android kernel and GPU flaws, persists even after factory reset
- Injects code into apps like WhatsApp to hijack sessions; Google has removed the apps, but infected devices remain compromised
Millions of Android devices were infected with malware that spied on their owners’ WhatsApp chats and that even a factory reset wouldn’t erase, experts have warned.
Researchers at McAfee have released an in-depth report on NoVoice, a new Android malware variant found in more than 50 apps hosted on the Google Play Store, which were downloaded more than 2.3 million times in total.
Normally, Google is pretty good at preventing criminals from smuggling malware onto the platform, but every now and then something slips through.
Cloning of WhatsApp sessions
This time it was a group of about 50 apps that worked as intended and didn’t require excessive permissions, such as accessibility, which are the usual red flags. The apps spanned different categories, including utility apps, image galleries and games.
Instead of tricking users into granting broad permissions, the apps attempted to exploit nearly two dozen different vulnerabilities, including a use-after-free kernel flaw and a Mali GPU driver flaw, all of which were patched between 2016 and 2021.
This means that the attackers went after older devices that their owners do not update or otherwise maintain.
The malware first collects device information from infected Androids, such as hardware details, kernel version, and Android version. After that, it receives further instructions, including the phase-two exploitation strategy.
Two things stand out: the way it establishes persistence and what it does afterwards. Among other things, the malware installs recovery scripts that replace the system crash handler and store backup payloads on the system partition. That way, when a user does a factory reset, the malware still persists.
After establishing persistence, it injects malicious code into every app launched on the device. McAfee singled out WhatsApp, saying the malware pulls sensitive data needed to replicate the victim’s session, thereby allowing the attackers to clone the victim’s WhatsApp account on their own device.
Google says it has now removed all the malicious apps, but devices will remain compromised until users do the same on them.



