NoVoice Malware Hits 2.3 Million Android Devices via Google Play

A new Android rootkit campaign called NoVoice malware has been discovered hiding inside more than 50 apps on Google Play. The apps collected at least 2.3 million downloads before being removed. Researchers warn that millions of devices may still be compromised.

What Is NoVoice Malware?

NoVoice malware is a rootkit. That means it burrows into the deepest layers of a device’s operating system, well below the level where standard security tools can see it. Once installed, it gives attackers near-total control of the infected phone while staying completely invisible to the user.

McAfee’s mobile research team uncovered the campaign, tracked as Operation NoVoice. The apps carrying the malicious payload looked completely ordinary. They posed as phone cleaners, casual games, and photo gallery tools. Each one worked as advertised and asked for no unusual permissions. Nothing about them raised suspicion.

How the Attack Works

The attack begins the moment a user opens an infected app. In the background, the app contacts a remote server controlled by the attackers. That server profiles the device, collecting details about its hardware, operating system version, and security patch level. It then sends back a tailored set of exploits designed for that specific device.

NoVoice malware draws on 22 known Android vulnerabilities, all patched between 2016 and 2021. On devices that never applied those updates, the malware exploits kernel-level bugs and GPU driver flaws to gain root access. It also disables SELinux, Android’s mandatory access control layer, removing a fundamental protection.

After gaining root privileges, the malware replaces core system libraries with modified versions. Those versions silently intercept every app running on the device. From that point forward, every application the user opens runs attacker-controlled code.

Persistence That Survives a Factory Reset

NoVoice malware installs multiple layers of persistence, including recovery scripts and fallback payloads stored in the system partition. A standard factory reset wipes only the user data partition, so the system partition, and everything the malware placed there, survives intact.

On older Android devices running version 7 or below, full removal may require reflashing the device firmware. For most users, that is not a realistic option. McAfee also confirmed that even patched devices could have faced exposure to payloads researchers have not yet identified.

WhatsApp Sessions Cloned

The primary payload McAfee recovered targets WhatsApp. When a user launches the app on an infected device, NoVoice malware extracts everything needed to clone the session. That includes encryption databases, Signal protocol keys, phone number details, and Google Drive backup credentials. The malware sends all of that data to the attackers’ servers, allowing them to replicate the victim’s WhatsApp account on a different device.

Attackers can then read messages, impersonate the victim, and contact friends and family in real time. The victim sees nothing unusual.

A Modular Framework Built for More

McAfee recovered only the WhatsApp-focused payload, but the architecture of NoVoice malware is modular by design. The framework accepts new payloads delivered remotely. Banking apps, messaging platforms, or any other application on the device could be targeted using the same infrastructure.

Researchers also found strong technical links between NoVoice malware and the Triada Android trojan, one of the most documented mobile malware families in existence. Both use the same system property to mark infected devices. Both maintain persistence by replacing the same core system library. Triada has been active since 2016 and evolved through supply chain attacks, modified app distributions, and pre-installed firmware backdoors. The connection suggests shared tooling, though a definitive link between the two operations has not been confirmed.

Who Is at Risk?

Devices running an Android security patch dated May 1, 2021 or later are not vulnerable to the specific exploits used in this campaign. Any device that downloaded one of the malicious apps, even a fully patched one, may still have faced exposure to additional payloads outside McAfee’s findings. Users who installed any of the affected apps should treat their device and its data as potentially compromised.

All 50-plus apps have been removed from Google Play. The C2 infrastructure behind the campaign was still active at the time McAfee published its findings.
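The patch-level cutoff above, together with the SELinux and system-partition behaviour described under "How the Attack Works" and "Persistence That Survives a Factory Reset", gives a defender three things worth checking on a device that had one of the affected apps installed. The script below is an added triage example written for this article; it is not McAfee's tooling and not part of the original post. It assumes `adb` is on the PATH with USB debugging enabled and one device attached, and it reads only standard Android properties (`ro.build.version.security_patch`, `ro.boot.veritymode`, `ro.boot.verifiedbootstate`) plus the output of `getenforce`. The `assess()` function is separated from the `adb` calls so it can be exercised on constructed input.

```python
"""Post-exposure triage for an Android device, run from a workstation over adb.

Hypothetical helper written for this article (not McAfee's tooling). It checks:
  - the security patch level against the 2021-05-01 threshold the article gives
  - whether SELinux is still enforcing (the article says the rootkit disables it)
  - whether verified boot still reports the system partition as untampered
Assumptions: `adb` on PATH, USB debugging enabled, exactly one device attached.
"""
import subprocess
from datetime import date
from typing import Dict, List, Optional

# From the article: devices with a patch level on or after this date are not
# vulnerable to the specific exploits used in the campaign.
PATCH_THRESHOLD = date(2021, 5, 1)

PROPS_TO_READ = (
    "ro.build.version.security_patch",  # YYYY-MM-DD, standard Android property
    "ro.boot.veritymode",               # "enforcing" on a healthy dm-verity setup
    "ro.boot.verifiedbootstate",        # "green" = locked bootloader, signed images
)


def parse_patch_level(value: str) -> Optional[date]:
    """Parse ro.build.version.security_patch; None if missing or malformed."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def assess(props: Dict[str, str], selinux_mode: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means no flag raised.

    Caveat: a rootkit that replaces system libraries can also lie to getprop
    and getenforce, so an empty result is not proof the device is clean.
    """
    findings: List[str] = []

    patch = parse_patch_level(props.get("ro.build.version.security_patch", ""))
    if patch is None:
        findings.append("patch level unreadable: treat as unpatched")
    elif patch < PATCH_THRESHOLD:
        findings.append(
            f"patch level {patch} predates {PATCH_THRESHOLD}: "
            "exposed to the exploit set used by this campaign"
        )

    mode = selinux_mode.strip()
    if mode.lower() != "enforcing":
        findings.append(f"SELinux reports '{mode}', expected 'Enforcing'")

    verity = props.get("ro.boot.veritymode", "").strip()
    if verity and verity != "enforcing":
        findings.append(f"dm-verity mode is '{verity}': system partition may be modified")

    vbstate = props.get("ro.boot.verifiedbootstate", "").strip()
    if vbstate and vbstate != "green":
        findings.append(f"verified boot state is '{vbstate}', expected 'green'")

    return findings


def adb_shell(*args: str) -> str:
    """Run one command on the attached device via `adb shell` and return stdout."""
    result = subprocess.run(
        ["adb", "shell", *args], capture_output=True, text=True, check=True
    )
    return result.stdout.strip()


def collect_via_adb() -> List[str]:
    """Read the properties and SELinux mode from a live device and assess them."""
    props = {name: adb_shell("getprop", name) for name in PROPS_TO_READ}
    return assess(props, adb_shell("getenforce"))


if __name__ == "__main__":
    for finding in collect_via_adb() or ["no findings (not proof of a clean device)"]:
        print(finding)
```

Any finding from this script is a reason to treat the device as compromised and move to vendor firmware reflashing or replacement, as the article describes; a clean run only rules out the known exploit set and the two most visible post-root changes, not the additional payloads McAfee has not yet identified.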

Final Thoughts

The NoVoice malware campaign proves that the Google Play Store is not a guarantee of safety. These apps passed review, reached millions of downloads, and showed no visible sign of malicious behavior. The attack required nothing beyond opening an app.

Android users should keep devices updated, stick to apps from well-established publishers, and consider running mobile security software. For older devices that no longer receive security updates, threats like NoVoice malware carry significant and lasting risk.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.