- McAfee uncovers NoVoice malware hidden in 50+ Google Play apps with 2.3 million downloads
- Malware exploits old Android kernel and GPU flaws, persists even after factory reset
- Injects code into apps like WhatsApp to hijack sessions; Google has removed apps but infected devices remain compromised
Millions of Android devices were infected with malware spying on their WhatsApp chats and that even a factory reset wouldn’t wipe, experts have warned.
Researchers at McAfee have published an in-depth report on NoVoice, a new Android malware variant found in more than 50 apps hosted on the Google Play store, downloaded more than 2.3 million times combined.
Usually, Google is quite good at preventing criminals from smuggling malware onto the platform, but every now and then, something makes it through.
Article continues below
Cloning WhatsApp sessions
This time around, it was a group of around 50 apps that worked as intended and did not require excessive permissions, such as Accessibility, which are the usual red flags. These apps were built in different categories, including utility apps, image galleries, and games.
Instead of tricking users into sharing broad permissions, the apps tried to leverage almost two dozen different vulnerabilities, including use-after-free kernel bugs and Mali GPU driver flaws, all of which were patched between 2016 and 2021.
That means that the attackers were going for older devices that their owners don’t update or otherwise maintain.
The malware would first collect device information from infected Androids, such as hardware details, kernel version, and Android version. After that, it would receive further instructions, including stage-two exploit strategy.
Two things stand out: the way it establishes persistence, and what it does afterwards. Among other things, the malware installs recovery scripts that replace the system crash handler and store fallback payloads on the system partition. That way, when a user does a factory reset, the malware still persists.
After establishing persistence, it injects malicious code into every app launched on the device. McAfee singled out WhatsApp, saying that the malware pulls sensitive data needed to replicate the victim’s session, thus allowing the attackers to clone the victim’s WhatsApp account on their own device.
Google says it has now removed all of the malicious apps, but until users do the same on their devices, they will remain compromised.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/NxmSYU2NX5vmBNv3WeEtKa-1920-80.jpg
Source link
