NoVoice Rootkit Hits Google Play

50 apps, 2.3 million downloads, and a rootkit a factory reset won't remove.

[Image: Android phone screen showing Google Play store apps. Caption: NoVoice hid inside legitimate-looking apps and persisted through factory resets]

A rootkit called NoVoice was hidden across 50+ Google Play apps downloaded 2.3 million times. It roots your device, survives a factory reset, and clones your WhatsApp session.

More than 50 apps on Google Play were carrying NoVoice, an Android rootkit downloaded at least 2.3 million times before McAfee caught it. The apps looked completely legitimate. Cleaners, image galleries, games. They required no suspicious permissions and actually did what they advertised. Nothing at install would have flagged them.

Once launched, NoVoice attempted to root the device by chaining together kernel exploits, some targeting vulnerabilities that were patched as far back as 2016. The malware checked in with a command-and-control server, collected hardware details, Android version, installed apps, and root status, then polled every 60 seconds for device-specific exploit packages. McAfee observed 22 distinct exploits in use, including use-after-free kernel bugs and Mali GPU driver flaws. Once root access was obtained, SELinux enforcement was disabled, stripping out Android's core security architecture.

From there, key system libraries were replaced with hooked versions that intercept system calls and redirect execution to attacker-controlled code. Persistence was built in layers. Recovery scripts, a replaced system crash handler, fallback payloads written to the system partition. That last part matters because the system partition is not wiped during a factory reset. The infection survives an aggressive cleanup. A watchdog daemon runs every 60 seconds to verify the rootkit is intact and forces a reboot to reload it if anything is missing.

The post-exploitation phase injected attacker code into every app launched on the device. The primary payload targeted WhatsApp specifically, extracting encryption databases, Signal protocol keys, phone numbers, and Google Drive backup credentials. That combination is enough to fully clone the victim's WhatsApp session on an attacker-controlled device. McAfee was clear that WhatsApp was simply the payload they recovered. The modular design means operators could swap in anything targeting any app with internet access.

Google pulled the apps after McAfee reported them through the App Defense Alliance. If you installed any of them, consider the device compromised. A factory reset is not enough. NoVoice only targets vulnerabilities patched before May 2021, so devices running a security update newer than that are not exposed to this specific campaign. Older devices that haven't seen a patch in years are a different story.
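The three checks the article implies for an individual device (is the security patch level older than the May 2021 cutoff, is SELinux still enforcing, and is the system partition mounted writable) can be scripted against captured `adb shell` output. The following is an added triage helper, not code from the article or from McAfee's analysis; it assumes you have already captured the output of `getprop`, `getenforce` and `mount` from the device, and the sample outputs below are constructed.

```python
"""Triage captured `adb shell` output for the NoVoice exposure window and
the post-root indicators the McAfee write-up describes (added example)."""
from datetime import date

# NoVoice chains exploits for bugs patched before May 2021; a device whose
# patch level is earlier than that is in the exposed population.
NOVOICE_PATCH_CUTOFF = date(2021, 5, 1)

# Constructed sample output, modelled on a stale, rooted device.
SAMPLE_GETPROP = """
[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2019-08-05]
"""
SAMPLE_GETENFORCE = "Permissive\n"
SAMPLE_MOUNT = """/dev/block/dm-0 on / type ext4 (rw,seclabel,relatime)
/dev/block/by-name/userdata on /data type f2fs (rw,lazytime,seclabel,nosuid,nodev,noatime)
"""


def parse_getprop(output: str) -> dict:
    """Parse `getprop` lines of the form [key]: [value] into a dict."""
    props = {}
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("[") and "]: [" in line and line.endswith("]"):
            key, _, value = line[1:-1].partition("]: [")
            props[key] = value
    return props


def patch_level_exposed(props: dict) -> bool:
    """True if ro.build.version.security_patch predates May 2021 or is unparseable."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        y, m, d = (int(part) for part in raw.split("-"))
        return date(y, m, d) < NOVOICE_PATCH_CUTOFF
    except ValueError:
        return True  # missing or malformed: treat as exposed


def system_mounted_rw(mount_out: str) -> bool:
    """True if / (system-as-root) or /system is mounted read-write."""
    for line in mount_out.splitlines():
        parts = line.split()  # toybox: <dev> on <mountpoint> type <fs> (<opts>)
        if len(parts) >= 6 and parts[1] == "on" and parts[2] in ("/", "/system"):
            if "rw" in parts[5].strip("()").split(","):
                return True
    return False


def triage(getprop_out: str, getenforce_out: str, mount_out: str) -> dict:
    """Return the three indicators; any True value warrants a closer look."""
    return {
        "patch_level_exposed": patch_level_exposed(parse_getprop(getprop_out)),
        "selinux_not_enforcing": getenforce_out.strip() != "Enforcing",
        "system_mounted_rw": system_mounted_rw(mount_out),
    }
```

A rooted device will normally show `Permissive` and a writable system partition only while the rootkit is active, so a clean result on these checks does not prove a device is uninfected; the patch-level check is the one that decides whether it was ever in scope.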

FAQ

What is NoVoice?

NoVoice is an Android rootkit distributed through Google Play inside legitimate-looking apps. It roots the device, survives factory resets, and steals data from installed apps.

How did it get onto Google Play?

The malicious payload was hidden inside a PNG image file using steganography and disguised within the Facebook SDK package. The apps passed Google's review process and functioned as advertised.

Does a factory reset remove it?

No. NoVoice stores fallback payloads on the system partition, which is not wiped during a factory reset. The device should be considered permanently compromised.

What data did it steal?

The recovered payload targeted WhatsApp, extracting encryption databases, Signal protocol keys, phone numbers, and Google Drive backup credentials. This is sufficient to clone the victim's WhatsApp session on another device.

Am I still at risk?

If your device is running a security patch dated after May 2021, NoVoice cannot exploit it in its current form. Devices that have not received patches in several years remain vulnerable.