- McAfee discovers NoVoice malware hidden in more than 50 Google Play applications with 2.3 million downloads
- Malware exploits old Android kernel and GPU flaws and persists even after a factory reset
- It injects code into applications like WhatsApp to hijack sessions; Google removed the apps, but infected devices remain compromised
Millions of Android devices were infected with malware that spied on their WhatsApp chats and that not even a factory reset would remove, experts have warned.
McAfee researchers have released a detailed report on NoVoice, a new variant of Android malware found in more than 50 apps hosted on the Google Play store and downloaded more than 2.3 million times combined.
Google is usually pretty good at preventing criminals from smuggling malware onto the platform, but every once in a while, something manages to break through.
Clone WhatsApp sessions
This time, it was a group of around 50 apps that worked as expected and did not request excessive permissions, such as Accessibility, which are the usual red flags. The apps spanned different categories, including utility apps, image galleries, and games.
Instead of tricking users into sharing broad permissions, the apps attempted to exploit nearly two dozen different vulnerabilities, including use-after-free kernel bugs and Mali GPU driver flaws, all of which were patched between 2016 and 2021.
That means attackers were targeting older devices that are not updated or maintained by their owners.
The malware would first collect device information from the infected Android devices, such as hardware details, kernel version, and Android version. After that, it would receive further instructions, including the exploitation strategy for stage two.
Two things stand out: how it establishes persistence and what it does afterward. Among other things, the malware installs recovery scripts that replace the system crash handler and store backup payloads on the system partition. That way, when a user performs a factory reset, the malware still persists.
After establishing persistence, it injects malicious code into every application launched on the device. McAfee singled out WhatsApp and said the malware extracts sensitive data needed to replicate the victim’s session, allowing attackers to clone the victim’s WhatsApp account on their own device.
Google says it has removed all malicious apps, but until users do the same on their devices, they will remain compromised.