Unkillable NoVoice Android Rootkit Found In Google Play Infects Millions

[Image: NoVoice infections]
A new, particularly malicious Android rootkit has been identified by the team of cybersecurity researchers at McAfee, and as the above image indicates, it has a high rate of infection across the Midwestern United States, African countries and India. This new rootkit, dubbed NoVoice by McAfee, specifically targets older, unpatched Android devices with a security patch level earlier than 2021-05-01. Any device that lost official support prior to that date is vulnerable, and since a large swath of Android devices are budget-made with no guarantee of long-term support, poor and underserved users are the most vulnerable.

One of the confirmed NoVoice rootkit carrier apps, SwiftClean.

Thankfully, McAfee did notify Google of the malicious apps containing NoVoice and over 50 of the offending apps were removed from Google Play. However, those apps garnered at least 2.3 million downloads before they were taken down, and the takedown by itself can do nothing to remove the rootkit from the infected devices. It's so deep-rooted, in fact, that not even a full factory reset can actually remove the NoVoice rootkit and malware from the device. The only way to actually remove it is to perform a full firmware reflash...which you're not going to be able to do on the majority of infected devices, since they most likely have a locked bootloader preventing firmware flashing.

In its full disclosure post, McAfee notes that the only apparent task NoVoice was given on infected devices was to clone WhatsApp sessions. However, "the framework is designed to accept any objective" and the underlying system for controlling and distributing the rootkit is still active. There's no guarantee that NoVoice isn't still being distributed, and infected users will have to take drastic measures to get rid of it, if they even become aware of it.

We don't cover rootkits very often here at Hot Hardware, since they're usually far more ambitious (or outright stupid) in nature, compared to more standard threat vectors of malware infection. Typically, malware on Android is a more straightforward case of malicious apps that stop bothering you once you get rid of them and don't go quite as far as this.

Were it not such an egregious breach of privacy targeted at poor and underserved populations, I'd almost be impressed at the depth and scope of the operation behind NoVoice outlined by McAfee. As-is, though, I can only hope that as many infected users as possible can take the steps necessary to unlock their bootloaders and firmware flash the malware away. As a fringe benefit, those users may also open themselves up to the vibrant world of custom Android kernels and custom Android ROMs, which is a great way to breathe new life into an old Android device.
Chris Harper

Christopher Harper is a tech writer with over a decade of experience writing how-tos and news. Off work, he stays sharp with gym time & stylish action games.