Unlike typical Android threats, NoVoice does not rely on visible indicators. It profiles device details, including hardware information, Android version, patch level, installed apps, and root status. The malware then communicates with a command-and-control server every 60 seconds, sharing data and downloading targeted exploits.
McAfee researchers observed 22 different exploits used by the malware to bypass Android’s built-in protections. By leveraging known vulnerabilities, NoVoice establishes root access and embeds itself deeply into the system.
The campaign has mainly targeted users in Africa but has also affected devices in India, the US, and Europe. McAfee noted that older and budget Android devices are more vulnerable, as they often run outdated software without recent security updates.
The attackers have primarily used NoVoice to target WhatsApp. The malware extracts sensitive data to clone user sessions, allowing attackers to impersonate victims and send messages in real time. Due to its modular design, it could also be adapted to target banking apps or other services.
NoVoice is designed to persist even after a factory reset. It achieves this by modifying core system libraries, placing itself in areas that standard system wipes cannot remove.
The malware also uses a watchdog mechanism that checks its integrity every 60 seconds. If any component is removed, it reinstalls itself. If it cannot restore itself, it forces the device to reboot, which triggers reinfection.
Google has removed all 50 malicious apps from the Play Store. However, users who installed them must manually uninstall the apps. Due to the malware’s persistence, this step alone may not fully resolve the infection.
Users are advised to check their device’s security patch level under Settings. Devices running patches older than May 1, 2021, remain vulnerable to the exploits used by NoVoice.
A factory reset is not sufficient to remove the malware. The only reliable method is to reflash the device with official firmware, which replaces system files but also deletes all data. For devices that no longer receive updates, replacing the phone may be the safest option.
Users can also run a manual scan using Google Play Protect to check for threats.
In a statement to Tom’s Guide, a Google spokesperson said Android addressed these vulnerabilities in updates released after May 2021. The company added that Play Protect can remove such apps and block future installations, and advised users to keep their devices updated.
NoVoice reflects a shift in Android malware design, with persistence mechanisms that can survive traditional removal methods. Researchers warn that similar approaches could be used in future attacks.
Users are advised to install updates regularly, download apps from trusted developers, review ratings and feedback, and consider using additional antivirus tools for added protection.