Malware | High

Android NoVoice Rootkit Exploits Legacy Vulnerabilities via 50+ Malicious Apps

Monday, April 6, 2026
Africa, South Asia (Global risk)
The Hacker News

Summary

A sophisticated Android rootkit named NoVoice was discovered exploiting 22 Android vulnerabilities (patched between 2016 and 2021) through over 50 malicious applications downloaded millions of times from app stores. The malware gains root access and injects malicious code into legitimate user applications to exfiltrate data. High infection rates were observed in Nigeria, Ethiopia, Algeria, India, and Kenya, and Google has removed the apps from its stores.

Threat Analysis

NoVoice is a sophisticated Android rootkit that exploits a chain of 22 Android vulnerabilities, all of which were patched between 2016 and 2021, targeting devices that have not received security updates. The malware was distributed through over 50 applications that were available on app stores and had been downloaded millions of times before discovery.

Technical Capabilities: NoVoice gains root access to infected devices and injects malicious code into legitimate user applications. This allows the malware to operate with elevated privileges while hiding within trusted app processes, making detection significantly more difficult.

Affected Platforms: Android devices, particularly those running older Android versions that have not received the security patches issued from 2016 to 2021. The malware specifically targets devices where these legacy vulnerabilities remain unpatched.

Geographic Distribution: High infection rates observed in Nigeria, Ethiopia, Algeria, India, and Kenya, suggesting targeting of regions with higher rates of older, unpatched Android devices.

Response: Google has removed the identified malicious applications from the Google Play Store. However, devices that already installed the apps may remain infected.

Recommended Mitigations: Update Android devices to the latest available security patch level. Remove any recently installed apps from unknown developers. Run a mobile security scan on potentially affected devices. Organizations should implement mobile device management (MDM) policies requiring minimum security patch levels. Consider replacing devices that cannot receive security updates.
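The minimum patch-level policy recommended above can be checked against a device inventory. The following is an added example, not part of the original brief: the CSV column names, the sample rows and the 2022-01-01 floor are assumptions, the floor chosen only because the brief says the exploited flaws were patched between 2016 and 2021.

```python
import csv
import io
from datetime import date

# Assumption: floor derived from the brief's "patched between 2016 and 2021";
# set it to whatever minimum your own MDM policy requires.
MIN_PATCH_LEVEL = date(2022, 1, 1)

# Constructed sample of an MDM inventory export (not real devices).
# security_patch mirrors the Android property ro.build.version.security_patch.
SAMPLE_INVENTORY = """device_id,model,security_patch
dev-001,Example A1,2019-08-05
dev-002,Example B2,2023-11-01
dev-003,Example C3,
dev-004,Example D4,2021-12-01
dev-005,Example E5,unknown
dev-006,Example F6,2022-01-01
"""


def classify(patch_field, floor=MIN_PATCH_LEVEL):
    """Return (verdict, detail) for one reported patch-level string."""
    value = (patch_field or "").strip()
    if not value:
        # Fail closed: a device that reports nothing cannot be shown compliant.
        return "non-compliant", "patch level not reported"
    try:
        level = date.fromisoformat(value)
    except ValueError:
        return "non-compliant", f"unparseable patch level {value!r}"
    if level < floor:
        return "non-compliant", f"{(floor - level).days} days below floor"
    return "compliant", f"patch level {level.isoformat()}"


def audit(inventory_csv, floor=MIN_PATCH_LEVEL):
    """Map device_id -> (verdict, detail) for every row in the export."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["device_id"]: classify(r.get("security_patch"), floor) for r in rows}


if __name__ == "__main__":
    for device, (verdict, detail) in audit(SAMPLE_INVENTORY).items():
        print(f"{device}: {verdict} ({detail})")
```

A compliant patch level only shows the device is no longer missing the legacy fixes; it does not show that a previously infected device is clean.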

Last updated: Apr 6, 2026, 08:20 AM
