2.3 Million Android Users Hit by 'NoVoice' Malware Targeting WhatsApp
A research team from McAfee has recently revealed a large-scale Android malware campaign they have named Operation NoVoice. The malware was found in more than 50 apps previously available on the Google Play Store, ranging from mobile cleaning apps and puzzle games to photo gallery utilities.
Although these apps have now been removed, data indicates that the malicious apps had been downloaded over 2.3 million times by users worldwide.
The primary danger of NoVoice lies in its ability to masquerade as normal apps that genuinely function as described. Users would not suspect anything because the apps continue to perform their tasks while conducting covert operations in the background.
Additionally, the malware employs a tactic of playing silent audio tracks continuously. This is done to keep system services running in the background without triggering suspicion from the operating system or the user.
Once installed, the NoVoice malware connects to a central server to transmit detailed information about the victim’s device, including hardware version and security patch level.
Based on this data, attackers send custom exploit code tailored to the device. The main goal of the attack is to obtain high-level access, known as “root” access.
With this access, attackers can modify the core Android system libraries. This allows them to spy on data from messaging apps, financial applications, and social media without the phone owner noticing.
One of the primary targets of this malware is the WhatsApp app. When a user opens WhatsApp on an infected device, the malware extracts sensitive data needed to replicate the user’s session, including the encryption database, Signal protocol keys, and account identity.
This information is then sent to the attackers’ server, enabling them to clone the victim’s WhatsApp session on their own devices.
Even more concerning, NoVoice is built to resist removal. The infection can survive a factory reset because its malicious components sit in parts of the software that the standard reset process typically leaves untouched.
This makes infected devices behave like digital “zombies”, where the malware continues to operate in the background even after the phone has been cleaned. To completely eliminate the infection, users often need to perform a full firmware reinstallation.
Nevertheless, this malware primarily targets devices with outdated operating systems or those that have not received the latest security updates. In response to these findings, a Google spokesperson issued an official statement regarding user protection.
“As an additional layer of defence, Google Play Protect automatically removes these apps and blocks new installations. Users should always install the latest available security updates for their devices.”
Experts recommend that Android users promptly update their systems and exercise greater caution when downloading apps, even from official stores like Google Play. It is highly advisable to check the developer’s name, number of downloads, and user reviews before installing new apps.
Furthermore, using robust mobile security software can help detect suspicious behaviour and block malware before it can take root in the system.
Check the list of apps on your phone immediately and make sure your Android security updates are current.