Operation NoVoice: Android Rootkit Hidden in 50+ Google Play Apps Hijacked 2.3 Million Devices and Survived Factory Reset
McAfee’s mobile research team has disclosed a large-scale Android rootkit campaign dubbed Operation NoVoice that used more than 50 malicious apps on Google Play to infect at least 2.3 million devices, gain root access on vulnerable phones, and inject attacker-controlled code into every app the victim launches. McAfee says the campaign relied on Android vulnerabilities patched between 2016 and 2021, meaning devices with a security patch level of 2021-05-01 or newer were not susceptible to the exploit set the researchers recovered from the command-and-control infrastructure.
The operation stands out because it did not rely on sideloading, piracy stores, or suspicious permissions. McAfee says the carrier apps were distributed through Google Play, looked and behaved like ordinary cleaners, gallery tools, and games, and requested no unusual privileges. Once opened, however, hidden code contacted attacker infrastructure, profiled the device, downloaded root exploits tailored to the device's hardware and software, and, if successful, took full control of the phone. From that point onward, every app the user opened ran with attacker-injected code.
Technically, NoVoice is a multi-stage, plugin-based framework. McAfee says the first-stage payload is hidden in the carrier app’s assets as a polyglot image, where a normal PNG is followed by encrypted malicious content after the IEND marker. When the app launches, code injected into a legitimate-looking Facebook SDK initialization path extracts the encrypted payload, decrypts it, loads it in memory, and deletes intermediate artifacts. The next stage loads a native library that performs environment validation, including emulator detection, debugger checks, VPN and proxy detection, Xposed checks, and even geofencing logic that excludes devices inside Beijing and Shenzhen. Only after those checks pass does the malware move into full device profiling and C2 contact.
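The polyglot trick described above (a valid PNG with encrypted content appended after the IEND chunk) is cheap to hunt for in an APK's assets/ directory. The following is an added triage example, not McAfee's tooling or code from the malware: it walks the PNG chunk list to IEND, reports any trailing bytes, and scores their entropy, since an encrypted second stage sits close to 8 bits per byte while a stray text footer does not. The sample assets, including the byte-permutation stand-in for the encrypted payload, are constructed here for the demonstration.

```python
"""Flag PNG assets that carry data after the IEND chunk (polyglot droppers)."""
import math
import struct
import zlib
from collections import Counter

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_trailer(data: bytes):
    """Walk the chunk list to IEND; return (offset just past IEND, trailing bytes).

    Chunk CRCs are deliberately not verified: a viewer still renders the image,
    and the goal is to find where the image ends, not to validate it.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header before IEND")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # length + type + payload + CRC
        if chunk_end > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        pos = chunk_end
        if ctype == b"IEND":
            return pos, data[pos:]


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; encrypted or compressed payloads sit close to 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def scan_assets(assets: dict) -> list:
    """Return (name, trailer length, trailer entropy) for every PNG with a trailer."""
    hits = []
    for name, data in assets.items():
        if not data.startswith(PNG_SIGNATURE):
            continue
        try:
            _, trailer = png_trailer(data)
        except ValueError:
            continue                               # malformed image; triage separately
        if trailer:
            hits.append((name, len(trailer), round(shannon_entropy(trailer), 2)))
    return hits


def build_png(trailer: bytes = b"") -> bytes:
    """Constructed sample: a valid 1x1 RGB PNG, optionally with bytes appended."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit depth, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one red pixel
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"") + trailer


# Stand-in for an encrypted second stage (constructed: a byte permutation, entropy exactly 8.0).
FAKE_PAYLOAD = bytes((i * 73 + 41) % 256 for i in range(1024))

SAMPLE_ASSETS = {                       # constructed APK assets/ directory
    "assets/bg.png": build_png(),
    "assets/logo.png": build_png(FAKE_PAYLOAD),
    "assets/config.txt": b"not an image",
}

if __name__ == "__main__":
    for name, size, ent in scan_assets(SAMPLE_ASSETS):
        print(f"{name}: {size} bytes after IEND, entropy {ent}")
```

To run this over a real APK, open it with `zipfile.ZipFile` and feed `scan_assets` a dict of every `assets/` entry's bytes; a trailer of a few kilobytes with entropy above roughly 7.5 is worth pulling apart by hand, while a short low-entropy trailer is usually an editor footer or padding.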
McAfee says the plugin framework then checks in with the server every 60 seconds, sending detailed device information and retrieving additional modules disguised as image downloads. The first recovered orchestrator plugin, which the researchers say internally referenced the "kuwo" codebase, also contained the silent audio resource R.raw.novioce (sic) that gave the operation its name. The audio is played at zero volume so that a foreground service is treated as doing active media playback and is therefore not subject to Android's background-execution limits, a well-known keep-alive trick.
The root stage is where the malware becomes unusually dangerous. McAfee says the framework downloads one or more exploit binaries selected by the C2 based on chipset, kernel version, and security patch level. The researchers recovered 22 exploit binaries in total. In one deeply analyzed chain, the malware combined an IPv6 use-after-free for kernel read, a Mali GPU driver flaw for kernel read/write, and then credential patching plus SELinux disablement to obtain a rooted shell. Before any exploit runs, the installer component CsKaitno.d is already written to disk, meaning persistence is ready to be activated the moment root is achieved.
Once rooted, NoVoice replaces libandroid_runtime.so and libmedia_jni.so with wrapper libraries that intercept system functions and redirect execution into attacker code. McAfee says it also patches precompiled framework bytecode on disk as a second persistence layer. The result is a true rootkit-style position inside the operating system: on the next boot, Zygote, the Android process launcher that preloads these libraries and forks every app process, loads the replaced libraries, and every app it starts inherits the attacker's hooks. McAfee says this persistence can survive a factory reset on older unsupported devices, since a factory reset wipes the user data partition but leaves the system partition, where the replaced libraries live, untouched; full recovery requires reflashing clean firmware.
The watchdog and reinfection logic are equally mature. McAfee says the malware installs a watchdog daemon that checks the rootkit every 60 seconds, reinstalls missing components, and can even force a reboot if repeated restoration attempts fail. It also replaces crash-handling and recovery-related components so the rootkit can relaunch after restarts. In practice, this turns the infection from a simple mobile trojan into a self-healing framework with system-level durability.
The post-exploitation layer is highly flexible. McAfee recovered two in-memory payload families named BufferA and BufferB. BufferA activates inside the package installer and can silently install or remove apps. BufferB activates inside any app with internet access and maintains two independent command channels with separate keys and beacon intervals. McAfee says BufferB can also fall back to api.googlserves[.]com for fresh domain lists if the primary C2 domains stay unreachable for more than three days. Because BufferB can run inside many apps on the same device, the same infected phone can host multiple simultaneous attacker execution contexts.
The only task payload McAfee recovered targeted WhatsApp. The module, identified as PtfLibc, copies WhatsApp’s encrypted databases, extracts Signal protocol identity keys, registration metadata, recent signed prekeys, and local storage values including phone number, push name, country code, and the Google Drive backup account. McAfee says the stolen data is then encrypted and sent to attacker infrastructure, after which temporary local copies are removed. With that material, the researchers say an attacker could clone the victim’s WhatsApp session onto another device.
The campaign infrastructure is also segmented by function. McAfee says fcm.androidlogs[.]com handled initial device enrollment, stat.upload-logs[.]com acted as the primary plugin delivery and exploit distribution C2, config.updatesdk[.]com served as fallback, exploit binaries were hosted on download.androidlogs[.]com and an S3-accelerated endpoint, and task payloads were delivered from Alibaba Cloud OSS. That domain separation means that taking down one part of the operation does not necessarily collapse the full framework.
McAfee also links NoVoice to the broader Triada ecosystem. The researchers say NoVoice sets the system property os.config.ppgl.status, which has been used as an indicator in earlier Android.Triada variants, and that both families rely on replacing libandroid_runtime.so to ensure every app executes attacker code at launch. McAfee stops short of claiming definitive lineage, but says the overlap suggests either direct evolution, a shared codebase, or access to the same tooling.
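The replaced system libraries described earlier, the os.config.ppgl.status property above, and the 2021-05-01 patch-level cut-off can all be checked from a plain adb session. The script below is an added triage example written for this page, not McAfee's tooling: it parses the output of `adb shell getprop` and of `sha256sum` run over the two libraries, compares the hashes against known-good values taken from a clean firmware image of the same build, and returns a list of findings. The adb outputs and the "known-good" hashes used here are constructed placeholders; a real check needs hashes from the vendor's factory image for that exact build fingerprint.

```python
"""Triage a device dump for NoVoice/Triada persistence markers (added example)."""
import re
from datetime import date

# Patch level McAfee cites as the cut-off for the recovered exploit set.
FIXED_PATCH_LEVEL = date(2021, 5, 1)
MARKER_PROP = "os.config.ppgl.status"

# Known-good hashes come from a clean firmware image for the same build fingerprint.
# The values below are constructed placeholders, not real library hashes.
KNOWN_GOOD = {
    "/system/lib64/libandroid_runtime.so": "11" * 32,
    "/system/lib64/libmedia_jni.so": "22" * 32,
}

_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text: str) -> dict:
    """Parse `adb shell getprop` output ([key]: [value] per line)."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def parse_sha256sum(text: str) -> dict:
    """Parse `sha256sum` output (hash, whitespace, path) into {path: hash}."""
    hashes = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            hashes[parts[1].strip()] = parts[0].lower()
    return hashes


def triage(props: dict, hashes: dict, known_good: dict = KNOWN_GOOD) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    level = props.get("ro.build.version.security_patch", "")
    try:
        y, m, d = (int(x) for x in level.split("-"))
        if date(y, m, d) < FIXED_PATCH_LEVEL:
            findings.append(f"patch level {level} predates {FIXED_PATCH_LEVEL}: within exploited range")
    except ValueError:
        findings.append("security patch level missing or unparseable")
    if MARKER_PROP in props:
        findings.append(f"property {MARKER_PROP}={props[MARKER_PROP]!r} is set (Triada/NoVoice marker)")
    for path, good in known_good.items():
        seen = hashes.get(path)
        if seen is None:
            findings.append(f"{path}: not present in hash listing")
        elif seen != good:
            findings.append(f"{path}: hash mismatch against clean firmware")
    return findings


def run_triage(getprop_text: str, sha_text: str) -> list:
    return triage(parse_getprop(getprop_text), parse_sha256sum(sha_text))


# Constructed adb output: a device that looks clean (newer patch level, intact libraries).
GETPROP_CLEAN = """\
[ro.build.version.release]: [12]
[ro.build.version.security_patch]: [2022-03-05]
"""
SHA_CLEAN = (
    "11" * 32 + "  /system/lib64/libandroid_runtime.so\n"
    + "22" * 32 + "  /system/lib64/libmedia_jni.so\n"
)

# Constructed adb output: old patch level, marker property set, runtime library replaced.
GETPROP_SUSPECT = """\
[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2020-09-05]
[os.config.ppgl.status]: [1]
"""
SHA_SUSPECT = (
    "ab" * 32 + "  /system/lib64/libandroid_runtime.so\n"
    + "22" * 32 + "  /system/lib64/libmedia_jni.so\n"
)

if __name__ == "__main__":
    for label, gp, sh in (("clean", GETPROP_CLEAN, SHA_CLEAN), ("suspect", GETPROP_SUSPECT, SHA_SUSPECT)):
        print(label, run_triage(gp, sh) or ["no findings"])
```

Collect the inputs with `adb shell getprop` and `adb shell sha256sum /system/lib64/libandroid_runtime.so /system/lib64/libmedia_jni.so` (32-bit-only devices keep them under /system/lib). Because a rooted implant can tamper with anything that runs on the device, the more trustworthy variant is to `adb pull` the two files and hash them on the host; and a clean result from this script only rules out the specific markers it checks, not the infection.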
McAfee reported the apps to Google, and Google removed the identified apps from Google Play and banned the associated developer accounts. That reduces future exposure, but it does not clean already infected devices. McAfee’s guidance is explicit: because the rootkit writes to the system partition, a factory reset is not sufficient. Devices believed to be infected need a full firmware reflash, and blocking the listed C2 domains can disrupt several stages of the chain.
Indicators of Compromise (IoCs)
- Command-and-control domains: api.googlserves[.]com, api.uplogconfig[.]com, avatar.ttaeae[.]com, awslog.oss-accelerate.aliyuncs[.]com, check.updateconfig[.]com, config.googleslb[.]com, config.updatesdk[.]com, dnskn.googlesapi[.]com, download.androidlogs[.]com, fcm.androidlogs[.]com, log.logupload[.]com, logserves.s3-accelerate.amazonaws[.]com, prod-log-oss-01.oss-ap-southeast-1.aliyuncs[.]com, sao.ttbebe[.]com, stat.upload-logs[.]com, upload.crash-report[.]com, nzxsxn.98kk89[.]com, 98kk89[.]com.
- Notable persistence marker: system property os.config.ppgl.status.
- Key system files targeted or replaced: libandroid_runtime.so, libmedia_jni.so.
- Notable payload names: CsKaitno.d, watch_dog, PtfLibc, sec.jar, hex.jar, security.jar.
- Representative malicious carrier apps from the supplied IoC list: com.swiftc.tcleans, com.wififinder.wificonnect, com.filnishww.fluttbuber.storagecleaner, com.crazycodes.photomotion, com.wuniversal.lassistant, com.systmapp.mobile1.cleanmanager, com.jekunotesimple.notesimple, com.game.ludoplay. McAfee's full list contains more than 50 samples.
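The 60-second check-in described earlier and the segmented C2 layout make resolver logs a good place to look for infected devices. The script below is an added detection example for this page, not McAfee's code: it refangs the domain list above, matches DNS query names against it on label boundaries (so a hostname on shared cloud infrastructure such as amazonaws.com or aliyuncs.com is only flagged when it is exactly the listed tenant hostname or a subdomain of it), and then measures the median interval between hits per client, which for the orchestrator's beacon should sit near 60 seconds. The log format and the log lines are constructed for the demonstration.

```python
"""Match DNS query logs against the NoVoice C2 list and measure beacon cadence."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Defanged domains copied from the IoC list above.
IOC_DOMAINS_DEFANGED = (
    "api.googlserves[.]com,api.uplogconfig[.]com,avatar.ttaeae[.]com,"
    "awslog.oss-accelerate.aliyuncs[.]com,check.updateconfig[.]com,"
    "config.googleslb[.]com,config.updatesdk[.]com,dnskn.googlesapi[.]com,"
    "download.androidlogs[.]com,fcm.androidlogs[.]com,log.logupload[.]com,"
    "logserves.s3-accelerate.amazonaws[.]com,"
    "prod-log-oss-01.oss-ap-southeast-1.aliyuncs[.]com,sao.ttbebe[.]com,"
    "stat.upload-logs[.]com,upload.crash-report[.]com,nzxsxn.98kk89[.]com,98kk89[.]com"
)


def refang(domain: str) -> str:
    return domain.strip().lower().replace("[.]", ".")


# Longest first, so nzxsxn.98kk89.com reports itself rather than its parent 98kk89.com.
IOC_DOMAINS = sorted({refang(d) for d in IOC_DOMAINS_DEFANGED.split(",")}, key=len, reverse=True)


def matching_ioc(qname: str):
    """Return the IoC that qname equals or is a subdomain of, else None.

    Matching is on label boundaries: s3-accelerate.amazonaws.com does not match
    the IoC logserves.s3-accelerate.amazonaws.com, and amazonaws.com is never flagged.
    """
    q = qname.strip().lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(lines) -> list:
    """Lines are '<iso timestamp> <client ip> <qname>' (constructed log format)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, qname = parts[:3]
        ioc = matching_ioc(qname)
        if ioc:
            hits.append((ts, client, qname.lower().rstrip("."), ioc))
    return hits


def beacon_cadence(hits) -> dict:
    """Median seconds between queries per (client, ioc); None if only one query seen."""
    stamps = defaultdict(list)
    for ts, client, _, ioc in hits:
        stamps[(client, ioc)].append(datetime.fromisoformat(ts))
    out = {}
    for key, seen in stamps.items():
        seen.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        out[key] = median(gaps) if gaps else None
    return out


SAMPLE_DNS_LOG = [  # constructed resolver log, not captured traffic
    "2024-03-01T10:00:00 10.0.0.5 stat.upload-logs.com",
    "2024-03-01T10:00:07 10.0.0.9 www.google.com",
    "2024-03-01T10:01:00 10.0.0.5 stat.upload-logs.com",
    "2024-03-01T10:01:30 10.0.0.9 s3-accelerate.amazonaws.com",
    "2024-03-01T10:02:00 10.0.0.5 stat.upload-logs.com",
    "2024-03-01T10:02:15 10.0.0.9 nzxsxn.98kk89.com",
    "2024-03-01T10:03:01 10.0.0.5 stat.upload-logs.com",
    "2024-03-01T10:03:40 10.0.0.9 API.GOOGLSERVES.COM.",
]

if __name__ == "__main__":
    hits = scan_dns_log(SAMPLE_DNS_LOG)
    for key, gap in beacon_cadence(hits).items():
        print(key, "median gap (s):", gap)
```

A client that resolves one of the plugin-delivery or exploit-hosting names with a steady one-minute cadence is a strong signal; a single hit on api.googlserves[.]com with no cadence is still worth a look, since that name is the fallback the BufferB payload uses only after the primary domains have been unreachable for days. Adapt `scan_dns_log` to your resolver's actual column layout before pointing it at production logs.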