This isn’t another adware story. McAfee found a full rootkit sitting in 50+ Google Play apps, downloaded 2.3 million times. They’re calling it “Operation NoVoice,” and the sophistication is genuinely alarming.
The malware hid its payload inside a PNG image using steganography. The malicious component disguised itself as com.facebook.utils, blending in with the legitimate Facebook SDK. To any scanner, it looked normal. It wasn’t.
Once installed, NoVoice carries 22 different kernel exploits targeting devices with security patches from 2016 through 2021. If your phone hasn’t been updated in a while (and millions haven’t), it gets rooted. After that, the rootkit replaces core Android system libraries so it can inject code into every single app on your device. Banking apps, email, messaging. All of it.
The primary target? WhatsApp session hijacking. But the architecture supports stealing basically anything.
The persistence is what makes this truly nasty. On older devices running Android 7 and below, NoVoice survives factory resets by installing to the system partition. A watchdog process checks its own integrity every 60 seconds and reinstalls anything that gets removed. The only real fix on those devices is reflashing clean firmware.
Good news: if your phone’s security patch level is May 2021 or later, the kernel exploits can’t land. The dropper can still install, but it can’t root you. If you’re on an older device that stopped getting updates? This is your sign to upgrade.
Google pulled the apps and banned the developer accounts after McAfee’s report. But 2.3 million downloads already happened.
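For anyone triaging a fleet against the two thresholds above (patch level May 2021, Android 7 and below), here is an added example that is not from McAfee's report or the original post. It parses `adb shell getprop` output and sorts each device into a remediation bucket; the bucket names, the `triage` helper and the sample dumps are constructed for illustration.

```python
import re
from datetime import date

# Thresholds taken from the article text.
PATCH_CUTOFF = date(2021, 5, 1)  # May 2021 or later: the kernel exploits can't land
RESET_SURVIVAL_MAX = 7           # Android 7 and below: survives factory reset

PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

def parse_getprop(text):
    """Parse `adb shell getprop` output ("[key]: [value]" lines) into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m["key"]] = m["val"]
    return props

def triage(props):
    """Return (bucket, action) for one device; bucket names are hypothetical."""
    try:
        patch = date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return ("unknown", "patch level missing or unparseable; inspect manually")
    if patch >= PATCH_CUTOFF:
        return ("dropper-only", "remove the flagged apps; rooting cannot succeed")
    m = re.match(r"\d+", props.get("ro.build.version.release", ""))
    # An unreadable Android version is treated as the worst case.
    if m is None or int(m.group()) <= RESET_SURVIVAL_MAX:
        return ("rootable-persistent", "factory reset is not enough; reflash clean firmware")
    return ("rootable", "treat as possibly rooted; update or replace the device")

# Constructed sample dumps, one per device (not real inventory data).
SAMPLES = {
    "tablet-01": "[ro.build.version.release]: [7.1.2]\n[ro.build.version.security_patch]: [2018-03-05]",
    "phone-02": "[ro.build.version.release]: [10]\n[ro.build.version.security_patch]: [2020-11-01]",
    "phone-03": "[ro.build.version.release]: [12]\n[ro.build.version.security_patch]: [2022-01-05]",
    "kiosk-04": "[ro.build.version.release]: [6.0.1]\n[ro.product.model]: [constructed]",
}

def triage_fleet(samples):
    """Map each device name to its (bucket, action) tuple."""
    return {name: triage(parse_getprop(dump)) for name, dump in samples.items()}

if __name__ == "__main__":
    for name, (bucket, action) in triage_fleet(SAMPLES).items():
        print(f"{name:10} {bucket:20} {action}")
```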