The NoVoice rootkit payloads | Image: McAfee
A new mobile threat is proving that even the most trusted app stores aren't immune to high-level engineering. McAfee's mobile research team has uncovered a sophisticated Android rootkit campaign, dubbed Operation NoVoice, that bypasses the platform's defences to seize "full control" of infected devices.
The attack begins with apps that, on the surface, appear entirely benign. Previously available on Google Play, these apps masquerade as everyday utilities such as “cleaners, games, or gallery utilities”.
When a user opens these apps, they function exactly as advertised, providing "no obvious signs of malicious activity". In the background, however, the app quietly profiles the device's hardware and software build so that the next stage can be matched to it.
Once the device is profiled, the app downloads "root exploits tailored to that device's specific hardware and software" from a remote server. If an exploit succeeds, the operators gain root, and with it total authority over the system.
From this position of power, the malware monitors user activity and injects code into every app the user opens. One of the primary targets identified by researchers is WhatsApp.
As the report explains:
“We recovered a payload designed to execute when WhatsApp launches, gather all necessary data to clone the session, and send it to the attacker’s infrastructure”.
What truly sets Operation NoVoice apart is its resilience. The malware is designed to survive a factory reset, which makes it nearly impossible for an average user to remove: a factory reset wipes user data but leaves the system partition in place, and NoVoice persists by replacing critical system libraries on that partition and hooking core functions so that attacker code runs every time any app is launched.
The engineering behind the campaign is described as a “self-healing pipeline”. The researchers noted:
“What makes NoVoice dangerous is not any single technique. It is the engineering effort behind the full chain: a self-healing pipeline that goes from a Play Store install to code execution inside every app on the device… and monitors its own installation”.
Devices whose security patch level is May 2021 or later are protected against the specific root exploits recovered so far, but older or unsupported devices remain highly vulnerable. Even patched devices are not entirely safe: the dropper apps could still expose them to "unknown potential payloads" delivered through the same channel.
The investigation into Operation NoVoice reveals more than just a piece of malware; it reveals a professional criminal infrastructure. The command-and-control (C2) servers remain active, and the framework is built to accept any number of new tasks at any time.
Users are urged to check their device's security patch level (shown under Settings > About phone on most devices) and to be wary of simple utility apps such as cleaners and gallery tools that request permissions unrelated to their function.
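As an added illustration of the two points above, the device-profiling step and the May 2021 patch threshold, the following script is not from McAfee's report or the NoVoice code; it reads the same standard Android build properties a profiling stage could read, and checks the device's security patch level against the threshold the article quotes. It assumes adb is installed and the phone is authorised for USB debugging; the property list and the threshold constant are this example's own choices.

```shell
#!/bin/sh
# Added example (not McAfee's code): profile an Android device the way a
# dropper's profiling stage could, and test its security patch level against
# the May 2021 threshold quoted in the article. Assumes adb is on PATH and a
# device is connected; the threshold date below is taken from the article.

THRESHOLD="2021-05-01"   # first patch level said to close the known root exploits

# Normalise a YYYY-MM-DD patch level to YYYYMMDD for numeric comparison.
# Prints nothing and returns 1 if the string is not a well-formed date.
patch_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s\n' "$1" | sed 's/-//g' ;;
        *) return 1 ;;
    esac
}

# Returns 0 if the patch level is at or after THRESHOLD, 1 if it is older.
# An empty or unparseable value is treated as unpatched: a missing or mangled
# ro.build.version.security_patch is itself suspicious on a tampered build.
is_patched() {
    p=$(patch_to_int "$1") || return 1
    t=$(patch_to_int "$THRESHOLD") || return 1
    [ "$p" -ge "$t" ]
}

# Standard build properties a profiling stage could read to pick a matching
# exploit (this list is the example's assumption, not the report's).
# The last two are verified-boot state, useful when checking for a modified
# system partition such as the replaced libraries described above.
PROFILE_PROPS="ro.product.manufacturer ro.product.model ro.build.fingerprint
ro.build.version.release ro.build.version.sdk ro.build.version.security_patch
ro.boot.verifiedbootstate ro.boot.veritymode"

# Read one property from the connected device, stripping adb's trailing CR.
getprop_clean() {
    adb shell getprop "$1" | tr -d '\r'
}

# Dump the profile and the patch verdict. Only runs when invoked with --device
# so the helper functions can be sourced or tested without a phone attached.
device_report() {
    for prop in $PROFILE_PROPS; do
        printf '%-36s %s\n' "$prop" "$(getprop_clean "$prop")"
    done
    level=$(getprop_clean ro.build.version.security_patch)
    if is_patched "$level"; then
        echo "patch level $level: at or after $THRESHOLD (known NoVoice exploits should fail)"
    else
        echo "patch level $level: OLDER than $THRESHOLD (exposed to the known root exploits)"
    fi
}

if [ "${1:-}" = "--device" ]; then
    device_report
fi
```

Run it as `sh novoice-check.sh --device` with the phone attached. Treat the verdict as one signal only: the article notes that a patched device can still receive other payloads from the same dropper, and a device on which system libraries have already been replaced is no longer a trustworthy source for its own properties, so a clean-looking report from a compromised phone proves little.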