Over 2 Million Phones Hit by Hidden Android Malware

Sophia Taylor

A large-scale Android malware campaign known as NoVoice has been uncovered, after spreading through more than 50 apps on the Google Play Store.

Disguised as everyday tools like cleaners, games, and photo apps, these downloads reached over 2.3 million installs before being removed.

The apps appeared legitimate and worked as expected, making them difficult to detect. They didn’t request unusual permissions, so most users had no reason to suspect anything was wrong after installing and using them.

Fig 1. One of the Google Play apps infected with the malware. (Source: McAfee)

How the malware takes control

Once opened, an infected app quietly gathers information about the device, including its Android version and security patch level. It then contacts a remote server to receive tailored instructions designed to exploit known weaknesses on that specific device.

The malware primarily targets older Android vulnerabilities, some dating from 2016 to 2021. If successful, it gains “root” access, the highest level of control possible. This allows attackers to bypass built-in protections and take over core parts of the system.

After gaining control, the malware can interfere with how apps run on the device. It effectively inserts its own code into apps as they are opened, meaning sensitive data from messaging, social media, or financial apps could be exposed without any visible warning.

Persistent and hard to remove

One of the most concerning aspects of NoVoice is its ability to remain on a device even after a factory reset. By modifying deeper system components that resets don’t normally touch, the malware can continue operating in the background.

It also includes self-repair features. If parts of the malware are removed or disrupted, it can reinstall itself automatically. In some cases, fully removing the infection may require reinstalling the phone’s operating system, something most users won’t be able to do.

Researchers also observed that the malware specifically targeted messaging apps like WhatsApp, extracting key data that could allow attackers to copy a user’s account onto another device.

Who is at risk

The biggest risk is to users with older or unpatched Android devices. Phones that haven’t received security updates since May 2021 are particularly vulnerable, as the malware relies on flaws that have already been fixed in newer versions.

Modern devices with up-to-date security patches are largely protected from the most dangerous parts of this attack. However, even newer phones could still be exposed to some malicious activity if the apps were installed.
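For anyone looking after several Android devices, the patch-level criterion above can be checked in bulk. The following is an added example, not code from the article or from McAfee: it reads a constructed inventory of security patch levels (the value Android reports in `ro.build.version.security_patch`) and flags devices older than an assumed cutoff of 2021-05-01, which is one reading of "since May 2021"; the CSV columns and function names are hypothetical.

```python
import csv
import io
from datetime import date

# Assumption: the article's "since May 2021" is read as a patch level older
# than 2021-05-01. Change CUTOFF if you read the criterion differently.
CUTOFF = date(2021, 5, 1)

# Constructed sample inventory (for instance an MDM export, or values collected
# with `adb shell getprop ro.build.version.security_patch`). Not real devices.
SAMPLE_INVENTORY = """device_id,android_version,security_patch
tablet-01,8.1.0,2019-11-05
phone-02,13,2024-03-01
phone-03,10,2021-05-01
kiosk-04,5.1,
phone-05,9,2020-13-40
"""

def classify(patch_level, cutoff=CUTOFF):
    """Return 'at-risk', 'patched' or 'unknown' for one patch-level string."""
    try:
        patched_on = date.fromisoformat(patch_level.strip())
    except ValueError:
        # Empty or malformed value: very old Android releases may not report a
        # patch level at all, so these devices need a manual check.
        return "unknown"
    return "at-risk" if patched_on < cutoff else "patched"

def triage(inventory_csv, cutoff=CUTOFF):
    """Group device ids by status; at-risk devices come oldest patch first."""
    groups = {"at-risk": [], "patched": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        patch = row.get("security_patch") or ""
        groups[classify(patch, cutoff)].append((patch, row["device_id"]))
    groups["at-risk"].sort()  # ISO dates sort chronologically as strings
    return {status: [dev for _, dev in items] for status, items in groups.items()}

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status:8} {', '.join(devices) or '-'}")
```

Devices reported as `unknown` should be treated as unverified rather than safe, since a missing patch level usually means an old or non-standard build.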

What you should do now

Google has removed the infected apps from the Play Store, but anyone who installed them may still be at risk. If you recognize suspicious apps on your device, remove them immediately and monitor for unusual behaviour.

Keeping your device updated is the most effective defense. Regular security updates close the vulnerabilities this type of malware depends on. If your phone no longer receives updates, it may be time to consider replacing it.

Finally, take extra care when downloading apps. Check reviews, developer details, and download numbers before installing. Even trusted platforms can occasionally host harmful apps, so a quick check can make a big difference.