NoVoice on Google Play Exploits 22 Flaws to Hit Millions of Android Users
A sophisticated Android rootkit campaign named Operation NoVoice infiltrated over 50 applications on Google Play, exploiting 22 known vulnerabilities to compromise millions of older, unpatched Android devices. The malware also enabled the hijacking of WhatsApp sessions.
Masquerading as legitimate utilities like cleaners, casual games, and gallery tools, these trojanized apps behaved normally initially. This stealth, combined with the bundling of common SDKs, helped them evade detection for over 2.3 million downloads before removal.
The malware leveraged patched Android vulnerabilities dating from 2016 to 2021 to achieve root access on vulnerable devices.
Research by McAfee’s mobile team revealed the extensive Operation NoVoice rootkit campaign, entirely delivered through apps once available on Google Play.
Devices with Android security updates from May 2021 onwards are immune to the specific exploits used, though exposure to other payloads remains possible. The highest risk lies with older, unsupported Android 7 devices or below, as the rootkit can survive factory resets on them.
Stealthy Delivery Through Google Play
The attack begins when a user installs one of the infected apps from Google Play and opens it for the first time.
While appearing functional, the app covertly triggers hidden code linked to the legitimate Facebook SDK initialization path.
These carrier apps requested no unusual permissions and bundled common SDKs like Firebase, Google Analytics, Facebook SDK, and AndroidX, enhancing their legitimacy.

The initial malicious payload is embedded as a polyglot PNG image in the app’s assets. This image appears normal, but contains an encrypted APK appended after the PNG’s IEND marker.
When executed, hidden code extracts and decrypts this payload in memory, loads it as a secondary APK, and cleans up files to minimize forensic evidence.
Upon activation, NoVoice employs a complex, staged chain prioritizing evasion and modularity. A native gatekeeper library checks the app’s environment: it scans for emulators, debuggers, VPNs, proxies, rooting hooks, and enforces geofencing (avoiding regions like Beijing and Shenzhen). Only if all 15 checks pass does the malware contact its C2 server.
If checks succeed, the app extracts another polyglot image, extracting the encrypted payload (enc.apk), which is then decrypted to form h.apk.

The framework polls the C2 server every 60 seconds, downloading additional plugins disguised as images. These files also conceal encrypted payloads after normal image content. The C2 profiles devices deeply, collecting hardware, kernel, installed packages, and security patch dates, then sends tailored root exploits.
After a chosen exploit succeeds, attackers gain a root shell with SELinux disabled and install the core rootkit, CsKaitno.d, into the system partition.
CsKaitno.d replaces critical system libraries (libandroid_runtime.so, libmedia_jni.so) with malicious wrappers. These hooks inject attacker-controlled code into every app process upon launch.
WhatsApp Session Theft
Once system hooks are active, every app runs with injected code. McAfee recovered 22 exploit binaries, including chains exploiting IPv6 use-after-free flaws and Mali GPU driver vulnerabilities to gain kernel access and disable SELinux.
One payload allows silent control over app installations/removals. Another, named PtfLibc, specifically targets WhatsApp. When WhatsApp launches, PtfLibc copies encrypted databases, extracts Signal protocol identity keys, registration IDs, recent signed prekeys, and metadata like phone number, country code, and backup accounts. This data is exfiltrated via layered encryption to mimic legitimate Google traffic, enabling session cloning.
The infrastructure is segmented across multiple domains (device enrollment, plugin delivery, exploit hosting, task distribution), using cloud services like Alibaba Cloud OSS and Amazon S3-accelerated endpoints. This separation allows domain rotation and recovery if C2s fail.
McAfee noted technical similarities between NoVoice and the Android Triada family, including the same device-marking property and libandroid_runtime.so replacement strategy.
McAfee responsibly disclosed the campaign to Google, leading to the removal of the identified apps and bans on the associated developer accounts.
As a member of the App Defense Alliance, McAfee emphasizes the vulnerability of official app stores to advanced rootkits. McAfee Mobile Security now detects this as high-risk Android/NoVoice malware.