Key Takeaway
NoVoice is a newly discovered Android malware exploiting known privilege escalation vulnerabilities to gain root access. Distributed through over 50 malicious apps on Google Play with 2.3 million downloads, it collects user data and communicates with encrypted C2 servers. Detection requires monitoring root-level activity and network anomalies, while removal demands a factory reset and patching affected devices.
The NoVoice malware family targets Android devices by exploiting publicly known vulnerabilities to escalate privileges and gain root access. Distributed through over 50 malicious applications on the Google Play Store, these apps have collectively surpassed 2.3 million downloads, posing a widespread threat to Android users.
NoVoice leverages vulnerabilities such as CVE-2021-1048 and CVE-2020-0041, which affect Android's system components and allow privilege escalation. By exploiting these flaws, NoVoice bypasses Android's security model to obtain root-level control, enabling extensive system manipulation.
Once installed, NoVoice establishes persistence by embedding itself into system processes and modifying startup scripts so that it continues to run after a device reboot. The malware implements data exfiltration capabilities, collecting sensitive user information including contact lists, SMS messages, call logs, and device identifiers. NoVoice communicates with command and control (C2) servers over encrypted channels, receiving instructions for further payload delivery and remote commands.
The malware's delivery mechanism relies heavily on social engineering, posing as legitimate utility or media applications to evade initial detection by users and automated security controls. The affected apps were found in multiple categories, including photo editors and system optimization tools.
Google has removed identified NoVoice-infected applications from the Play Store following coordinated vulnerability disclosures and threat intelligence sharing between Google Threat Analysis Group (TAG) and cybersecurity vendors such as Kaspersky and Trend Micro.
Affected platforms include Android versions 8.0 (Oreo) through 11 (R). Devices running these versions without timely security patches remain vulnerable to the exploit chains used by NoVoice.
Detection signatures for NoVoice include heuristic analysis of root-level process injections, network traffic anomalies targeting known C2 domains, and file system modifications of critical Android directories. Endpoint detection and response (EDR) solutions from vendors like CrowdStrike and SentinelOne have released specific detection modules for NoVoice indicators of compromise (IOCs).
Removal guidance involves performing a full device factory reset after backing up essential data, as standard uninstallation methods do not fully eliminate root-level implants. Updating the device to the latest security patches released by OEMs is critical to prevent reinfection. Security teams should monitor network traffic for unusual encrypted communications originating from mobile devices and scan for the presence of known NoVoice file hashes.
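As an added illustration of the three detection signals described above (unexpected root-level processes, traffic to known C2 hosts, and writes to critical Android directories) together with the hash scan mentioned in the removal guidance, the following Python script applies those checks to constructed Android telemetry. This is example code written for this page, not a vendor detection module or anything published in the advisory. The root-process baseline, the app package name, the process name `.sysd`, the C2 hostnames, the file paths and the IOC hash are all placeholders or constructed values that a team would replace with its own clean-device baseline and vendor-supplied indicators.

```python
import hashlib
from collections import namedtuple

# Root-owned processes that are normal on a stock Android device. Assumption:
# a baseline built from a known-clean device of the same model, not a vendor list.
ROOT_BASELINE = {"init", "ueventd", "zygote", "zygote64", "vold", "kthreadd"}

# Paths the advisory calls "critical Android directories". These are read-only
# on a patched device, so post-boot writes here are suspicious.
CRITICAL_DIRS = ("/system/", "/vendor/", "/init.rc")

# Placeholder C2 indicators; real values come from vendor IOC feeds.
C2_DOMAINS = {"c2.example.invalid", "update-cdn.example.invalid"}

Proc = namedtuple("Proc", "user pid ppid name")


def parse_ps(lines):
    """Parse `ps -A -o USER,PID,PPID,NAME`-style output (constructed here)."""
    procs = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[0] == "USER":
            continue  # skip header and malformed lines
        user, pid, ppid, name = parts
        procs.append(Proc(user, int(pid), int(ppid), name))
    return procs


def suspicious_root_procs(procs):
    """Root processes outside the baseline, or root children of an app process.

    Android app processes run as u0_aNNN, so a root-owned child of one of them
    is a strong sign of a privilege-escalation exploit having run in-process.
    """
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if p.user != "root":
            continue
        parent = by_pid.get(p.ppid)
        parent_is_app = parent is not None and parent.user.startswith("u0_a")
        if p.name not in ROOT_BASELINE or parent_is_app:
            hits.append(p)
    return hits


def c2_connections(conn_lines):
    """Flag flows to known C2 hosts; line format 'uid dst_host:port bytes' (constructed)."""
    hits = []
    for line in conn_lines:
        uid, dst, _bytes = line.split()
        host = dst.rsplit(":", 1)[0]
        if host in C2_DOMAINS:
            hits.append((uid, dst))
    return hits


def critical_writes(file_events):
    """Flag modifications under read-only system paths; events are (path, op)."""
    return [(path, op) for path, op in file_events
            if op in ("MODIFY", "CREATE") and path.startswith(CRITICAL_DIRS)]


def hash_matches(files, ioc_hashes):
    """Return paths whose SHA-256 is in the IOC set; files is {path: bytes}."""
    return [p for p, data in files.items()
            if hashlib.sha256(data).hexdigest() in ioc_hashes]


# Constructed sample telemetry: one injected root process under a fake photo
# editor, one flow to a placeholder C2 host, one new init script in /system.
SAMPLE_PS = [
    "USER PID PPID NAME",
    "root 1 0 init",
    "root 512 1 zygote64",
    "u0_a142 2310 512 com.example.photoeditor",  # constructed app package
    "root 2377 2310 .sysd",                       # root child of an app process
    "root 890 1 vold",
]
SAMPLE_CONN = [
    "10142 c2.example.invalid:443 18342",
    "10142 play.googleapis.com:443 2201",
]
SAMPLE_FILES = [
    ("/system/etc/init/sysd.rc", "CREATE"),
    ("/data/data/com.example.photoeditor/cache/x", "MODIFY"),
]
SAMPLE_IMPLANT = b"constructed stand-in for an implant binary"
# Stands in for a vendor-published hash; never derive real IOCs this way.
IOC_HASHES = {hashlib.sha256(SAMPLE_IMPLANT).hexdigest()}


def triage():
    """Run all four checks over the constructed telemetry and return findings."""
    return {
        "root_procs": [p.name for p in suspicious_root_procs(parse_ps(SAMPLE_PS))],
        "c2": c2_connections(SAMPLE_CONN),
        "writes": critical_writes(SAMPLE_FILES),
        "hashes": hash_matches({"/system/bin/.sysd": SAMPLE_IMPLANT,
                                "/system/bin/sh": b"benign"}, IOC_HASHES),
    }


if __name__ == "__main__":
    for signal, findings in triage().items():
        print(signal, findings)
```

The process check is deliberately two-sided: a root process that is not in the baseline is one signal, and a root process whose parent is an app UID is another, so an implant that picks a plausible system name is still caught by its parentage. The same functions can be fed real `ps`, netstat or file-integrity output once the baseline and IOC sets are replaced with genuine values.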
References:
- CVE-2021-1048: Android system privilege escalation vulnerability
- CVE-2020-0041: Android kernel privilege escalation vulnerability
- Google Threat Analysis Group advisories
- Vendor detection signatures from Kaspersky, Trend Micro, CrowdStrike
SOC analysts and mobile security teams must prioritize scanning for NoVoice indicators across enterprise Android devices and enforce patch management policies to mitigate ongoing risks.
Original Source: BleepingComputer