NoVoice Android rootkit hid inside 50+ Google Play apps - 2.3 million downloads, survives factory reset

McAfee uncovered a rootkit campaign called Operation NoVoice that distributed malware through more than 50 legitimate-looking apps on Google Play - cleaners, games, and gallery tools - downloaded at least 2.3 million times. Once opened, the apps silently profile the device and download root exploits targeting Android vulnerabilities patched between 2016 and 2021. After rooting, the malware replaces core system libraries so every app the user opens runs attacker code. It survives factory resets on older devices because the payload lives on the system partition.

Check

Check your Android fleet for devices running security patch levels older than May 2021, and audit for any of the removed apps.

Affected

Android devices with security patch level before 2021-05-01. The rootkit primarily targets older or unpatched devices, though patched devices that installed the apps may have been exposed to other payloads.

Fix

Update Android devices to security patch level 2021-05-01 or later. Devices confirmed infected on Android 7 or older require a full firmware reflash - factory reset will not remove the rootkit. Remove any apps matching the McAfee IOC list. Consider MDM policies that block app installs from unknown or low-reputation publishers.