Operation NoVoice Malware Infects 2.3M Android Devices

Cybersecurity researchers at McAfee have uncovered a large-scale Android malware campaign dubbed “Operation NoVoice,” which infected millions of devices through seemingly harmless apps on the Google Play Store. The campaign involved over 50 applications, including phone cleaners, casual games, and photo gallery tools, which collectively amassed more than 2.3 million downloads before being removed. Despite appearing legitimate, these apps secretly carried a powerful rootkit capable of gaining deep control over infected smartphones.

According to researchers, the malware activates immediately after the app is opened, without requiring any special permissions or user interaction. It uses a highly stealthy technique by hiding malicious code inside normal image files, allowing it to bypass standard security checks. Once inside the system, the rootkit modifies core Android libraries and installs a persistent watchdog mechanism that ensures it remains active, even if users attempt to remove it. Experts warn that a standard factory reset is not enough to eliminate the infection.

The threat becomes more severe as the malware injects malicious code into every app on the device after a reboot. Investigators identified a targeted attack on WhatsApp, where the malware extracts sensitive data, including encrypted databases, security keys, and user session information. This allows attackers to clone accounts, monitor private conversations, and impersonate victims to carry out further scams.