If you have downloaded a phone cleaner, a puzzle game or a photo utility from the Google Play Store in recent months, there is a chance your device may have been hacked. Researchers from Cybersecurity company McAfee has claimed that it uncovered a sophisticated Android malware campaign that had been hiding inside more than 50 apps available on Google Play.
Together, those apps – which have now been removed from the Android app store – were downloaded more than 2.3 million times before being removed from the platform, it said.
How the attack worked
Called Operation NoVoice, the campaign involves apps that look and behave completely normally but security experts classify this as a rootkit attack which is one of the most dangerous and difficult-to-detect forms of malware. A rootkit is designed to burrow deep into a device’s operating system, granting attackers administrator-level control while hiding all traces of its presence from the user and the phone’s standard security tools.
When a user downloaded one of the affected apps, it appeared to function exactly as advertised like cleaning junk files, running games and/or managing photos. There were no warning signs. Behind the scenes, however, the app was quietly contacting a remote server controlled by the attackers, sending back details about the device including its hardware, operating system version and security patch level.Based on that information, the attackers sent back custom exploit code tailored specifically to that particular device.
If the exploit succeeded, the malware gained root-level access, which is the maximum level of control possible on an Android device. From there, it modified a core Android system library that every app on the phone relies on. The result: attacker-controlled code could run silently inside any app the user opened.While most malware can be removed by performing a factory reset, Operation NoVoice was designed to survive one.
Fully removing it, McAfee warns, may require reinstalling the device’s firmware.
Who is at risk
According to McAfee, the threat is most severe for users running older or unpatched versions of Android. Newer devices with current security patches are protected from the specific root exploit used here, though McAfee notes they are not entirely in the clear.The broader risk applies to anyone who downloaded one of the affected apps during the period they were available on Google Play.
How to protect yourself
- Check what is on your phone. If there are apps you do not remember installing, review them carefully and remove anything unfamiliar.
- Keep your phone updated.
- Be sceptical of new apps, even on official stores.
