A new Android malware named NoVoice was discovered on Google Play, hidden in more than 50 apps that had been downloaded at least 2.3 million times.
The apps carrying the malicious payload included cleaners, photo galleries, and games. They required no suspicious permissions and provided the promised functionality.
After launching an infected app, the malware attempted to gain root access on the device by exploiting old Android vulnerabilities that received patches between 2016 and 2021.
Researchers at cybersecurity firm McAfee discovered the NoVoice operation but couldn't link it to a specific threat actor. However, they highlighted that the malware shared similarities with the Triada Android trojan.

Source: McAfee
NoVoice infection chain
According to McAfee researchers, the threat actor hid malicious components in the com.fb.utils package, mixing them with the legitimate Facebook SDK classes.
An encrypted payload (enc.apk) hidden inside a PNG image file using steganography is extracted (h.apk) and loaded in system memory while wiping all intermediate files to eliminate traces.
McAfee notes that the threat actor avoids infecting devices in certain regions, like Beijing and Shenzhen in China, and implemented 15 checks for emulators, debuggers, and VPNs. If location permissions are not available, the malware continues the infection chain.

Source: McAfee
The malware then contacts the command-and-control (C2) server and collects device information such as hardware details, kernel version, Android version (and patch level), installed apps, and root status, to determine the exploit strategy.
Next, the malware polls the C2 every 60 seconds and downloads various components for device-specific exploits designed to root the victim system.
The researchers created a map of the infection chain from the delivery stage to the injection phase.

Source: McAfee
McAfee says it observed 22 exploits, including use-after-free kernel bugs and Mali GPU driver flaws. These exploits give the operators a root shell and allow them to disable SELinux enforcement on the device, effectively dropping its fundamental security protections.
After rooting the device, key system libraries such as libandroid_runtime.so and libmedia_jni.so are replaced with hooked wrappers that intercept system calls and redirect execution to attack code.
The rootkit establishes multiple layers of persistence, including installing recovery scripts, replacing the system crash handler with a rootkit loader, and storing fallback payloads on the system partition.
Because that part of the device's storage isn't wiped during a factory reset, the malware will persist even after an aggressive cleanup.
A watchdog daemon runs every 60 seconds to check the rootkit's integrity and automatically reinstalls missing components. If checks fail, it forces the device to reboot, causing the rootkit to reload.
WhatsApp data theft
During the post-exploitation phase, attacker-controlled code is injected into every app launched on the device. Two main components are deployed: one that allows silent installation or removal of apps, and another that operates inside any app with internet access.
The latter serves as a primary data theft mechanism, and McAfee observed that it primarily targeted the WhatsApp messaging app.
When WhatsApp is launched on an infected device, the malware extracts sensitive data required to replicate the victim's session, including encryption databases, the Signal protocol keys, and account identifiers such as phone number and Google Drive backup details.
This information is then exfiltrated to the C2, allowing the attackers to clone the victim's WhatsApp session on their own device.

Source: McAfee
The researchers noted that although they recovered only a WhatsApp-focused payload, NoVoice's modular design makes it technically possible to have used other payloads targeting any application on the device.
The malicious Android applications carrying NoVoice payloads were removed from Google Play after McAfee, a member of the App Defense Alliance, reported them to Google.
However, users who have installed them previously should consider their devices and data compromised.
As NoVoice targets flaws fixed up to May 2021, upgrading to a device running a later security patch effectively mitigates this threat in its current form.
It is recommended that Android users upgrade to actively supported models and only install apps from trusted, well-known publishers, even on Google Play.
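The two device-side conditions the report ties to NoVoice, a security patch level inside the exploit window (fixes up to May 2021) and SELinux no longer enforcing, can be checked from standard `getprop` and `getenforce` output. The triage helper below is an added example, not McAfee's code or a NoVoice detection signature; the device property dump it parses is constructed, and the May 2021 cutoff is taken from the report.

```python
import re
from datetime import date

# From the report: NoVoice's exploits target flaws fixed up to May 2021.
# Patch levels after this date are treated as outside the exploit window.
PATCH_CUTOFF = date(2021, 5, 31)

# Constructed sample output of `adb shell getprop` and `adb shell getenforce`
# for a hypothetical device; not data from a real infection.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [10]
[ro.build.version.security_patch]: [2020-11-01]
[ro.product.model]: [ExampleModel]
"""
SAMPLE_GETENFORCE = "Permissive\n"

# getprop prints one `[key]: [value]` pair per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text: str) -> dict:
    """Parse getprop output into a dict; malformed lines are skipped."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def parse_patch_level(value: str):
    """Return the patch level as a date, or None if missing or malformed."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def triage(getprop_text: str, getenforce_text: str) -> dict:
    """Flag a patch level inside the exploit window and non-enforcing SELinux."""
    props = parse_getprop(getprop_text)
    patch = parse_patch_level(props.get("ro.build.version.security_patch", ""))
    enforcing = getenforce_text.strip() == "Enforcing"
    findings = []
    if patch is None:
        findings.append("security patch level missing or unreadable; treat as unpatched")
    elif patch <= PATCH_CUTOFF:
        findings.append(f"patch level {patch} is within the May 2021 exploit window")
    if not enforcing:
        findings.append("SELinux is not enforcing; the report says the rootkit disables it")
    return {"patch_level": patch, "selinux_enforcing": enforcing, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_GETPROP, SAMPLE_GETENFORCE)["findings"]:
        print("finding:", finding)
```

A permissive SELinux state alone is not proof of compromise (some custom ROMs ship that way), so treat the findings as triage prompts rather than verdicts.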
