{"id":227149,"date":"2026-03-31T02:30:23","date_gmt":"2026-03-31T09:30:23","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=227149"},"modified":"2026-03-30T12:21:14","modified_gmt":"2026-03-30T19:21:14","slug":"new-research-operation-novoice-rootkit-malware-android","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/","title":{"rendered":"Operation NoVoice: Rootkit Tells No Tales"},"content":{"rendered":"<p style=\"text-align: center;\"><em><span class=\"TextRun SCXW165166108 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW165166108 BCX0\">Authored By: Ahmad Zubair Zahid<\/span><\/span><span class=\"EOP SCXW165166108 BCX0\" data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:240}\">\u00a0<\/span><\/em><\/p>\n<p><span data-contrast=\"auto\">McAfee\u2019s mobile research team\u00a0identified\u00a0and investigated an Android rootkit campaign tracked as Operation\u00a0Novoice. The malware described in this blog relies on vulnerabilities Android made patches available for in 2016 \u2013 2021. All Android devices with a security patch level of 2021-05-01 or higher are not susceptible to the exploits that we were able to obtain from the command-and-control server.\u00a0However,\u00a0patched devices that downloaded these apps could have been exposed to unknown potential payloads outside of what we discovered. The attack begins with apps that were previously available on Google Play that\u00a0appear to be\u00a0simple tools such as cleaners, games, or gallery utilities. 
When a user downloaded and opened one of these apps, it appeared\u00a0to behave\u00a0as advertised, giving no obvious signs of malicious activity.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">In the background, however, the app contacts a remote server, profiles the device, and\u00a0downloads root\u00a0exploits tailored to that device\u2019s specific hardware and software. If the exploits\u00a0succeed, the malware gains full control of the device. From that moment onward, every app that the user opens\u00a0is\u00a0injected with attacker\u2011controlled code.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">This allows the operators to access any\u00a0app\u00a0data and exfiltrate it to their servers. One of the targeted apps is WhatsApp. We\u00a0recovered a payload designed to execute when WhatsApp launches, gather all necessary data to clone the session, and send it to the attacker\u2019s infrastructure.\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">On older, unsupported devices (Android 7 and lower) that no longer receive Android security updates as of September\u00a02021, this\u00a0rootkit is highly persistent; a standard factory reset will not remove it, and only\u00a0reflashing\u00a0the device with a clean firmware will fully restore the device.\u00a0\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">In total, we\u00a0identified\u00a0more than 50 of these malicious apps on Google Play, with at least 2.3 million downloads.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<p><i><span 
data-contrast=\"auto\">McAfee\u00a0identified\u00a0the malicious apps, conducted the technical analysis, and reported its findings to Google through responsible disclosure channels. Following McAfee\u2019s report, Google removed the identified apps from Google Play and banned the associated developer accounts. McAfee is a member of the App Defense Alliance, which supports collaboration across the mobile ecosystem to improve user protection. McAfee\u00a0Mobile Security detects this malware as a\u00a0High-Risk\u00a0Threat. For more information, and to get fully protected, visit\u00a0<\/span><\/i><a href=\"https:\/\/www.mcafee.com\/en-us\/antivirus\/mobile.html?path=blogs\"><i><span data-contrast=\"none\">McAfee Mobile Security<\/span><\/i><\/a><i><span data-contrast=\"auto\">.\u00a0<\/span><\/i><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<h2><span data-contrast=\"none\">Background<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\"> And Key Findings<\/span><\/h2>\n<p><span data-contrast=\"auto\">Android malware has been moving toward modular frameworks that update themselves remotely and adapt to each device. 
Campaigns like\u00a0<\/span><a href=\"https:\/\/www.kaspersky.com\/blog\/triada-trojan\/11481\/\"><span data-contrast=\"none\">Triada\u00a0<\/span><\/a><span data-contrast=\"auto\">and\u00a0<\/span><a href=\"https:\/\/www.kaspersky.com\/about\/press-releases\/kaspersky-discovers-keenadu-a-multifaceted-android-malware-that-can-come-preinstalled-on-new-devices\"><span data-contrast=\"none\">Keenadu\u00a0<\/span><\/a><span data-contrast=\"auto\">have shown that replacing system libraries gives attackers persistence to survive factory resets.\u00a0<\/span><a href=\"https:\/\/www.humansecurity.com\/learn\/blog\/badbox-peachpit-and-the-fraudulent-device-in-your-delivery-box\/\"><span data-contrast=\"none\">BADBOX\u00a0<\/span><\/a><span data-contrast=\"auto\">has shown that backdoors pre-installed through the supply chain can reach millions of devices. Recent research has confirmed links between several of these families, suggesting shared tooling rather than isolated efforts.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">NoVoice\u00a0fits both trends but does not rely on supply chain access. It reaches devices through Google Play and achieves the same level of persistence through exploitation.\u00a0McAfee\u2019s investigation revealed the following key findings:<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<ul>\n<li><span data-contrast=\"none\">All carrier apps were distributed through Google Play. 
No sideloading\u00a0required, no user interaction beyond opening the app.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"none\">C2 infrastructure\u00a0remains\u00a0active at the time of publication.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0,&quot;335572071&quot;:0,&quot;335572072&quot;:0,&quot;335572073&quot;:4278190080,&quot;335572075&quot;:0,&quot;335572076&quot;:0,&quot;335572077&quot;:4278190080,&quot;335572079&quot;:0,&quot;335572080&quot;:0,&quot;335572081&quot;:4278190080,&quot;335572083&quot;:0,&quot;335572084&quot;:0,&quot;335572085&quot;:4278190080,&quot;335572087&quot;:0,&quot;335572088&quot;:0,&quot;335572089&quot;:4278190080,&quot;469789798&quot;:&quot;nil&quot;,&quot;469789802&quot;:&quot;nil&quot;,&quot;469789806&quot;:&quot;nil&quot;,&quot;469789810&quot;:&quot;nil&quot;,&quot;469789814&quot;:&quot;nil&quot;}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"none\">The C2 server profiles each device and delivers root exploits matched to its hardware and software version.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0,&quot;335572071&quot;:0,&quot;335572072&quot;:0,&quot;335572073&quot;:4278190080,&quot;335572075&quot;:0,&quot;335572076&quot;:0,&quot;335572077&quot;:4278190080,&quot;335572079&quot;:0,&quot;335572080&quot;:0,&quot;335572081&quot;:4278190080,&quot;335572083&quot;:0,&quot;335572084&quot;:0,&quot;335572085&quot;:4278190080,&quot;335572087&quot;:0,&quot;335572088&quot;:0,&quot;335572089&quot;:4278190080,&quot;469789798&quot;:&quot;nil&quot;,&quot;469789802&quot;:&quot;nil&quot;,&quot;469789806&quot;:&quot;nil&quot;,&quot;469789810&quot;:&quot;nil&quot;,&quot;469789814&quot;:&quot;nil&quot;}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"none\">The rootkit overwrites a core system library, causing every app on the device to run attacker code at launch.<\/span><span 
data-ccp-props=\"{&quot;335559739&quot;:0,&quot;335572071&quot;:0,&quot;335572072&quot;:0,&quot;335572073&quot;:4278190080,&quot;335572075&quot;:0,&quot;335572076&quot;:0,&quot;335572077&quot;:4278190080,&quot;335572079&quot;:0,&quot;335572080&quot;:0,&quot;335572081&quot;:4278190080,&quot;335572083&quot;:0,&quot;335572084&quot;:0,&quot;335572085&quot;:4278190080,&quot;335572087&quot;:0,&quot;335572088&quot;:0,&quot;335572089&quot;:4278190080,&quot;469789798&quot;:&quot;nil&quot;,&quot;469789802&quot;:&quot;nil&quot;,&quot;469789806&quot;:&quot;nil&quot;,&quot;469789810&quot;:&quot;nil&quot;,&quot;469789814&quot;:&quot;nil&quot;}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"none\">The infection survives factory reset and can only be removed by\u00a0reflashing\u00a0the firmware.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0,&quot;335572071&quot;:0,&quot;335572072&quot;:0,&quot;335572073&quot;:4278190080,&quot;335572075&quot;:0,&quot;335572076&quot;:0,&quot;335572077&quot;:4278190080,&quot;335572079&quot;:0,&quot;335572080&quot;:0,&quot;335572081&quot;:4278190080,&quot;335572083&quot;:0,&quot;335572084&quot;:0,&quot;335572085&quot;:4278190080,&quot;335572087&quot;:0,&quot;335572088&quot;:0,&quot;335572089&quot;:4278190080,&quot;469789798&quot;:&quot;nil&quot;,&quot;469789802&quot;:&quot;nil&quot;,&quot;469789806&quot;:&quot;nil&quot;,&quot;469789810&quot;:&quot;nil&quot;,&quot;469789814&quot;:&quot;nil&quot;}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"none\">The chain is fully plugin-based. 
Operators can push any payload to any app on the device at runtime.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0,&quot;335572071&quot;:0,&quot;335572072&quot;:0,&quot;335572073&quot;:4278190080,&quot;335572075&quot;:0,&quot;335572076&quot;:0,&quot;335572077&quot;:4278190080,&quot;335572079&quot;:0,&quot;335572080&quot;:0,&quot;335572081&quot;:4278190080,&quot;335572083&quot;:0,&quot;335572084&quot;:0,&quot;335572085&quot;:4278190080,&quot;335572087&quot;:0,&quot;335572088&quot;:0,&quot;335572089&quot;:4278190080,&quot;469789798&quot;:&quot;nil&quot;,&quot;469789802&quot;:&quot;nil&quot;,&quot;469789806&quot;:&quot;nil&quot;,&quot;469789810&quot;:&quot;nil&quot;,&quot;469789814&quot;:&quot;nil&quot;}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"none\">The only task we recovered clones WhatsApp sessions, but the framework is designed to accept any\u00a0objective.<\/span><\/li>\n<\/ul>\n<h2><span data-contrast=\"none\">Naming\u00a0<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span class=\"TextRun SCXW13327102 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW13327102 BCX0\">The name comes from\u00a0<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW13327102 BCX0\">R.raw.<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW13327102 BCX0\">nov<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW13327102 BCX0\">i<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW13327102 BCX0\">oce<\/span><span class=\"NormalTextRun SCXW13327102 BCX0\">, a silent audio resource embedded in one of the later-stage payloads. It plays at zero volume to keep a foreground service alive, abusing Android&#8217;s media playback exemption. 
We believe it is a deliberate misspelling of &#8220;no voice.&#8221;<\/span><\/span><span class=\"EOP Selected SCXW13327102 BCX0\" data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Distribution Method<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span class=\"TextRun SCXW20002436 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW20002436 BCX0\">All carrier apps were distributed through Google Play and\u00a0<\/span><span class=\"NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW20002436 BCX0\">request<\/span><span class=\"NormalTextRun SCXW20002436 BCX0\">\u00a0no unusual permissions. Their manifests include the same SDKs any legitimate app would (Firebase, Google Analytics, Facebook SDK, AndroidX). The malicious components are registered under tampered\u00a0<\/span><\/span><span class=\"TextRun SCXW20002436 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SpellingErrorV2Themed SCXW20002436 BCX0\">com.facebook.utils<\/span><\/span><span class=\"TextRun SCXW20002436 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW20002436 BCX0\">, blending in with the real Facebook SDK classes the apps already include.\u00a0<\/span><\/span><span class=\"EOP Selected SCXW20002436 BCX0\" data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_227150\" aria-describedby=\"caption-attachment-227150\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-227150\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.13.01\u202fPM-1024x839.png\" alt=\"An example of one of 
the apps with hidden malware.\" width=\"1024\" height=\"839\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.13.01\u202fPM-1024x839.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.13.01\u202fPM-300x246.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.13.01\u202fPM-768x630.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.13.01\u202fPM-1536x1259.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.13.01\u202fPM-157x129.png 157w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.13.01\u202fPM.png 1664w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-227150\" class=\"wp-caption-text\"><span class=\"TextRun SCXW265144400 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW265144400 BCX0\" data-ccp-parastyle=\"caption\">Figure\u00a0<\/span><\/span><span class=\"FieldRange SCXW265144400 BCX0\"><span class=\"TextRun SCXW265144400 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW265144400 BCX0\" data-ccp-parastyle=\"caption\">1<\/span><\/span><\/span><span class=\"TextRun SCXW265144400 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW265144400 BCX0\" data-ccp-parastyle=\"caption\">:\u00a0<\/span><span class=\"NormalTextRun SCXW265144400 BCX0\" data-ccp-parastyle=\"caption\">One of the c<\/span><span class=\"NormalTextRun SCXW265144400 BCX0\" data-ccp-parastyle=\"caption\">arrier apps on Google Play<\/span><\/span><span class=\"EOP SCXW265144400 BCX0\" 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559739&quot;:200,&quot;335559740&quot;:240}\">\u00a0<\/span><\/figcaption><\/figure>\n<p><span class=\"TextRun SCXW254067133 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW254067133 BCX0\">The\u00a0<\/span><span class=\"NormalTextRun SCXW254067133 BCX0\">initial<\/span><span class=\"NormalTextRun SCXW254067133 BCX0\">\u00a0payload is embedded in the app\u2019s asset directory as a polyglot image. This means the file displays and\u00a0<\/span><span class=\"NormalTextRun SCXW254067133 BCX0\">renders<\/span><span class=\"NormalTextRun SCXW254067133 BCX0\">\u00a0a normal image, but a deeper inspection reveals that the encrypted malicious payload is appended after the\u00a0<\/span><\/span><span class=\"TextRun SCXW254067133 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW254067133 BCX0\">PNG IEND<\/span><\/span><span class=\"TextRun SCXW254067133 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW254067133 BCX0\">\u00a0marker. 
Since that marker signals to image viewers that the image data ends there, the appended payload\u00a0<\/span><span class=\"NormalTextRun SCXW254067133 BCX0\">remains<\/span><span class=\"NormalTextRun SCXW254067133 BCX0\"> hidden during normal viewing.<\/span><\/span><\/p>\n<h2><span class=\"TextRun SCXW205432124 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW205432124 BCX0\" data-ccp-parastyle=\"heading 2\">Geographical Prevalence<\/span><\/span><span class=\"EOP SCXW205432124 BCX0\" data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span class=\"TextRun SCXW143921749 BCX0\" lang=\"EN\" xml:lang=\"EN\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW143921749 BCX0\">The geographical prevalence map shows the highest infection rates in Nigeria, Ethiopia, Algeria, India, and Kenya, regions where budget devices and older Android versions that no longer receive security updates are common.<\/span><\/span><span class=\"EOP Selected SCXW143921749 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_227165\" aria-describedby=\"caption-attachment-227165\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-227165\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.16.36\u202fPM-1024x470.png\" alt=\"Figure 2: Affected Users Around the World \" width=\"1024\" height=\"470\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.16.36\u202fPM-1024x470.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.16.36\u202fPM-300x138.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.16.36\u202fPM-768x352.png 768w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.16.36\u202fPM-1536x705.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.16.36\u202fPM-205x94.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.16.36\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-227165\" class=\"wp-caption-text\"><em>Figure 2: Affected users around the world<\/em><\/figcaption><\/figure>\n<h2>Malware Analysis<\/h2>\n<p><span class=\"TextRun SCXW224706518 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW224706518 BCX0\">T<\/span><span class=\"NormalTextRun SCXW224706518 BCX0\">he following breakdown walks through each stage of the chain in\u00a0<\/span><span class=\"NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW224706518 BCX0\">order,<\/span><span class=\"NormalTextRun SCXW224706518 BCX0\">\u00a0from the moment a user opens the app to the moment stolen data leaves the device. No single file\u00a0<\/span><span class=\"NormalTextRun SCXW224706518 BCX0\">contains<\/span><span class=\"NormalTextRun SCXW224706518 BCX0\">\u00a0the full chain. 
Each stage decrypts and loads the\u00a0<\/span><span class=\"NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW224706518 BCX0\">next;<\/span><span class=\"NormalTextRun SCXW224706518 BCX0\">\u00a0most are delivered from the server at runtime.<\/span><\/span><span class=\"EOP SCXW224706518 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:278}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_227180\" aria-describedby=\"caption-attachment-227180\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-227180\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.18.20\u202fPM-1024x989.png\" alt=\"Figure 3. The NoVoice Rootkit Payloads\" width=\"1024\" height=\"989\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.18.20\u202fPM-1024x989.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.18.20\u202fPM-300x290.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.18.20\u202fPM-768x741.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.18.20\u202fPM-1536x1483.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.18.20\u202fPM-134x129.png 134w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.18.20\u202fPM-24x24.png 24w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.18.20\u202fPM.png 1616w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-227180\" class=\"wp-caption-text\"><em>Figure 3. 
The NoVoice rootkit payloads<\/em><\/figcaption><\/figure>\n<h2>Stage 1: The Delivery<\/h2>\n<p><span data-contrast=\"auto\">The moment the app opens, code injected into the legitimate Facebook SDK initialization path runs automatically. No user interaction is needed. It first checks whether the device has already been processed and, in most samples, whether it is running Android 12L or below. A subset of the carrier apps skips the version\u00a0check\u00a0entirely. If either check fails, it stops and logs a message disguised as a Facebook SDK error: &#8220;FacebookSdk: Failed in\u00a0initStore.&#8221;<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">If the device was already processed, the code cleans up files assumed to be left behind by\u00a0previous\u00a0runs, including paths that do not belong to any standard Android\u00a0component. None of these are visible to the user.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">If the checks pass, the app reads a polyglot image from its own assets directory, extracts the encrypted payload (enc.apk) hidden after the image data, decrypts it to produce\u00a0h.apk, and loads it into memory. 
It then\u00a0deletes\u00a0all intermediate\u00a0files and\u00a0temporary directories.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_227195\" aria-describedby=\"caption-attachment-227195\" style=\"width: 150px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wpa-warning wpa-suspicious-alt wp-image-227195 size-thumbnail\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.21.07\u202fPM-150x150.png\" alt=\"Figure 4: Normal Looking Image with Malicious Payload \" width=\"150\" height=\"150\" data-warning=\"Suspicious alt text\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.21.07\u202fPM-150x150.png 150w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.21.07\u202fPM-24x24.png 24w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.21.07\u202fPM-48x48.png 48w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.21.07\u202fPM-96x96.png 96w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.21.07\u202fPM-300x300.png 300w\" sizes=\"auto, (max-width: 150px) 100vw, 150px\" \/><figcaption id=\"caption-attachment-227195\" class=\"wp-caption-text\"><i>Figure 4: Normal looking image with malicious payload<\/i><\/figcaption><\/figure>\n<figure id=\"attachment_227210\" aria-describedby=\"caption-attachment-227210\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-227210\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.30.33\u202fPM-1024x633.png\" alt=\"Figure 5: The malicious payload begins after the IEND marker, starting with the magic 
value CAFEBABE. \" width=\"1024\" height=\"633\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.30.33\u202fPM-1024x633.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.30.33\u202fPM-300x185.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.30.33\u202fPM-768x475.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.30.33\u202fPM-205x127.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.30.33\u202fPM.png 1310w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-227210\" class=\"wp-caption-text\"><em>Figure 5: The malicious payload begins after the IEND marker, starting with the magic value CAFEBABE<\/em><\/figcaption><\/figure>\n<h2 aria-level=\"3\"><span data-contrast=\"none\">Stage 2:\u00a0The Gatekeeper<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">The decrypted payload (h.apk) loads a native library (libkwc.so) that controls the rest of this stage. It first verifies it is running inside the intended carrier app by checking the package name and signing certificate against hardcoded values. It also checks whether the app is running in a debug environment.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">libkwc.so\u00a0contains\u00a0two encrypted embedded payloads. The first (sec.jar) is a gate designed to detect\u00a0analysis\u00a0environments. 
It runs 15 checks, including emulator detection, root indicators, debuggers,\u00a0VPN\u00a0and proxy connections,\u00a0Xposed\u00a0hooks, and GPS geofencing. If any check fails, the chain stops silently. The geofence compares the device&#8217;s location against bounding boxes for Beijing and Shenzhen hardcoded in the native library and excludes devices confirmed to be inside them. If the app does not have location permission, it cannot\u00a0determine\u00a0the device&#8217;s position and defaults to letting the chain continue. Two brands get special treatment: on\u00a0Gionee\u00a0devices, all checks except the geofence are skipped; on Meizu devices, the chain follows a separate code path entirely.\u00a0Gionee\u00a0devices have a documented history of shipping with pre-installed malware through supply chain compromise.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Only if all checks in sec.jar pass does libkwc.so decrypt and load the second payload (hex.jar), which begins contacting the C2 server. 
If the gate fails, it\u00a0deletes\u00a0the working directory and stops.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_227225\" aria-describedby=\"caption-attachment-227225\" style=\"width: 1024px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-227225 size-large\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.31.56\u202fPM-1024x749.png\" alt=\"Figure 6: 15 validation checks before proceeding to the next stage \" width=\"1024\" height=\"749\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.31.56\u202fPM-1024x749.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.31.56\u202fPM-300x219.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.31.56\u202fPM-768x561.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.31.56\u202fPM-1536x1123.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.31.56\u202fPM-176x129.png 176w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.31.56\u202fPM.png 1800w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-227225\" class=\"wp-caption-text\"><em>Figure 6: 15 validation checks before proceeding to the next stage<\/em><\/figcaption><\/figure>\n<h2 aria-level=\"3\"><strong>Stage 3:\u00a0The Plugin\u00a0<\/strong><\/h2>\n<p><span data-contrast=\"auto\">Once the gate passes, hex.jar sets up a plugin framework built on an internal codebase the authors refer to as &#8220;kuwo&#8221; in their package names. It checks in with a C2 server every 60 seconds. 
Updates are delivered the same way as the\u00a0initial\u00a0payload: as image files with encrypted data hidden after the image content. The server returns download URLs in a response field named\u00a0warningIcon, disguising plugin downloads as icon fetches. A log-deletion routine runs alongside the framework to remove forensic traces from the device.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The first plugin\u00a0delivered (rt)\u00a0acts as an orchestrator. It manages sub-plugins and handles C2 communication. It checks in with the server, sending over 30 device identifiers including hardware model, kernel version, installed packages, and whether the device has already been rooted. The campaign&#8217;s name comes from this plugin: it embeds a silent audio resource named\u00a0R.raw.novioce.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The\u00a0check-in\u00a0tells the server two things: who this device is and whether it has already been rooted. 
If it has not,\u00a0rt_plugin\u00a0downloads security.jar, moving the chain into root exploitation.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_227240\" aria-describedby=\"caption-attachment-227240\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-227240\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.33.46\u202fPM-1024x567.png\" alt=\"Figure 7: MediaPlayer initialized to load the embedded no voice audio \" width=\"1024\" height=\"567\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.33.46\u202fPM-1024x567.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.33.46\u202fPM-300x166.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.33.46\u202fPM-768x426.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.33.46\u202fPM-1536x851.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.33.46\u202fPM-205x114.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.33.46\u202fPM.png 1610w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-227240\" class=\"wp-caption-text\"><em>Figure 7: MediaPlayer initialized to load the embedded NoVoice audio<\/em><\/figcaption><\/figure>\n<h2 aria-level=\"3\"><span data-contrast=\"none\">Stage 4:\u00a0The Exploit<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">security.jar first checks whether the device is 
already rooted. If so, it\u00a0stops. For unrooted devices, it sends the device&#8217;s chipset, kernel version, security patch date, and other identifiers to the C2. The server responds with a list of exploit binaries matched to that specific device.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Before running any exploit, the rootkit installer (CsKaitno.d) is decrypted from an embedded resource and written to disk, so the installer is already on the device before any exploit runs.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The exploits are downloaded one at a time from the\u00a0C2&#8217;s\u00a0CDN, each encrypted and verified before execution. We recovered 22 exploits in total. Detailed analysis of one of them revealed a three-stage kernel exploit chain: an IPv6 use-after-free for kernel read, a Mali GPU driver vulnerability for kernel read\/write, and finally credential patching and\u00a0SELinux\u00a0disablement.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The expected\u00a0end result\u00a0is the same across all exploits: a root shell with\u00a0SELinux\u00a0disabled. From that shell, the exploit loads\u00a0CsKaitno.d. 
This is where exploitation ends and persistence begins.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_227255\" aria-describedby=\"caption-attachment-227255\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-227255\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.35.04\u202fPM-1024x378.png\" alt=\"Figure 8: SELinux enforcement disabled as part of the exploit chain. \" width=\"1024\" height=\"378\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.35.04\u202fPM-1024x378.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.35.04\u202fPM-300x111.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.35.04\u202fPM-768x284.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.35.04\u202fPM-1536x567.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.35.04\u202fPM-205x76.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.35.04\u202fPM.png 1646w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-227255\" class=\"wp-caption-text\"><em>Figure 8: SELinux enforcement disabled as part of the exploit chain<\/em><\/figcaption><\/figure>\n<h2 aria-level=\"3\"><span data-contrast=\"none\">Stage 5:\u00a0The\u00a0Rootkit<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">CsKaitno.d\u00a0carries four encrypted payloads: library hooks for ARM32 and ARM64 
(asbymol\u00a0and\u00a0bdlomsd), a bytecode patcher (jkpatch), and a persistence daemon (watch_dog). It first removes files associated with possible competing rootkits, then decrypts and writes its own payloads to disk.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The installer backs up the original\u00a0<\/span><i><span data-contrast=\"auto\">libandroid_runtime.so<\/span><\/i><span data-contrast=\"auto\">\u00a0and replaces it with a hook binary matched to the device&#8217;s architecture. It also replaces\u00a0<\/span><i><span data-contrast=\"auto\">libmedia_jni.so<\/span><\/i><span data-contrast=\"auto\">. The replacements are not copies of the original libraries. They are wrappers that intercept the system&#8217;s own functions. When any hooked function runs, it redirects to attacker code.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<div class=\"wp-block-image\">\n<figure id=\"attachment_227270\" aria-describedby=\"caption-attachment-227270\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wpa-warning wpa-image-missing-alt wp-image-227270 size-large\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.38.13\u202fPM-1024x296.png\" alt=\"Figure 9: Rootkit copying and preparing modified system libraries before remounting the filesystem as writable. 
\" width=\"1024\" height=\"296\" data-warning=\"Missing alt text\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.38.13\u202fPM-1024x296.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.38.13\u202fPM-300x87.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.38.13\u202fPM-768x222.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.38.13\u202fPM-205x59.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.38.13\u202fPM.png 1466w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-227270\" class=\"wp-caption-text\"><em>Figure 9: Rootkit copying and preparing modified system libraries before remounting the filesystem as writable<\/em><\/figcaption><\/figure>\n<\/div>\n<p aria-level=\"3\"><span class=\"NormalTextRun SCXW159080370 BCX0\">After replacing the libraries,\u00a0<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW159080370 BCX0\">jkpatch<\/span><span class=\"NormalTextRun SCXW159080370 BCX0\">\u00a0modifies pre-compiled framework bytecode on disk. 
This is a second layer of persistence: even if someone restores the original library, the framework&#8217;s own compiled code still contains the injected redirections.<\/span><\/p>\n<h2 aria-level=\"3\"><span data-contrast=\"none\">Stage 6:\u00a0The Watchdog<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">To survive reboots, the installer replaces the system crash handler with a rootkit launcher, installs recovery scripts, and stores a fallback copy of the exploitation stage on the system partition. If any\u00a0component\u00a0is removed, the rootkit can reinstall itself.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">It then deploys a watchdog daemon (watch_dog) that checks the installation every 60 seconds. If anything is missing, it reinstalls it. If that fails repeatedly, it forces a reboot, bringing the device back up with the\u00a0rootkit\u00a0intact.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">After\u00a0cleaning up\u00a0all staging files, the installer marks the\u00a0device as\u00a0compromised. 
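<\/span><\/p>\n<p>The persistence layer described in Stages 5 and 6 leaves artifacts a responder can check for over adb: the property that marks the device as compromised (os.config.ppgl.status, named in the Attribution section), the watch_dog daemon, and the replaced libandroid_runtime.so and libmedia_jni.so. The triage script below is an added example for this write-up, not McAfee&#8217;s tooling and not code from the malware. It assumes that the property value is not known (any non-empty value is flagged), that known-good library hashes are supplied from a clean firmware image of the same build (the KNOWN_GOOD placeholder), and that the libraries live in the standard \/system\/lib and \/system\/lib64 directories; the command outputs it runs against in the sample are constructed.<\/p>
```python
"""Triage checks for NoVoice-style persistence on an Android device reached
over adb. Added example for this write-up, not McAfee's tooling and not the
malware's code. Indicators come from the report: the os.config.ppgl.status
property, the watch_dog daemon, and the replaced libandroid_runtime.so and
libmedia_jni.so. Assumptions (labelled): the property's value is unknown, so
any non-empty value is flagged; KNOWN_GOOD is a placeholder to be filled from
a clean firmware image of the same build; library paths are the standard ones.
"""
import subprocess

WATCHED_LIBS = [
    "/system/lib/libandroid_runtime.so",
    "/system/lib64/libandroid_runtime.so",
    "/system/lib/libmedia_jni.so",
    "/system/lib64/libmedia_jni.so",
]

# Placeholder (assumption): fill with {path: sha256} taken from a clean image.
KNOWN_GOOD = {}


def adb_shell(serial, command):
    """Run one shell command on the device; returns stdout ('' on failure)."""
    proc = subprocess.run(["adb", "-s", serial, "shell", command],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def parse_getprop(text):
    """Parse `getprop` output ('[key]: [value]' per line) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]") and "]: [" in line:
            key, value = line[1:-1].split("]: [", 1)
            props[key] = value
    return props


def parse_ps(text):
    """Process names from `ps -A` (or plain `ps` on old builds); NAME is the last column."""
    names = []
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if cols:
            names.append(cols[-1])
    return names


def parse_sha256sum(text):
    """Parse `sha256sum` output ('<hash>  <path>' per line) into {path: hash}."""
    hashes = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            hashes[parts[1].strip()] = parts[0]
    return hashes


def assess(props, procs, hashes, known_good):
    """Combine the three views into a list of findings; an empty list means nothing seen."""
    findings = []
    marker = props.get("os.config.ppgl.status")
    if marker:
        findings.append(f"compromise marker set: os.config.ppgl.status={marker}")
    for name in procs:
        if name.rsplit("/", 1)[-1] == "watch_dog":
            findings.append(f"watchdog process running: {name}")
    for path, good in known_good.items():
        seen = hashes.get(path)
        if seen is None:
            continue  # library absent on this build (for example no lib64 directory)
        if seen != good:
            findings.append(f"{path}: sha256 differs from the clean build")
    return findings


def triage(serial, known_good=KNOWN_GOOD):
    """Collect getprop, process list and library hashes from a live device and assess them.
    On builds whose toybox lacks sha256sum, `adb pull` the libraries and hash them locally."""
    props = parse_getprop(adb_shell(serial, "getprop"))
    procs = parse_ps(adb_shell(serial, "ps -A"))
    hashes = parse_sha256sum(adb_shell(serial, "sha256sum " + " ".join(WATCHED_LIBS) + " 2>/dev/null"))
    return assess(props, procs, hashes, known_good)


# --- constructed command outputs for an offline run --------------------------
SAMPLE_GETPROP = "[ro.build.version.release]: [7.0]\n[os.config.ppgl.status]: [1]\n[ro.product.model]: [sample]\n"
SAMPLE_PS = ("USER PID PPID VSZ RSS WCHAN ADDR S NAME\n"
             "root 1 0 0 0 0 0 S init\n"
             "root 812 1 0 0 0 0 S /system/bin/watch_dog\n"
             "u0_a12 2201 480 0 0 0 0 S com.android.chrome\n")
SAMPLE_SHA = f"{'a' * 64}  /system/lib/libandroid_runtime.so\n{'b' * 64}  /system/lib/libmedia_jni.so\n"
SAMPLE_KNOWN_GOOD = {
    "/system/lib/libandroid_runtime.so": "c" * 64,   # runtime lib on device differs
    "/system/lib/libmedia_jni.so": "b" * 64,         # media lib matches
    "/system/lib64/libandroid_runtime.so": "d" * 64, # not present on this 32-bit sample
}

if __name__ == "__main__":
    for finding in assess(parse_getprop(SAMPLE_GETPROP), parse_ps(SAMPLE_PS),
                          parse_sha256sum(SAMPLE_SHA), SAMPLE_KNOWN_GOOD):
        print(finding)
```
<p>A hash mismatch on its own only says the library differs from the reference image, so compare against the exact build fingerprint (ro.build.fingerprint) of the device; the property and the watchdog process are the more specific signals, and a device showing all three should be treated as compromised down to the system partition, which is why the Recommendations call for a reflash rather than a reset.<\/p>\n<p><span data-contrast=\"auto\">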
On the next boot, the\u00a0system&#8217;s\u00a0process launcher (zygote) loads the replaced library, and every app it starts inherits the attacker&#8217;s code.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_227285\" aria-describedby=\"caption-attachment-227285\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-227285\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.39.21\u202fPM-1024x506.png\" alt=\"Figure 10: Watchdog payload decrypted, written to disk, permissioned, and launched with a 60\u2011second restart interval. \" width=\"1024\" height=\"506\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.39.21\u202fPM-1024x506.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.39.21\u202fPM-300x148.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.39.21\u202fPM-768x379.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.39.21\u202fPM-205x101.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.39.21\u202fPM.png 1312w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-227285\" class=\"wp-caption-text\"><em>Figure 10: Watchdog payload decrypted, written to disk, permissioned, and launched with a 60\u2011second restart interval<\/em><\/figcaption><\/figure>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Stage 7:\u00a0The Injection<\/span><span 
data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">On the next boot, every app on the device loads the replaced system library. The injected code decides what to do based on which app it is running inside. Two payloads activate depending on the app. The malware authors named them\u00a0BufferA\u00a0and\u00a0BufferB\u00a0in their own code. Both are embedded as fragments inside the replaced libandroid_runtime.so from Stage 5, assembled in memory at runtime, and\u00a0deleted\u00a0from disk\u00a0immediately\u00a0after loading, leaving no files behind.\u00a0BufferA\u00a0runs inside the system&#8217;s package installer and can silently install or uninstall apps.\u00a0BufferB\u00a0runs inside any app with internet access.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">BufferB\u00a0is the campaign&#8217;s primary post-exploitation tool. It\u00a0operates\u00a0two independent C2 channels with separate encryption keys and beacon intervals. Both channels send device fingerprints to the C2 and receive task instructions in return.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">If all primary domains fail and three or more days pass without contact, a fallback routine activates between 1 and 4 AM, reaching out to\u00a0api[.]googlserves[.]com for a fresh domain list. 
Because\u00a0BufferB\u00a0runs inside any app with internet access, it can be active in dozens of apps simultaneously on a single device.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_227300\" aria-describedby=\"caption-attachment-227300\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-227300\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.40.33\u202fPM-1024x752.png\" alt=\"Figure 11: Injection logic selecting BufferA for the package installer and BufferB for all other apps. \" width=\"1024\" height=\"752\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.40.33\u202fPM-1024x752.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.40.33\u202fPM-300x220.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.40.33\u202fPM-768x564.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.40.33\u202fPM-1536x1129.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.40.33\u202fPM-176x129.png 176w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.40.33\u202fPM.png 1712w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-227300\" class=\"wp-caption-text\"><em>Figure 11: Injection logic selecting BufferA for the package installer and BufferB for all other apps<\/em><\/figcaption><\/figure>\n<h2 aria-level=\"3\"><span data-contrast=\"none\">Stage 8:\u00a0The Theft<\/span><span 
data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">The only task payload we recovered is\u00a0PtfLibc, delivered to\u00a0BufferB\u00a0from Alibaba Cloud OSS. Its target is WhatsApp.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">PtfLibc\u00a0copies WhatsApp&#8217;s encryption database, extracts the device&#8217;s Signal protocol identity keys and registration ID, and pulls the most recent signed\u00a0prekey. It also reads 12 keys from WhatsApp&#8217;s local storage, including the phone number, push name, country code, and Google Drive backup account. For the\u00a0client\u00a0keypair, it tries multiple decryption methods depending on how the device stores the key.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">It sends the stolen data to\u00a0api[.]googlserves[.]com through multiple layers of encryption and\u00a0deletes\u00a0the temporary database copy when done.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">With these keys and session data, an attacker can clone the victim&#8217;s WhatsApp session onto another device.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_227315\" aria-describedby=\"caption-attachment-227315\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-227315\" 
src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.41.30\u202fPM-1024x359.png\" alt=\"Figure 12: Code accessing and copying WhatsApp\u2019s encrypted Signal protocol databases for exfiltration. \" width=\"1024\" height=\"359\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.41.30\u202fPM-1024x359.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.41.30\u202fPM-300x105.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.41.30\u202fPM-768x269.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.41.30\u202fPM-1536x538.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.41.30\u202fPM-205x72.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-11-at-5.41.30\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-227315\" class=\"wp-caption-text\"><em>Figure 12: Code accessing and copying WhatsApp\u2019s encrypted Signal protocol databases for exfiltration<\/em><\/figcaption><\/figure>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Infrastructure<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">The campaign spreads its C2 communication across multiple domains, each serving a different function.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><i><span data-contrast=\"auto\">fcm[.]androidlogs[.]com<\/span><\/i><span data-contrast=\"auto\">\u00a0handles initial device enrollment. 
Once the plugin framework activates, stat[.]upload-logs[.]com takes over as the primary C2 for plugin delivery, device\u00a0checkin, exploit distribution, and result reporting.<\/span><i><span data-contrast=\"auto\">\u00a0config[.]updatesdk[.]com<\/span><\/i><span data-contrast=\"auto\">\u00a0serves as its fallback. Exploit binaries are hosted separately on download[.]androidlogs[.]com, with an S3-accelerated endpoint (logserves[.]s3-accelerate[.]amazonaws[.]com) as the primary CDN. This endpoint returned 403 errors during our analysis.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Task payloads for\u00a0BufferB\u00a0are hosted on Alibaba Cloud OSS (prod-log-oss-01[.]oss-ap-southeast-1[.]aliyuncs[.]com).\u00a0PtfLibc\u00a0beacons to\u00a0api[.]googlserves[.]com, a domain designed to look like Google service traffic\u00a0at a glance.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The domain separation is deliberate. Taking down one domain does not affect the others. 
The C2 can update\u00a0BufferB&#8217;s\u00a0domain lists at runtime, and a fallback routine fetches fresh domains from hardcoded backup endpoints if all configured domains go silent for three or more days.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Recommendations<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span class=\"TextRun SCXW177324554 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW177324554 BCX0\">Because the rootkit\u00a0<\/span><span class=\"NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW177324554 BCX0\">writes to<\/span><span class=\"NormalTextRun SCXW177324554 BCX0\">\u00a0the system partition, a factory reset does not remove it. A reset wipes user data but leaves system files intact. Compromised devices require a full firmware reflash to return to a clean state. 
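<\/span><\/span><\/p>\n<p>One way to act on the network-level advice in this section is to match resolver logs against the C2 hosts listed under Indicators of Compromise and to look for the two beacon shapes described in Stage 7: a fixed check-in interval, and a lookup of the fallback host between 1 and 4 AM. The script below is an added example for this write-up, not McAfee&#8217;s tooling and not the malware&#8217;s code. The domains are taken from this report; the log format (timestamp, client, query name, record type) and the sample lines are constructed, and the 01:00 to 04:00 window is read in device-local time, which the report does not state.<\/p>
```python
"""Match DNS query logs against the NoVoice C2 hosts and flag beacon-like
timing. Added example for this write-up, not McAfee's tooling and not the
malware's code. Domains are the ones listed in the report's IOC section;
the log format and SAMPLE_LOG are constructed; the 1-4 AM window is taken
as device-local time (assumption, the report does not say).
"""
import statistics
from collections import defaultdict
from datetime import datetime

NOVOICE_C2 = [
    "api.googlserves[.]com",
    "config.updatesdk[.]com",
    "download.androidlogs[.]com",
    "fcm.androidlogs[.]com",
    "logserves.s3-accelerate.amazonaws[.]com",
    "prod-log-oss-01.oss-ap-southeast-1.aliyuncs[.]com",
    "stat.upload-logs[.]com",
]
FALLBACK_HOST = "api.googlserves.com"  # fetched between 1 and 4 AM after 3+ silent days


def refang(domain):
    return domain.replace("[.]", ".").lower().rstrip(".")


IOC_HOSTS = {refang(d) for d in NOVOICE_C2}


def is_ioc(qname):
    """Exact host or a subdomain of it. The cloud-hosted entries (amazonaws,
    aliyuncs) match on the full bucket host only, so shared parents are not hit."""
    q = qname.lower().rstrip(".")
    return q in IOC_HOSTS or any(q.endswith("." + h) for h in IOC_HOSTS)


def parse_line(line):
    """'2026-03-10T00:00:05Z 10.0.0.15 stat.upload-logs.com A' -> (ts, client, qname)"""
    ts, client, qname, _qtype = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname.lower().rstrip(".")


def is_periodic(times, min_samples=4, max_cv=0.2):
    """True when inter-query gaps are nearly constant (coefficient of variation
    at most max_cv), which is the shape of a fixed beacon interval."""
    if len(times) < min_samples:
        return False
    secs = sorted(t.timestamp() for t in times)
    gaps = [b - a for a, b in zip(secs, secs[1:])]
    mean = statistics.fmean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_cv


def analyze_dns_log(lines):
    """Return IOC hits, (client, host) pairs that beacon periodically, and
    fallback-host lookups inside the 01:00-04:00 window."""
    hits, offhours = [], []
    by_pair = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, qname = parse_line(line)
        if not is_ioc(qname):
            continue
        hits.append((ts, client, qname))
        by_pair[(client, qname)].append(ts)
        if qname == FALLBACK_HOST and 1 <= ts.hour < 4:
            offhours.append((client, qname, ts))
    periodic = sorted(pair for pair, times in by_pair.items() if is_periodic(times))
    return {"ioc_hits": hits, "periodic": periodic, "offhours_fallback": offhours}


def blocklist():
    """Refanged host list for a resolver RPZ zone or an FQDN firewall rule."""
    return sorted(IOC_HOSTS)


# Constructed resolver log: one device checking in every ~10 minutes, one
# off-hours fallback lookup, and a benign bucket on the same cloud parent.
SAMPLE_LOG = """\
2026-03-10T00:00:05Z 10.0.0.15 stat.upload-logs.com A
2026-03-10T00:00:07Z 10.0.0.15 www.google.com A
2026-03-10T00:10:04Z 10.0.0.15 stat.upload-logs.com A
2026-03-10T00:20:06Z 10.0.0.15 stat.upload-logs.com A
2026-03-10T00:30:05Z 10.0.0.15 stat.upload-logs.com A
2026-03-10T02:10:41Z 10.0.0.15 api.googlserves.com. A
2026-03-10T02:11:02Z 10.0.0.22 cdn.example.org A
2026-03-10T09:15:00Z 10.0.0.22 prod-log-oss-01.oss-ap-southeast-1.aliyuncs.com A
2026-03-10T09:15:30Z 10.0.0.22 other-bucket.oss-ap-southeast-1.aliyuncs.com A
"""

if __name__ == "__main__":
    for key, value in analyze_dns_log(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```
<p>The full host list in the Indicators of Compromise section can be dropped into NOVOICE_C2 as-is, defanged. Two caveats: the Alibaba and Amazon entries are bucket hosts on shared cloud parents, so block the full host name rather than the parent zone, and because the C2 can push new domain lists at runtime the periodic-beacon check matters more over time than any fixed list.<\/p>\n<p><span class=\"TextRun SCXW177324554 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW177324554 BCX0\">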
Blocking the C2 domains and beacon patterns listed in this report at the network level can disrupt the chain at multiple stages.<\/span><\/span><span class=\"EOP Selected SCXW177324554 BCX0\" data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Attribution\u00a0<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span class=\"TextRun SCXW74382680 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW74382680 BCX0\">Several indicators link\u00a0<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW74382680 BCX0\">NoVoice<\/span><span class=\"NormalTextRun SCXW74382680 BCX0\">\u00a0to the\u00a0<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW74382680 BCX0\">Android.Triada<\/span><span class=\"NormalTextRun SCXW74382680 BCX0\">\u00a0family. The property (<\/span><\/span><span class=\"TextRun SCXW74382680 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW74382680 BCX0\">os.config.ppgl.status<\/span><span class=\"NormalTextRun SCXW74382680 BCX0\">)<\/span><\/span><span class=\"TextRun SCXW74382680 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW74382680 BCX0\">\u00a0<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW74382680 BCX0\">NoVoice<\/span><span class=\"NormalTextRun SCXW74382680 BCX0\">\u00a0sets to mark a device as compromised is a known indicator of compromise for Android.Triada.231, a variant that uses the same property to track installation state. 
Both\u00a0<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW74382680 BCX0\">NoVoice<\/span><span class=\"NormalTextRun SCXW74382680 BCX0\">\u00a0and Triada.231 persist by replacing libandroid_runtime.so and hooking system functions so that every app runs attacker code at launch. Whether\u00a0<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW74382680 BCX0\">NoVoice<\/span><span class=\"NormalTextRun SCXW74382680 BCX0\">\u00a0is a direct evolution of Triada.231, a fork of its codebase, or a separate group reusing proven techniques, the shared approach suggests access to a common toolchain.<\/span><\/span><span class=\"EOP Selected SCXW74382680 BCX0\" data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Conclusion<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">What makes\u00a0NoVoice\u00a0dangerous is not any single technique. It is the engineering effort behind the full chain: a self-healing pipeline that goes from a Play Store\u00a0install\u00a0to code execution inside every app on the device, survives factory reset, and\u00a0monitors\u00a0its own installation. The operators built not just a piece of malware but a delivery system and the infrastructure behind it.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">We recovered one task. The framework is designed to accept any number of them, for any app, at any time. The C2 infrastructure\u00a0remains\u00a0active. We do not know what other\u00a0objectives\u00a0have been deployed before, during, or after our analysis. 
The WhatsApp session theft we\u00a0observed\u00a0may be the least of it.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The\u00a0rootkit&#8217;s\u00a0persistence model, overwriting a system library inherited by every process, patching pre-compiled framework bytecode, and\u00a0monitoring\u00a0its own installation with a watchdog, makes remediation difficult.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">This research underscores McAfee\u2019s ongoing role in\u00a0identifying\u00a0advanced mobile threats and working with platform partners to protect users before large<\/span><span data-contrast=\"auto\">\u2011<\/span><span data-contrast=\"auto\">scale harm occurs.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">References<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><a href=\"https:\/\/www.kaspersky.com\/blog\/triada-trojan\/11481\/\" target=\"_blank\" rel=\"noopener\"><span data-contrast=\"none\">https:\/\/www.kaspersky.com\/blog\/triada-trojan\/11481\/<\/span><\/a><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><a href=\"https:\/\/www.kaspersky.com\/about\/press-releases\/kaspersky-discovers-keenadu-a-multifaceted-android-malware-that-can-come-preinstalled-on-new-devices\" target=\"_blank\" rel=\"noopener\"><span data-contrast=\"none\">https:\/\/www.kaspersky.com\/about\/press-releases\/kaspersky-discovers-keenadu-a-multifaceted-android-malware-that-can-come-preinstalled-on-new-devices<\/span><\/a><span 
data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><a href=\"https:\/\/www.humansecurity.com\/learn\/blog\/badbox-peachpit-and-the-fraudulent-device-in-your-delivery-box\/\" target=\"_blank\" rel=\"noopener\"><span data-contrast=\"none\">https:\/\/www.humansecurity.com\/learn\/blog\/badbox-peachpit-and-the-fraudulent-device-in-your-delivery-box\/<\/span><\/a><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Indicators of Compromise<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<h3 aria-level=\"3\"><span data-contrast=\"none\">Command and Control Servers<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">api.googlserves[.]com<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">api.uplogconfig[.]com<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">avatar.ttaeae[.]com<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">awslog.oss-accelerate.aliyuncs[.]com<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">check.updateconfig[.]com<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span 
data-contrast=\"auto\">config.googleslb[.]com<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">config.updatesdk[.]com<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">dnskn.googlesapi[.]com<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">download.androidlogs[.]com<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">fcm.androidlogs[.]com<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">log.logupload[.]com<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">logserves.s3-accelerate.amazonaws[.]com<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">prod-log-oss-01.oss-ap-southeast-1.aliyuncs[.]com<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">sao.ttbebe[.]com<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">stat.upload-logs[.]com<\/span><span 
data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">upload.crash-report[.]com<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">nzxsxn.98kk89[.]com<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">98kk89[.]com<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p aria-level=\"3\"><span data-contrast=\"none\">Carrier App Samples<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Authored By: Ahmad Zubair Zahid\u00a0 McAfee\u2019s mobile research team\u00a0identified\u00a0and investigated an Android rootkit campaign tracked as Operation\u00a0Novoice. The malware described&#8230;<\/p>\n","protected":false},"author":695,"featured_media":199934,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[10667,1838,442],"tags":[],"coauthors":[4136],"class_list":["post-227149","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-news","category-mobile-security","category-mcafee-labs"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Operation NoVoice: Rootkit Tells No Tales | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Authored By: Ahmad Zubair Zahid\u00a0 McAfee\u2019s mobile research team\u00a0identified\u00a0and investigated an Android rootkit campaign tracked as Operation\u00a0Novoice. The\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Operation NoVoice: Rootkit Tells No Tales | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Authored By: Ahmad Zubair Zahid\u00a0 McAfee\u2019s mobile research team\u00a0identified\u00a0and investigated an Android rootkit campaign tracked as Operation\u00a0Novoice. 
The\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-31T09:30:23+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_031323.png\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"19 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Operation NoVoice: Rootkit Tells No Tales\",\"datePublished\":\"2026-03-31T09:30:23+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/\"},\"wordCount\":3847,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_031323.png\",\"articleSection\":[\"Security News\",\"Mobile Security\",\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/\",\"name\":\"Operation NoVoice: Rootkit Tells No Tales | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_031323.png\",\"datePublished\":\"2026-03-31T09:30:23+00:00\",\"description\":\"Authored By: Ahmad Zubair Zahid\u00a0 McAfee\u2019s mobile research team\u00a0identified\u00a0and investigated an Android rootkit campaign tracked as Operation\u00a0Novoice. The\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_031323.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_031323.png\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other 
Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Operation NoVoice: Rootkit Tells No Tales\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee 
Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Operation NoVoice: Rootkit Tells No Tales | McAfee Blog","description":"Authored By: Ahmad Zubair Zahid\u00a0 McAfee\u2019s mobile research team\u00a0identified\u00a0and investigated an Android rootkit campaign tracked as Operation\u00a0Novoice. The","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Operation NoVoice: Rootkit Tells No Tales | McAfee Blog","og_description":"Authored By: Ahmad Zubair Zahid\u00a0 McAfee\u2019s mobile research team\u00a0identified\u00a0and investigated an Android rootkit campaign tracked as Operation\u00a0Novoice. 
The","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2026-03-31T09:30:23+00:00","og_image":[{"width":300,"height":200,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_031323.png","type":"image\/png"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"19 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"Operation NoVoice: Rootkit Tells No Tales","datePublished":"2026-03-31T09:30:23+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/"},"wordCount":3847,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_031323.png","articleSection":["Security News","Mobile Security","McAfee 
Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/","name":"Operation NoVoice: Rootkit Tells No Tales | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_031323.png","datePublished":"2026-03-31T09:30:23+00:00","description":"Authored By: Ahmad Zubair Zahid\u00a0 McAfee\u2019s mobile research team\u00a0identified\u00a0and investigated an Android rootkit campaign tracked as Operation\u00a0Novoice. 
The","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_031323.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/09\/300x200_Blog_031323.png","width":300,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/new-research-operation-novoice-rootkit-malware-android\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Operation NoVoice: Rootkit Tells No Tales"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security 
News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. 
See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/227149","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=227149"}],"version-history":[{"count":5,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/227149\/revisions"}],"predecessor-version":[{"id":227936,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/227149\/revisions\/227936"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/199934"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=227149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=227149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=227149"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=227149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}