Operation Novoice Exposed: Advanced Android Rootkit Infects Millions via Google Play, Evades Detection and Survives Factory Reset

The cybersecurity landscape continues to evolve, and mobile threats are becoming increasingly sophisticated. One such campaign, Operation Novoice, highlights how attackers are leveraging outdated Android vulnerabilities to gain deep, persistent access to user devices.

According to the research findings, this campaign exploits vulnerabilities patched between 2016 and 2021. Devices running Android security patches before 2021-05-01 are particularly vulnerable. However, even patched devices may still face risks if malicious apps were installed.

One of the carrier apps on Google Play for the malware

Overview of the Attack Chain

Operation Novoice begins with seemingly harmless applications distributed via Google Play. These apps appear legitimate—offering cleaning tools, games, or gallery utilities—while secretly initiating a complex infection chain in the background.

Key Highlights

  • Over 50 malicious apps identified
  • More than 2.3 million downloads
  • Distributed via Google Play (no sideloading required)
  • No suspicious permissions requested

Once installed, the app silently communicates with a command-and-control (C2) server, profiles the device, and deploys tailored exploits.

Complete attack chain, Source: McAfee

Technical Breakdown of the Infection Stages

Stage 1: Payload Delivery

The infection begins immediately after app launch. Malicious code embedded within legitimate SDK initialization routines extracts an encrypted payload hidden inside a polyglot PNG image. This payload is decrypted into executable components and loaded into memory.


Stage 2: Environment Validation (Gatekeeper)

A native library (libkwc.so) ensures the malware runs only in targeted environments. It performs multiple checks:

  • Emulator detection
  • Root detection
  • VPN/proxy detection
  • Debugging tools
  • Geofencing (excludes Beijing & Shenzhen)

If any condition fails, execution stops silently.


Stage 3: Plugin Framework Initialization

Once validated, the malware deploys a modular plugin framework (“kuwo”). It communicates with the C2 server every 60 seconds and downloads additional payloads disguised as image files.

The main orchestrator plugin embeds a silent audio resource (R.raw.novioce) to maintain persistence via foreground services.


Stage 4: Root Exploitation

The malware downloads device-specific exploits from the C2 server. Researchers identified 22 exploit variants, including:

  • IPv6 use-after-free vulnerability
  • Mali GPU driver flaws
  • SELinux bypass techniques

The goal: achieve root access with SELinux disabled.


Stage 5: Rootkit Deployment

Once root access is obtained, the malware installs a rootkit (CsKaitno.d) that:

  • Replaces system libraries (libandroid_runtime.so, libmedia_jni.so)
  • Hooks system functions
  • Injects malicious code into every app

It also modifies compiled Android framework bytecode, ensuring persistence even if libraries are restored.


Stage 6: Persistence via Watchdog

A watchdog daemon (watch_dog) ensures the malware survives:

  • Reinstalls removed components
  • Forces reboot if tampering detected
  • Stores fallback payloads in system partition

This makes the infection resistant to factory reset.


Stage 7: Code Injection

After reboot, all apps inherit malicious code via modified system libraries. Two payloads are deployed:

  • BufferA: Controls app installation/uninstallation
  • BufferB: Main data exfiltration engine

BufferB operates multiple encrypted C2 channels and can function across multiple apps simultaneously.


Stage 8: Data Theft (WhatsApp Targeting)

The only recovered payload, PtfLibc, specifically targets WhatsApp. It extracts:

  • Encryption databases
  • Signal protocol keys
  • Registration ID
  • Phone number and metadata

Data is exfiltrated to:

api[.]googlserves[.]com

This enables attackers to clone WhatsApp sessions on another device.


Infrastructure and IOCs

The campaign uses distributed infrastructure to avoid detection:

  • fcm[.]androidlogs[.]com – device enrollment
  • stat[.]upload-logs[.]com – main C2
  • config[.]updatesdk[.]com – fallback
  • download[.]androidlogs[.]com – exploit delivery
  • logserves[.]s3-accelerate[.]amazonaws[.]com – CDN
  • prod-log-oss-01[.]oss-ap-southeast-1[.]aliyuncs[.]com – payload hosting
  • api[.]googlserves[.]com – data exfiltration

The infrastructure is modular—disabling one domain does not stop the attack.
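Because the infrastructure is modular, detection should match on the whole IOC set rather than on a single domain. The following is an added example, not code from the original article or from McAfee: it refangs the defanged domains listed above and scans DNS query logs for exact or subdomain hits. The log line format ("timestamp client query name") and the sample lines are constructed assumptions; adapt the regular expression to your resolver's actual log format.

```python
"""Match DNS query logs against the Operation Novoice C2 domains listed above."""
import re

# Defanged domains copied from the IOC list above; they are refanged at
# runtime so this file never contains a live hostname.
NOVOICE_IOCS = {
    "fcm[.]androidlogs[.]com": "device enrollment",
    "stat[.]upload-logs[.]com": "main C2",
    "config[.]updatesdk[.]com": "fallback",
    "download[.]androidlogs[.]com": "exploit delivery",
    "logserves[.]s3-accelerate[.]amazonaws[.]com": "CDN",
    "prod-log-oss-01[.]oss-ap-southeast-1[.]aliyuncs[.]com": "payload hosting",
    "api[.]googlserves[.]com": "data exfiltration",
}


def refang(domain: str) -> str:
    """Turn a defanged indicator ('api[.]example[.]com') back into a hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")


# hostname -> role, used for exact and subdomain matching
IOC_TABLE = {refang(d): role for d, role in NOVOICE_IOCS.items()}


def matches_ioc(hostname: str):
    """Return (ioc, role) if hostname equals an IOC or is a subdomain of one, else None."""
    h = hostname.lower().rstrip(".")
    for ioc, role in IOC_TABLE.items():
        if h == ioc or h.endswith("." + ioc):
            return ioc, role
    return None


# Assumed (constructed) log format: "<timestamp> <client_ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)")


def scan_dns_log(lines):
    """Return one dict per log line whose queried name hits the IOC list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        found = matches_ioc(m.group("qname"))
        if found:
            ioc, role = found
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "qname": m.group("qname"), "ioc": ioc, "role": role})
    return hits


# Constructed sample log lines; not real traffic.
SAMPLE_LOG = [
    "2024-01-10T08:00:01Z 10.0.0.12 query www.example.com",
    "2024-01-10T08:00:07Z 10.0.0.12 query fcm.androidlogs.com",
    "2024-01-10T08:01:07Z 10.0.0.12 query stat.upload-logs.com",
    "2024-01-10T08:01:09Z 10.0.0.40 query cdn.example.net",
    "2024-01-10T08:02:15Z 10.0.0.12 query api.googlserves.com.",
    "2024-01-10T08:02:16Z 10.0.0.12 query notreallygooglserves.com",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']} ({hit['role']})")
```

The matcher deliberately requires a label boundary (`"." + ioc`), so a lookalike such as `notreallygooglserves.com` is not flagged; a trailing root dot on the query name is tolerated. One client resolving several of these roles in sequence (enrollment, then main C2, then exfiltration) is a much stronger signal than a single hit and is worth correlating by client address.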


Geographical Impact

Higher infection rates were observed in:

  • Nigeria
  • Ethiopia
  • Algeria
  • India
  • Kenya

These regions often use older Android devices with limited security updates.


Attribution and Links to Known Malware

Operation Novoice shares similarities with the Android.Triada malware family:

  • Uses property os.config.ppgl.status as an IOC
  • Replaces system libraries for persistence
  • Hooks system processes

This suggests shared tooling or code reuse across campaigns.


Mitigation and Recommendations

  • Avoid installing unknown apps—even from official stores
  • Keep Android devices updated (security patch ≥ 2021-05-01)
  • Use mobile security solutions
  • Monitor network traffic for listed IOCs
  • Reflash firmware for infected devices (factory reset is insufficient)
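Two of the checks above (the 2021-05-01 patch-level cut-off in the recommendations, and the os.config.ppgl.status system property the article lists as a Triada-linked IOC) can be read straight from `adb shell getprop`. The script below is an added example, not code from the original article or from McAfee: it parses getprop output and reports whether the device is inside the exploitable patch window and whether the Triada/Novoice property is set. The sample getprop text is constructed, and the severity labels are the example's own assumption.

```python
"""Triage an Android device from `adb shell getprop` output for the
Operation Novoice indicators described above."""
import re
from datetime import date

# Cut-off from the recommendations above: patch levels before this are in the window.
MIN_SECURITY_PATCH = date(2021, 5, 1)
# System property the article lists as shared with Android.Triada.
TRIADA_PROPERTY = "os.config.ppgl.status"

# getprop prints one "[key]: [value]" pair per line
GETPROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]:\s*\[(?P<value>[^\]]*)\]$")


def parse_getprop(text: str) -> dict:
    """Parse the '[key]: [value]' lines printed by `adb shell getprop`."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def parse_patch_date(value: str):
    """ro.build.version.security_patch is 'YYYY-MM-DD'; return None if unparsable."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def triage(props: dict) -> list:
    """Return (severity, message) findings; an empty list means nothing was flagged."""
    findings = []
    patch = parse_patch_date(props.get("ro.build.version.security_patch", ""))
    if patch is None:
        findings.append(("info", "security patch level missing or unparsable"))
    elif patch < MIN_SECURITY_PATCH:
        findings.append(("high", f"security patch {patch} predates {MIN_SECURITY_PATCH}; "
                                 "device is inside the exploitable window"))
    if TRIADA_PROPERTY in props:
        findings.append(("critical", f"{TRIADA_PROPERTY}={props[TRIADA_PROPERTY]!r} is set; "
                                     "Triada/Novoice rootkit indicator, reflash firmware"))
    return findings


# Constructed sample output; not captured from a real device.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [9]
[ro.build.version.security_patch]: [2020-09-05]
[ro.product.model]: [EXAMPLE-DEVICE]
[os.config.ppgl.status]: [1]
"""

if __name__ == "__main__":
    # Real use: adb shell getprop > props.txt, then pass the file contents here.
    for severity, message in triage(parse_getprop(SAMPLE_GETPROP)):
        print(f"[{severity}] {message}")
```

An old patch level on its own only says the device could have been exploited; the property hit is the actual rootkit indicator, and because the article states the implant survives factory reset, the remediation for that finding is a firmware reflash rather than a reset.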

Our Opinion on Operation Novoice

Operation Novoice represents a significant evolution in Android malware sophistication. What stands out is not just the use of root exploits, but the engineering maturity of the attack chain. The modular architecture, adaptive payload delivery, and deep system integration indicate a well-funded and highly skilled threat actor.

Unlike traditional malware that relies on user negligence or sideloading, this campaign successfully bypasses trust barriers by leveraging official app distribution channels. This is particularly concerning because it undermines the perceived safety of platforms like Google Play.

Another critical concern is persistence. By modifying system libraries and framework bytecode, Novoice achieves a level of control typically associated with advanced persistent threats (APTs). The ability to survive factory resets raises serious challenges for both users and incident responders.

The targeting of WhatsApp also suggests a shift toward identity and communication hijacking, which can lead to financial fraud, espionage, and social engineering at scale.

In our view, this campaign highlights a pressing need for stronger app vetting mechanisms, improved runtime behavior monitoring, and extended support for older Android devices. Without these improvements, similar threats will continue to exploit the long tail of vulnerable devices globally.