"NoVoice" malware detected on Google Play

The "NoVoice" malware has been detected on Google Play. There are over 2 million Android machines already attached.

Google has always confirmed the security of using the Google Play Store. Google has been monitoring applications that may be malware-latent dangerous apps, but until then they survive, there are still often dangerous apps. Each outbreak has an extraordinary level of risk, such as this news.

According to a report by the website Bleeping Computer, it has detected a new malware epidemic, "NoVoice," a Rootkit-based malware (deep embedded malware) that focuses on attacks on groups of Android users through more than 50 fake applications covering a wide range of applications - Cleaner, video games, photo management apps, etc. - all of which are released for download through the official Android app store, the Google Play Store, and with the reliability of the platform itself, there are victims or fall under. The risk is as much as 2.3 million cases.

The "NoVoice" malware is a strange malware, because when it is attached to the machine, it runs quietly. It does not have a special request for access or permissions like any other malware, but a review from the McAfee research team, an old anti-virus developer, has found that the malware is trying to access the highest level of Root through many old Android security vulnerabilities, many of which are often fixed with updated patches that come out during the year. 2016 - 2021, and when trying to find out exactly what hackers are behind this malware, it does not find that the malware is related to a specific group of hackers, but the malware has similar capabilities to old malware like Triada, making it assumed that it may be a breakthrough.

In the area of malware, the research team found that the malware has components in a package called com.facebook.utils, which makes the malware smooth with the Facebook SDK package. The encrypted Payload file is named enc.apk. The payload is encrypted and the code is hidden in the PNG file with the Steganography technique. After decoding, it will get a payload file called h.apk that will be loaded directly into memory (In-Memory Execution) and delete the intermediary file immediately. To cover up traces of malware from being investigated.

Researchers have also found that malware has been determined not to be grunned on machines running within defined zones, such as those within Beijing and Shenzhen, China, as well as to determine whether the operation on the machine is in use. Emulators, VPNs, Debugger tools, and 15 other joint tools. If all checked through, the malware will run itself immediately. After that, the malware will contact the C2 or Command and Control servers and then collect data. On the system, such as the hardware version, the kernel version, the Android version, the list of all apps installed, and the level of Root permissions to find the best exploit method. The malware contacts the C2 server every 60 seconds to gradually download Component and Exploit elements suitable for the victim's system. The latter has up to 22, covering both the use-after-Free memory vulnerability and the Mali driver vulnerability. GPU etc.

After the malware is able to successfully root the machine, the malware will replace key libraries of the system like libandroid_runtime.so and libmedia_jni.so with Hooked Wrappers that will intervene with the Call command of the system to change the Redirect target to run the attack command. Not only that, this malware has the ability to stabilize multiple systems. Whether it is installing a Recovery Script, changing the Crash Handler to a malware loader, and packing the Payload into a Partition Partition ) of the storage part of the system.

After the malware is fully embedded within the system, the malware launches itself into various applications and releases two Component Deployments.

Component that serves to quietly install and uninstall the application.

Component embedded to perform actions on the application itself

The latter will focus heavily on stealing data on Whatsapp, a popular chat application, to steal usage data (Session) sent to C2 servers. These data will lead to hackers being able to use Whatsapp on their machines with the victim's active Session in order to impersonate the victim in a campaign to deceive those on the victim's contact list.

At present, Google has updated that it has successfully removed all malware contamination applications after being reported by McAfee.

# Trending # Lemon 8 Howtoo # lemon 8 diary # novoice # freedomhack