
Operation NoVoice Rootkit Tells No Tales#2086

Open
carlospolop wants to merge 1 commit into master from update_Operation_NoVoice__Rootkit_Tells_No_Tales_20260402_131507

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-research-operation-novoice-rootkit-malware-android/
  • Blog Title: Operation NoVoice: Rootkit Tells No Tales
  • Suggested Section: 📱 Mobile Pentesting -> Android Applications Pentesting (new pages/sections): 'Polyglot payloads in assets (PNG IEND append)'; 'Android persistence & system-wide injection (zygote/libandroid_runtime.so replacement, framework bytecode patching, watchdog self-heal)'. Optionally cross-link from: Basic Forensic Methodology -> Malware Analysis (anti-analysis/geofence and staged loaders).

🎯 Content Summary

Title/Context
McAfee Mobile Research analyzed an Android rootkit campaign named Operation NoVoice (McAfee Labs blog dated Mar 31, 2026). The malware is delivered via carrier apps that were distributed on Google Play (no sideloading), appear benign (cleaners/games/gallery utilities), and request no unusual permissions. The chain is multi-stage and plugin-based: each stage decrypts/loads the next; most payloads are delivered at runtime from C2. ...

🔧 Technical Details

Polyglot image payload smuggling (PNG IEND append): Store encrypted executable content inside an innocuous image by appending the blob after the PNG IEND marker. At runtime, the loader reads the asset, extracts bytes after IEND (often identifiable by a magic like CAFEBABE), decrypts them into an APK/JAR, loads it in memory, and deletes staging artifacts—evading casual inspection and some static scanners that treat it as “just an image.”

Auto-execution by hijacking a common SDK init path: Execute malicious bootstrap code without additional permissions by patching/hooking an initialization path of a widely used library (e.g., Facebook SDK). This runs on first app open and can log benign-looking SDK errors on failure to blend into normal telemetry.

Native gatekeeper + anti-analysis gating with geofencing: Use a native library to enforce package/signature pinning and to decrypt/run an anti-analysis module that check...

🤖 Agent Actions

I’m mapping the repo first and then reading the Android and malware-adjacent docs to find one precise place for the content. After that I’ll verify the McAfee post details and only add techniques that are not already documented.
I found a promising existing Android page about zygote and libandroid_runtime.so, plus forensic pages for PNG tricks and malware analysis. I’m reading those now to decide which single file can absorb the most value without duplicating content.
The current best fit is the existing libandroid_runtime/zygote page, because it already covers firmware-level Android backdoors and system-wide app injection. I’m verifying the McAfee article itself now and then I’ll grep the repo for overlap on PNG tail payloads, watchdog persistence, and framework bytecode patching before editing.
The repo already mentions IEND trailing bytes generically and foreground-service audio loops generically, but it does not have the combination of PNG tail polyglots, libandroid_runtime.so replacement, framework bytecode patching, and watchdog self-heal in one Android rootkit context. I’m checking a couple more adjacent pages to avoid duplicating a better existing location before I patch the firmware-level Android page.
I’ve confirmed the repo does not already cover the specific Android rootkit chain details I want to add. I’m updating the existing firmware-level-zygote-backdoor-libandroid_runtime.md page with two focused additions: Android PNG tail polyglot staging as a precursor, and post-root persistence via library replacement, framework patching, and watchdog self-heal.
The patch is in. I’m re-reading the updated page now to confirm the additions stay concise, preserve the existing structure, and keep references at the end.
Updated firmware-level-zygote-backdoor-libandroid_runtime.md.

I kept the change in a single existing file because it was already the best fit for Android system-wide injection via zygote and libandroid_runtime.so. The update adds the NoVoice-specific techniques that were missing: PNG IEND tail polyglot staging from app assets, SDK-init auto-exec, post-root wrapper replacement of libandroid_runtime.so/libmedia_jni.so, framework bytecode patch persistence, watchdog self-heal, and concise forensic checks. I also added the McAfee article to the references section.

Verified by re-reading the full page and checking git diff; no new file was needed and the existing content was preserved.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
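As an added forensic check (written here, not code from the PR or the McAfee post), the following Python walks a PNG's chunk list to the IEND chunk and reports any bytes stored after it, flagging the CAFEBABE magic the summary mentions. The 1x1 PNG and the appended tail are constructed in the block for the demo.

```python
import struct
import sys
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 8-bit grayscale PNG with arbitrary bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, color, ...
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer


def find_png_trailer(data: bytes) -> dict:
    """Validate every chunk up to IEND and describe whatever follows it."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while True:
        if pos + 12 > len(data):
            raise ValueError("truncated PNG: no IEND chunk found")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # length field + type + data + CRC
        if end > len(data):
            raise ValueError(f"truncated chunk {ctype!r}")
        crc = struct.unpack(">I", data[end - 4:end])[0]
        if crc != zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF:
            raise ValueError(f"bad CRC on chunk {ctype!r}")
        pos = end
        if ctype == b"IEND":
            break  # a well-formed image ends here; anything after is a trailer
    trailer = data[pos:]
    return {
        "iend_end": pos,
        "trailer_len": len(trailer),
        "trailer_magic": trailer[:4].hex(),
        "cafebabe": trailer[:4] == b"\xca\xfe\xba\xbe",
    }


if __name__ == "__main__":
    # Scan files given on the command line, or the constructed sample if none.
    targets = sys.argv[1:] or []
    blobs = [(p, open(p, "rb").read()) for p in targets] or [
        ("constructed-sample.png", build_sample_png(b"\xca\xfe\xba\xbe" + bytes(32)))
    ]
    for name, blob in blobs:
        print(name, find_png_trailer(blob))
```

Run it against the asset directory of an unpacked APK; a non-zero `trailer_len` on an image that otherwise decodes fine is the indicator worth a closer look.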

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-research-operation-novoice-rootkit-malware-android/

Content Categories: Based on the analysis, this content was categorized under "📱 Mobile Pentesting -> Android Applications Pentesting (new pages/sections): 'Polyglot payloads in assets (PNG IEND append)'; 'Android persistence & system-wide injection (zygote/libandroid_runtime.so replacement, framework bytecode patching, watchdog self-heal)'. Optionally cross-link from: Basic Forensic Methodology -> Malware Analysis (anti-analysis/geofence and staged loaders).".

Repository Maintenance:

  • MD Files Formatting: 964 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
