A newly identified Android malware family dubbed NoVoice has been found hiding inside more than 50 applications on the Google Play Store, accumulating at least 2.3 million downloads before being detected and removed. The malware operates silently in the background, committing click fraud, subscribing victims to premium services, and covertly delivering ads, with no activity visible to the device owner.
What Is NoVoice?
NoVoice is an Android adware and subscription-fraud malware family that masquerades as legitimate utility applications — including photo editors, QR code scanners, productivity tools, and entertainment apps. Although the apps appear functional and benign, the malicious payload activates shortly after installation.
The name "NoVoice" reflects the malware's defining characteristic: it performs all its operations silently, with no notifications, no visible browser activity, and no user prompts. Victims typically have no idea they have been compromised.
| Attribute | Details |
|---|---|
| Name | NoVoice |
| Platform | Android |
| Distribution | Google Play Store (50+ apps) |
| Infections | 2.3 million+ devices |
| Primary Activity | Subscription fraud, click fraud, invisible ads |
| Discovered | April 2026 |
| Source | BleepingComputer |
How NoVoice Operates
Installation and Initial Delay
NoVoice-infected apps pass basic automated review by delaying the activation of malicious behavior. After installation, the app behaves entirely normally for a period — typically 24 to 72 hours — before the embedded SDK activates its fraud routines.
Silent Background Activity
Once activated, NoVoice performs several fraud operations without triggering any visible UI:
1. Registers the device with remote C2 infrastructure
2. Receives click-fraud targeting instructions
3. Silently clicks on invisible ads served by ad networks
4. Subscribes the user to premium WAP billing services (via background WebView interactions without user confirmation)
5. Exfiltrates device identifiers, installed app list, and carrier information to attacker servers
Subscription Fraud Mechanism
The most financially damaging component is the WAP billing subscription fraud. NoVoice uses a hidden WebView to load carrier billing subscription pages and simulate user interaction, silently enrolling victims into recurring premium SMS or data charges. Because these charges appear on the device owner's phone bill — not as in-app purchases — they often go unnoticed for months.
Why Did It Bypass Google Play Review?
Security researchers note several techniques used by NoVoice to evade detection:
- Delayed malicious activation — clean behavior during the review window
- Remote payload delivery — the fraudulent SDK is loaded dynamically from a remote server after installation, meaning the APK submitted to Play does not contain the malicious code directly
- Legitimate-looking permissions — only requests common permissions (internet, notifications) that are not flagged as high-risk
- Code obfuscation — the embedded SDK uses multi-layer obfuscation and string encryption to avoid static analysis detection
Affected App Categories
The 50+ infected apps spanned multiple categories designed to attract broad installs:
- Photo and video editors (highest download volumes)
- QR code and barcode scanners
- File managers and cleaners
- Flashlight and utility apps
- Casual games and entertainment
- Wallpaper and theme apps
Google has removed the identified apps from the Play Store following the researchers' disclosure, and Play Protect has been updated to detect NoVoice variants. However, devices that installed the apps before removal remain infected until users uninstall them.
Impact on Users
Victims of NoVoice may experience:
- Unexpected mobile billing charges — premium service subscriptions added without consent
- Increased data usage — background ad rendering and C2 communication
- Reduced battery life — persistent background processes
- Privacy exposure — device fingerprint, app list, and carrier data exfiltrated
How to Check If You're Affected
Review Installed Apps
Check your device for recently installed apps from the above categories that you don't actively use or whose developer you cannot identify:
1. Settings → Apps → See all apps
2. Sort by install date or review apps with internet permission
Check Subscription and Billing
Contact your mobile carrier and review your last 2-3 bills for:
- Premium SMS charges
- Data subscription services you did not knowingly sign up for
Use Google Play Protect
1. Open Google Play Store
2. Tap your profile icon → Play Protect → Scan device
3. Enable "Improve harmful app detection" for remote scanning
Recommended Actions
- Uninstall any suspicious apps installed in the past 60 days that you cannot identify
- Review your mobile bill for unauthorized premium service charges and contact your carrier for refunds
- Enable Play Protect and ensure it is scanning regularly
- Avoid sideloading APKs or installing from unofficial app stores
- Check app developer reputation before installing — look for established publishers with a genuine web presence
- Consider a mobile security app (Malwarebytes, Lookout, or similar) for ongoing protection
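The manual review described above (sort by install date, look at apps with internet permission, focus on the past 60 days) can be scripted for a device connected over USB debugging. The following is an added example, not code from the researchers or from Google: it assumes the text layout printed by `adb shell dumpsys package`, the function name `recent_internet_apps` is hypothetical, and the package names in the sample are constructed rather than indicators from the report.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout assumed for `adb shell dumpsys package`
# output; package names are made up and are not NoVoice indicators.
SAMPLE_DUMPSYS = """\
  Package [com.example.qrscan] (a1b2c3):
    userId=10231
    firstInstallTime=2026-03-20 09:14:02
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.POST_NOTIFICATIONS
  Package [com.example.notes] (d4e5f6):
    userId=10198
    firstInstallTime=2025-08-02 18:40:11
    requested permissions:
      android.permission.INTERNET
  Package [com.example.offlinecalc] (0718aa):
    userId=10240
    firstInstallTime=2026-03-28 21:05:47
    requested permissions:
      android.permission.VIBRATE
"""

PKG_RE = re.compile(r"^[ \t]*Package \[([^\]]+)\]", re.M)
TIME_RE = re.compile(r"firstInstallTime=(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
PERM_RE = re.compile(r"^[ \t]+(android\.permission\.[A-Z0-9_]+)[ \t]*$", re.M)

def recent_internet_apps(dumpsys_text, now, window_days=60):
    """Return [(package, first_install)] for apps first installed within
    the window that request INTERNET, newest first."""
    cutoff = now - timedelta(days=window_days)
    hits = []
    # re.split with one capture group yields name, body, name, body, ...
    parts = PKG_RE.split(dumpsys_text)[1:]
    for name, body in zip(parts[0::2], parts[1::2]):
        m = TIME_RE.search(body)
        if not m:
            continue  # record without an install time cannot be dated
        installed = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        perms = set(PERM_RE.findall(body))
        if installed >= cutoff and "android.permission.INTERNET" in perms:
            hits.append((name, installed))
    return sorted(hits, key=lambda h: h[1], reverse=True)

if __name__ == "__main__":
    for pkg, when in recent_internet_apps(SAMPLE_DUMPSYS, datetime(2026, 4, 1)):
        print(f"{when:%Y-%m-%d}  {pkg}")
```

The result is a review shortlist, not a verdict: most apps request internet access, so each listed package still needs the developer and billing checks above.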
Google's Response
Google confirmed the removal of all identified NoVoice-infected applications from the Play Store and stated that Google Play Protect has been updated with detection signatures. Users who had the affected apps installed will receive a Play Protect alert advising removal.
This incident adds to a growing list of large-scale malware campaigns that have abused the Google Play Store's developer ecosystem, highlighting the ongoing challenge of reliably detecting dynamically loaded malicious SDKs through static analysis at review time.
Source: BleepingComputer — April 1, 2026