Operation NoVoice: Rootkit Tells No Tales

    Date: 04/07/2026

    Severity: Medium

    Summary

    Researchers uncovered an Android rootkit campaign called Operation NoVoice targeting older vulnerabilities (2016–2021). Devices with security patches from May 2021 onward are protected from known exploits. However, even patched devices may have been exposed to unknown payloads via malicious apps. These apps, disguised as tools or games on Google Play, appeared normal to users. In the background, they profiled devices and deployed tailored root exploits to gain full control. Once compromised, attackers could inject code into apps like WhatsApp and steal sensitive data.

    Indicators of Compromise (IOC) List

    Domains\URLs :

    Hash :

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "config.googleslb.com" or url like "config.googleslb.com" or siteurl like "config.googleslb.com" or domainname like "config.updatesdk.com" or url like "config.updatesdk.com" or siteurl like "config.updatesdk.com" or domainname like "sao.ttbebe.com" or url like "sao.ttbebe.com" or siteurl like "sao.ttbebe.com" or domainname like "dnskn.googlesapi.com" or url like "dnskn.googlesapi.com" or siteurl like "dnskn.googlesapi.com" or domainname like "log.logupload.com" or url like "log.logupload.com" or siteurl like "log.logupload.com" or domainname like "98kk89.com" or url like "98kk89.com" or siteurl like "98kk89.com" or domainname like "awslog.oss-accelerate.aliyuncs.com" or url like "awslog.oss-accelerate.aliyuncs.com" or siteurl like "awslog.oss-accelerate.aliyuncs.com" or domainname like "download.androidlogs.com" or url like "download.androidlogs.com" or siteurl like "download.androidlogs.com" or domainname like "nzxsxn.98kk89.com" or url like "nzxsxn.98kk89.com" or siteurl like "nzxsxn.98kk89.com" or domainname like "logserves.s3-accelerate.amazonaws.com" or url like "logserves.s3-accelerate.amazonaws.com" or siteurl like "logserves.s3-accelerate.amazonaws.com" or domainname like "check.updateconfig.com" or url like "check.updateconfig.com" or siteurl like "check.updateconfig.com" or domainname like "api.googlserves.com" or url like "api.googlserves.com" or siteurl like "api.googlserves.com" or domainname like "fcm.androidlogs.com" or url like "fcm.androidlogs.com" or siteurl like "fcm.androidlogs.com" or domainname like "prod-log-oss-01.oss-ap-southeast-1.aliyuncs.com" or url like "prod-log-oss-01.oss-ap-southeast-1.aliyuncs.com" or siteurl like "prod-log-oss-01.oss-ap-southeast-1.aliyuncs.com" or domainname like "api.uplogconfig.com" or url like "api.uplogconfig.com" or siteurl like "api.uplogconfig.com" or domainname like "upload.crash-report.com" or url like "upload.crash-report.com" or siteurl like "upload.crash-report.com" or domainname 
like "stat.upload-logs.com" or url like "stat.upload-logs.com" or siteurl like "stat.upload-logs.com" or domainname like "avatar.ttaeae.com" or url like "avatar.ttaeae.com" or siteurl like "avatar.ttaeae.com"
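The same domain matching applied to exported proxy or DNS records, as an added example that is not part of the original advisory or of Gurucul's query language: it compares parsed hostnames, so the shared-provider bucket host matches only as a full name and a URL that merely mentions an indicator in its query string does not hit. The `device` field, the sample records and the choice to treat `98kk89.com` as a whole zone are assumptions; only three indicators from the query are included.

```python
from urllib.parse import urlsplit

# Indicators copied from Detection Query 1 on this page (three of them, for brevity).
EXACT_HOSTS = {
    "config.googleslb.com",
    "logserves.s3-accelerate.amazonaws.com",  # one bucket host on a shared provider domain
}
# Assumption: the page lists 98kk89.com and one of its subdomains, so the zone is matched whole.
ZONES = {"98kk89.com"}
FIELDS = ("domainname", "url", "siteurl")  # field names used by the page's query


def host_of(value):
    """Hostname from a bare domain, host:port or full URL, lower-cased, no trailing dot."""
    value = value.strip()
    if "://" not in value:
        value = "//" + value  # lets urlsplit parse scheme-less input
    try:
        host = urlsplit(value).hostname or ""
    except ValueError:  # malformed bracketed host
        return ""
    return host.rstrip(".").lower()


def match_indicator(value):
    """Return the matched indicator, or None. Zones match on label boundaries only."""
    host = host_of(value)
    if host in EXACT_HOSTS:
        return host
    for zone in ZONES:
        if host == zone or host.endswith("." + zone):
            return zone
    return None


def scan(records):
    """List of (device, field, indicator) for the first matching field of each record."""
    hits = []
    for rec in records:
        for field in FIELDS:
            indicator = match_indicator(rec.get(field) or "")
            if indicator:
                hits.append((rec.get("device"), field, indicator))
                break
    return hits


SAMPLE = [  # constructed records; "device" is a hypothetical field name
    {"device": "tab-01", "domainname": "CONFIG.GOOGLESLB.COM."},
    {"device": "tab-02", "url": "https://nzxsxn.98kk89.com:8443/a?b=1"},
    {"device": "tab-03", "domainname": "s3-accelerate.amazonaws.com"},
    {"device": "tab-04", "siteurl": "http://x98kk89.com/"},
    {"device": "tab-05", "url": "https://example.org/?next=config.googleslb.com"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```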

    Detection Query 2 :

    sha256hash IN ("183e9174e51786be77d1341bcf7f05514f581823532028119c5844a8a5111848","03e62ac5080496c67676c0ef5f0bc50fc42fc31cf953538eda7d6ec6951979d8","0751decd391fa76d02329b0726c308206e58fc867f50283aa688d9fe0c70e835","4fbf1906fe02745cbf0350563440e9a05d19cd4a27c4fb6b67436392a18a0cd4","98db4904c3299b8ac383dd177c3cde87af25c088df1988f484427aab3b5c4e0d","ddc4da4c63c8bc7df53c3c7fe350b56ad31f313c7d95b472dc45a9fcf85273f0","7d90ee0be5eb63fbaa6839efdd6217b482576b1bab553731cac0b55f2fa1e6fa","cf945c433aa80120be10566b9f1ae88e043f96872996f599b75bb57c74248e56","f654c5f926ebfcded4c0d07590972536280454e2501dc8a525390402fa945ff1","7f00991e63154a79ea220b713fcfb2ef8b8db923a75366a61e9bc30d9c355274","4f7825647bab001298f768302d0eeb6e0d639d401dc8b5bf60a4b9841a93c980","a430123efe9611f322fbc3c459fc5ec13abbb0def88ba3ec56a05a361a51a9ac","b4438ac1694e3a08a994750a7ac76399c48d5d3446e90ebebbea1f8694bf3dd5","ab6365bf7e6c7fba6867b44a80e8bf653c7b66ff91204ee3e2981b6532fea7ee","1e7fe0ae7546162f23ff4f6e570f51b38562bf4f0ffd9305533b43d19574be38","4830a985f064974e6b5d19ae95d645d01fb57edd975a4fce5a1453c2ada70d4e","c332166f720e4d2f6f9b59993559df05281e7d2fbd56f90a7f2399a0ac620295","07a9d41c1c775def78a017cf1f6e65266382e76de0f05400b3296e2230979664","8cd77df7cf2242105b12297071ad1d11e91264f9de311d1b082666da19134476","e5b8d25ef612f0240ce28fbffd550fd4e0b9abdbf325e3ff85718e8312b70c2b","0f28c49b24070a36dec09dd9d4b768e1ef6583b4891eca2e935a304ce704fcce","3937b0bec287662fd82fca4693c8b3619b8c61eca7fe6efa7540c1ae291f8759","a02694b5de7a8a6ef3024d53e54a54a676f992bfa1e070f07827ab9b5dd1365c","fd62c2bfa2277eff8787926f9976aa4a11235a18a9a543ced71a509c6ebf2bf2","fc3b06c36feb38ed62f3034e428e814d6e1ac06ec1569ea22428374b8d15d848","ec79443aa53864e4d322b8fa8fd4aad0ef878221f01e7d32512694ba24992aee","066a096a3716e02a6a40f0d7e6c1063baecbebc9cbcc91e7f55b2f82c0dad413","974a5d005d3cfe4c63bd7a46ca72c6716c6c6de397d2e3e19b1730def31f7825","bf47dc1577c8b862c4e849a7ce52e143239f2f7274421befa902baf4bd1c4a19","db1168f2cb3b25ef65e06eb4e788ddda237a428fbce0725de1e9d70b36e96833","54224288aa9fa3d4281fb91ad7b202fbc3e5708b173e319b6b450ad15bcdab43","c517b26dfc8ffd5de7f49966ff3391475f80299ebc6ad9988bf166029cf76c91","a1e77c148f190b6bfdd40ce657722e902a31cedecab669dd6f78f38b6b18ddf7","1e0376330ff9e97f798870da8433c81e39f3591c82497ca1f6b5f00878d0221a","1e8b048c8d32662f340787893d9ca824b039c14fb91bcc16e185a8bb872e0b80","224e2395d3df96cf19e0b7be9731452da5b568026d81bd0981e48893f6a66859","2c2c965f3d091693bc6906fc2ed8d03ffccb84e0665841f2d073c2f0a09261bc","30504104f232a990f8226ff746b1718aafb727ce111d5a538962cc5e06c4259a","594521e642fee75d474d8d0be839ebe9341f30196b19555882499145bf00746b","721d92d30fbb90fe643507055baa4cce937c8659f1520be1bbce7f9669af6f84","98819230a6c3f5092517ada9652e9156e338acc27d29e4647b3cb69cddb668cb","9b9f55c4a68385e4a739c7d11159c9b4ab006660142331e8bdc477b5eba62aad","b8087e3535d395210b80637be35da6ae8e10450b6fb87de62a284d5d7397cd17","c509a98d0823add0c1440a7b043586eb5a8069fbb776ca36252f5b7653c92cb7","d72d96c6f299fe961dd98655e0468e45ed3ac03df0cfa499e27d4c399e304500","df00753933359d7369668eddeb0dc2565f075c78e4b46f3cabd2e8ff31eda42e","e32c8a869585c107ccd1586b5edebc1d8eaa18017c2dd39b6267eec4db7f7410","e5f3aa5ef6b5b5fa94a921b55f52aa2c1011486b7370f1585deb6d571325ebcb","f7c664ea66c43a82801ed7da23369af1e285857c1a4bf200147b716715f09d3f","106edd06b6961c3d38edfefd2869ee05285f11b68befe145b124794d0e79e766")

    Reference: 

    https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-research-operation-novoice-rootkit-malware-android/             


    Tags

    Malware, Rootkit, Exploit, Whatsapp, Data Stealer, Android Malware
