Android device shutdown hijacking software appears in China


Antivirus company AVG recently discovered an Android malware called "PowerOffHijack" that works in a unique way: it hijacks the shutdown process. PowerOffHijack makes your phone look like it is turned off, and then snoops on your phone.

In other words, when you press the power off button, your device does not actually shut down. Although you still see the shutdown screen and the screen turns black, your phone or tablet is actually on.

When your Android device is in this state, PowerOffHijack will make phone calls, take photos, and "perform other tasks without the user's knowledge."

Here’s how this Android malware hijacks your device:

First, it gains root privileges.

Then, after gaining root privileges, the malware injects itself into the system_server process and hijacks the mWindowManagerFuncs object.

Then, when you press the power button, a fake dialog box will appear. If you choose to shut down, it will show a fake shutdown screen with the screen off but the phone on.

Finally, in order to make your phone look like it is really turned off, some system broadcast services are also hijacked.
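A defender-side check for the injection step described above, as an added example that is not from AVG or the original article: it audits a captured `/proc/<pid>/maps` dump of system_server for executable mappings that do not come from expected system locations. The trusted-prefix list, the function name and the sample dump are assumptions constructed for illustration, and findings are triage leads rather than verdicts.

```python
import re

# Assumption: locations a stock pre-5.0 system_server maps executable code from.
TRUSTED_PREFIXES = ("/system/", "/vendor/", "/data/dalvik-cache/", "/dev/ashmem/")

# address-range, perms, offset, device, inode, optional path
MAPS_LINE = re.compile(
    r"^([0-9a-f]+-[0-9a-f]+)\s+([rwxsp-]{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)

def audit_maps(maps_text):
    """Return (reason, address_range, path) for each executable mapping worth triage."""
    findings = []
    for raw in maps_text.splitlines():
        m = MAPS_LINE.match(raw.strip())
        if not m:
            continue
        addr, perms, path = m.groups()
        if "x" not in perms or path.startswith("["):
            continue  # data mapping, or kernel pseudo-region such as [vectors]
        deleted = path.endswith(" (deleted)")
        if deleted:
            path = path[: -len(" (deleted)")]
        if not path:
            findings.append(("anonymous-exec", addr, ""))
        elif not path.startswith(TRUSTED_PREFIXES):
            findings.append(("untrusted-path", addr, path))
        elif deleted and not path.startswith("/dev/ashmem/"):
            # ashmem regions are always shown as deleted, so they are excluded here
            findings.append(("deleted-file", addr, path))
    return findings

# Constructed sample dump (not taken from a real device or from the malware).
SAMPLE_MAPS = """\
40000000-40012000 r-xp 00000000 b3:09 1201 /system/bin/linker
40100000-40160000 r-xp 00000000 b3:09 1342 /system/lib/libandroid_servers.so
40160000-40164000 rw-p 0005f000 b3:09 1342 /system/lib/libandroid_servers.so
4a000000-4a100000 r-xp 00000000 00:04 5120 /dev/ashmem/dalvik-jit-code-cache (deleted)
5c000000-5c020000 r-xp 00000000 b3:0b 7731 /data/local/tmp/libexample_injected.so
5d000000-5d001000 rwxp 00000000 00:00 0
5e000000-5e008000 r-xp 00000000 b3:09 1400 /system/lib/libexample.so (deleted)
ffff0000-ffff1000 r-xp 00000000 00:00 0 [vectors]
"""

if __name__ == "__main__":
    for reason, addr, path in audit_maps(SAMPLE_MAPS):
        print(f"{reason:15} {addr} {path or '<no backing file>'}")
```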

Here is the code for PowerOffHijack to record the call:

Here is the code that PowerOffHijack uses to send a private message:

While AVG has published numerous reports describing how PowerOffHijack hijacks the shutdown process, there is little information about the software itself. AVG did not explain how they discovered the malware, nor how it got onto Android devices. The fact that the software requires root access means it cannot simply get onto your phone while you're browsing the web.

Most Android malware enters Android devices when users install suspicious apps from third-party app stores.

"We found that this malware targets Android systems below 5.0, it requires root privileges, and so far we have found about 10,000 devices infected, mostly in China because it first appeared in China. We see it spreading in the Chinese app market," an AVG spokesperson told reporters.
