Phone appears inactive but can perform different tasks

Feb 19, 2015 22:31 GMT

A new piece of malware for Android devices has been discovered to interfere with the shutdown process of the device, making it appear as if it is turned off while the mobile is still active, allowing an attacker to run different tasks surreptitiously.

The user is not alerted in any way of the nefarious activity, which can range from initiating calls to using the built-in camera to take pictures.

Malware requires root access

On the latest version of Android, Lollipop, the functionality of the power button has been reduced to that of turning off the device.

On previous builds, which have a significantly larger user base than Lollipop, the button can also be used to switch to vibration or silent mode, or to suspend signal transmission by enabling airplane mode.

However, the Android version on the device is irrelevant, because the shutdown sequence is the same.

AVG caught the new mobile malware strain and analyzed how it hijacks the power-off process. The researchers say that the malicious code interferes with the “mWindowManagerFuncs.shutdown” function, which is responsible for starting the shutdown procedure.

To do that, the malware needs root permission on the device so that it can alter system applications. Once it has root, it injects itself into the “system_server” process and hooks the “mWindowManagerFuncs” interface object that calls the shutdown function.
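A defender with a root shell can look for this kind of injection by reviewing which files system_server has mapped as executable code. The Python below is an added example, not AVG's code or part of the original article; it assumes the injected code shows up as an executable file mapping, and the path allowlist and the sample map lines (including the file names in them) are constructed for illustration.

```python
import re

# Assumption: code that system_server normally executes is mapped from these
# locations; tune the list for the Android release and vendor image in use.
TRUSTED_PREFIXES = ("/system/", "/vendor/", "/data/dalvik-cache/")
# ashmem regions (e.g. the runtime's JIT cache) are named, not file-backed.
IGNORED_PREFIXES = ("/dev/ashmem/",)

# Fields of a /proc/<pid>/maps line: range, perms, offset, dev, inode, path.
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+([rwxsp-]{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)

def suspicious_mappings(maps_text):
    """Return (path, perms, deleted) for executable file mappings to review."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        perms, path = m.group(1), m.group(2).strip()
        if "x" not in perms or not path.startswith("/"):
            continue  # skip data-only, anonymous and [pseudo] regions
        deleted = path.endswith(" (deleted)")
        if deleted:
            path = path[: -len(" (deleted)")]
        if path.startswith(IGNORED_PREFIXES):
            continue
        # Flag code loaded from outside the system image, or whose backing
        # file was unlinked after it was loaded.
        if deleted or not path.startswith(TRUSTED_PREFIXES):
            entry = (path, perms, deleted)
            if entry not in findings:
                findings.append(entry)
    return findings

# Constructed sample; on a device the text would come from a root shell
# reading /proc/<pid of system_server>/maps.
SAMPLE_MAPS = """\
b6f00000-b6f40000 r-xp 00000000 b3:19 1234   /system/lib/libandroid_runtime.so
b6f40000-b6f44000 rw-p 00040000 b3:19 1234   /system/lib/libandroid_runtime.so
70000000-70800000 r-xp 00000000 b3:1c 4410   /data/dalvik-cache/arm/system@framework@boot.oat
a1000000-a1010000 r-xp 00000000 b3:1c 88231  /data/local/tmp/libhook.so
a2000000-a2004000 r-xp 00000000 b3:1c 88240  /data/app/example/lib/libx.so (deleted)
9f000000-9f100000 rwxp 00000000 00:04 5521   /dev/ashmem/dalvik-jit-code-cache (deleted)
be800000-be821000 rw-p 00000000 00:00 0      [stack]
"""

if __name__ == "__main__":
    for path, perms, deleted in suspicious_mappings(SAMPLE_MAPS):
        print(perms, path, "(deleted)" if deleted else "")
```

A hit is a lead for further analysis of the mapped file, not proof of infection.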

Shutdown sequence needs to be triggered

With all the hooks in place, the malicious software will show a fake shutdown animation when the poweroff option is selected upon long pressing the power management button; the screen goes off and the device appears inactive.

The researchers at AVG have not described a scenario suited to this type of attack. Unless other tricks are involved, it appears that the user has to shut down the phone voluntarily for the malicious app to hijack the process, and that does not happen as often as the cybercriminals might like.

The blog post from AVG advises users to remove the battery of the device to make sure that the shutdown is not spoofed. However, this is not possible with all phone models. Alternatively, installing a mobile antivirus solution could prevent the malware from meddling with the “mWindowManagerFuncs.shutdown” function.