A new piece of Android malware can perform a wide range of actions on infected phones without being detected by making it look like the device is turned off.
According to AVG researchers, the malware hijacks the smartphone’s shutdown process. When users try to turn off the device by pressing the power button, they see the regular shutdown animation and the phone appears to turn off. In reality, the device is still on, allowing cybercrooks to perform various tasks, such as making calls and taking pictures.
When users press the power button on an Android device, the interceptKeyBeforeQueueing function is invoked. When the button is released, a different function, interceptPowerKeyUp, is called.
If a long press is detected, the showGlobalActionsDialog function is invoked. This function is responsible for opening the dialog that allows users to select if they want to power off the device, put it in airplane mode, or change its audio profile. When “power off” is selected, mWindowManagerFuncs.shutdown is called.
“mWindowManagerFuncs is an interface object. It will actually call the thread ShutDownThread’s shutdown function. ShutDownThread.shutdown is the real entry point of the shutting down process. It will shut down radio service first and invoke the power manager service to turn the power off,” AVG researchers explained in a blog post.
When it’s installed on a device, the malware first tries to obtain root permissions. Once this is done, the Trojan injects code into the system_server process and hooks the mWindowManagerFuncs object.
With the object hooked, when users press the power button, they are presented with a fake dialog, and if they select the “power off” option, a fake shutdown animation is displayed. The threat also hooks some system broadcast services in order to make it look like the device is really turned off.
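The call chain above (power key long-press, showGlobalActionsDialog, mWindowManagerFuncs.shutdown, ShutdownThread.shutdown, radio off, then the power manager) and the hooking point the Trojan uses can be modelled in a few dozen lines. The following is an added illustration, not AVG's analysis code and not AOSP source: the class and interface names mirror the framework names quoted in the article, but the DeviceState recorder, the HijackedWindowManagerFuncs class and the powerOffReallyHappened helper are assumptions made for the example. Its point is that because mWindowManagerFuncs is an ordinary interface reference held inside system_server, a process with root can replace that single object and everything downstream of it (radio shutdown, the power-off call) is simply never reached.

```java
// Added example: a minimal model of the Android power-off path and of the
// mWindowManagerFuncs hook described in the article. Not AOSP code.
import java.util.ArrayList;
import java.util.List;

public class PowerOffHijackModel {

    /** Simplified stand-in for WindowManagerPolicy.WindowManagerFuncs. */
    interface WindowManagerFuncs {
        void shutdown(boolean confirm);
    }

    /** Hypothetical recorder for what the shutdown path really did. */
    static class DeviceState {
        boolean radioOn = true;
        boolean powerOn = true;
        final List<String> log = new ArrayList<>();
    }

    /** Models ShutdownThread.shutdown: radio service first, then power manager. */
    static class ShutdownThread {
        static void shutdown(DeviceState dev) {
            dev.log.add("ShutdownThread.shutdown");
            dev.radioOn = false;
            dev.log.add("radio off");
            dev.powerOn = false;
            dev.log.add("PowerManagerService: power off");
        }
    }

    /** The genuine object behind mWindowManagerFuncs. */
    static class RealWindowManagerFuncs implements WindowManagerFuncs {
        private final DeviceState dev;
        RealWindowManagerFuncs(DeviceState dev) { this.dev = dev; }
        @Override public void shutdown(boolean confirm) {
            ShutdownThread.shutdown(dev);
        }
    }

    /** Hypothetical replacement installed by the Trojan after injecting system_server. */
    static class HijackedWindowManagerFuncs implements WindowManagerFuncs {
        private final DeviceState dev;
        HijackedWindowManagerFuncs(DeviceState dev) { this.dev = dev; }
        @Override public void shutdown(boolean confirm) {
            dev.log.add("fake shutdown animation shown");
            dev.log.add("shutdown broadcasts faked");
            // Never calls ShutdownThread.shutdown: radio and power stay on.
        }
    }

    /** Stand-in for PhoneWindowManager: the long-press path ends in mWindowManagerFuncs.shutdown. */
    static class PhoneWindowManager {
        WindowManagerFuncs mWindowManagerFuncs;
        PhoneWindowManager(WindowManagerFuncs funcs) { mWindowManagerFuncs = funcs; }

        void interceptPowerKeyUp(boolean longPress) {
            if (longPress) {
                showGlobalActionsDialog();
            }
        }

        void showGlobalActionsDialog() {
            // The user picks "Power off" from the dialog.
            mWindowManagerFuncs.shutdown(true);
        }
    }

    /** Runs the long-press path, with or without the hook, and reports whether the device is really off. */
    static boolean powerOffReallyHappened(boolean hooked) {
        DeviceState dev = new DeviceState();
        PhoneWindowManager pwm = new PhoneWindowManager(new RealWindowManagerFuncs(dev));
        if (hooked) {
            // The whole attack is this one reference swap inside system_server.
            pwm.mWindowManagerFuncs = new HijackedWindowManagerFuncs(dev);
        }
        pwm.interceptPowerKeyUp(true);
        System.out.println((hooked ? "hooked:  " : "genuine: ") + dev.log
                + "  radioOn=" + dev.radioOn + " powerOn=" + dev.powerOn);
        return !dev.radioOn && !dev.powerOn;
    }

    public static void main(String[] args) {
        System.out.println("genuine path powers off:  " + powerOffReallyHappened(false));
        System.out.println("hijacked path powers off: " + powerOffReallyHappened(true));
    }
}
```

Running the model shows the genuine path reaching both "radio off" and the power manager call, while the hooked path logs only the fake animation and leaves radioOn and powerOn true, which is exactly the state the user cannot distinguish from a powered-down phone without an external check (for example, the device still enumerating over USB).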
A recent report from Alcatel-Lucent estimates that 16 million mobile devices were infected with malware in 2014. The company found that the number of Android malware samples increased considerably in 2014 compared to the previous year, and that the sophistication of such threats increased as well.
Good examples of sophisticated Android malware are NotCompatible, a threat that’s said to pose a serious risk to enterprises, and Koler, a piece of ransomware seen in the wild since April 2014.