SecurityWeek

Android Malware Hijacks Phone’s Shutdown Process

A new piece of Android malware can perform a wide range of actions on infected phones without being detected by making it look like the device is turned off.

According to AVG researchers, the malware hijacks the smartphone’s shutdown process. When users try to turn off the mobile device by pressing the power button, they see the regular shutdown animation and the phone appears to turn off. In reality, the device is still on, allowing cybercrooks to perform various tasks, such as making calls and taking pictures.

When users press the power button on an Android device, the interceptKeyBeforeQueueing function is invoked. When the button is released, a different function, interceptPowerKeyUp, is called.

If a long press is detected, the showGlobalActionsDialog function is invoked. This function is responsible for opening the dialog that allows users to select if they want to power off the device, put it in airplane mode, or change its audio profile. When “power off” is selected, mWindowManagerFuncs.shutdown is called.

“mWindowManagerFuncs is an interface object. It will actually call the thread ShutDownThread’s shutdown function. ShutDownThread.shutdown is the real entry point of the shutting down process. It will shut down radio service first and invoke the power manager service to turn the power off,” AVG researchers explained in a blog post.

When it’s installed on a device, the malware first tries to obtain root permissions. Once this is done, the Trojan injects code into the system_server process and hooks the mWindowManagerFuncs object.

With the object hooked, when users press the power button, they are presented with a fake dialog, and if they select the “power off” option, a fake shutdown animation is displayed. The threat also hooks some system broadcast services in order to make it look like the device is really turned off.
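A defender's check for the injection described above, as an added example that is not from AVG's write-up or the original article: it parses a `/proc/<pid>/maps` listing for system_server and flags file-backed executable mappings loaded from outside the expected locations. The trusted-prefix list, the idea that the injected code appears as such a mapping, and every path in the sample are assumptions constructed for illustration.

```python
import re

# Assumption: prefixes from which system_server legitimately maps executable
# code on the build under review; tune this list per device image.
TRUSTED_PREFIXES = ("/system/", "/vendor/", "/data/dalvik-cache/", "/dev/ashmem/dalvik-")

# One /proc/<pid>/maps row: range, perms, offset, dev, inode, optional path.
MAPS_ROW = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)


def untrusted_exec_mappings(maps_text):
    """Return file-backed executable mappings loaded from outside TRUSTED_PREFIXES."""
    findings = []
    for row in maps_text.splitlines():
        m = MAPS_ROW.match(row.strip())
        if not m:
            continue
        start, _end, perms, path = m.groups()
        if "x" not in perms or not path.startswith("/"):
            continue  # not executable, or an anonymous / [vectors]-style pseudo entry
        deleted = path.endswith(" (deleted)")  # backing file was unlinked after load
        if deleted:
            path = path[: -len(" (deleted)")]
        if path.startswith(TRUSTED_PREFIXES):
            continue
        findings.append({"start": start, "perms": perms, "path": path, "deleted": deleted})
    return findings


# Constructed sample listing (not captured from a real device); libhook.so,
# payload.so and com.example.app are hypothetical names.
SAMPLE_MAPS = """\
400f1000-400f4000 r-xp 00000000 b3:09 412 /system/bin/app_process
40a12000-40a5f000 r-xp 00000000 b3:09 901 /system/lib/libandroid_runtime.so
40a5f000-40a63000 rw-p 0004d000 b3:09 901 /system/lib/libandroid_runtime.so
6f2c1000-70b11000 r-xp 00000000 b3:1c 7733 /data/dalvik-cache/system@framework@boot.oat
7541a000-7541f000 r-xp 00000000 b3:1c 8120 /data/local/tmp/libhook.so
75600000-75602000 r-xp 00000000 b3:1c 0 /data/data/com.example.app/files/payload.so (deleted)
be8d1000-be8f2000 rw-p 00000000 00:00 0 [stack]
ffff0000-ffff1000 r-xp 00000000 00:00 0 [vectors]
"""

if __name__ == "__main__":
    for finding in untrusted_exec_mappings(SAMPLE_MAPS):
        print(finding)
```

Reading the maps file of system_server on a real device requires root or a debug build, and a clean result does not rule out hooks placed without a file-backed library.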

A recent report from Alcatel-Lucent estimates that 16 million mobile devices were infected with malware in 2014. While the number of Android malware samples increased considerably in 2014 compared to the previous year, the company determined that the sophistication of such threats has also increased.

Good examples of sophisticated Android malware are NotCompatible, which is said to pose a serious threat to enterprises, and Koler, a piece of ransomware seen in the wild since April 2014.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
