
Android Malware Hijacks Phone’s Shutdown Process

A new piece of Android malware can perform a wide range of actions on infected phones without being detected by making it look like the device is turned off.


According to AVG researchers, the malware hijacks the smartphone’s shutdown process. When users try to turn off the mobile device by pressing the power button, they see the regular shutdown animation and the phone appears to turn off. In reality, the device is still on, allowing cybercrooks to perform various tasks, such as making calls and taking pictures.

When users press the power button on an Android device, the interceptKeyBeforeQueueing function is invoked. When the button is released, a different function, interceptPowerKeyUp, is called.

If a long press is detected, the showGlobalActionsDialog function is invoked. This function is responsible for opening the dialog that allows users to select if they want to power off the device, put it in airplane mode, or change its audio profile. When “power off” is selected, mWindowManagerFuncs.shutdown is called.

“mWindowManagerFuncs is an interface object. It will actually call the thread ShutDownThread’s shutdown function. ShutDownThread.shutdown is the real entry point of the shutting down process. It will shut down radio service first and invoke the power manager service to turn the power off,” AVG researchers explained in a blog post.

When it’s installed on a device, the malware first tries to obtain root permissions. Once this is done, the Trojan injects code into the system_server process and hooks the mWindowManagerFuncs object.

With the object hooked, when users press the power button, they are presented with a fake dialog, and if they select the “power off” option, a fake shutdown animation is displayed. The threat also hooks some system broadcast services in order to make it look like the device is really turned off.
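For defenders triaging a device suspected of this kind of system_server injection, the following added example (not from the article or from AVG) flags executable, file-backed mappings in a process memory map that fall outside an allowlist of system directories. It assumes the injected code shows up as such a mapping in `/proc/<pid>/maps` output; the sample map, the allowlist and the function names are constructed for illustration.

```python
# Added example: heuristic triage of a system_server memory map.
# SAMPLE_MAPS is constructed for illustration; it is not from a real device.
SAMPLE_MAPS = """\
7a1c000000-7a1c200000 r-xp 00000000 fd:00 1234 /system/lib64/libandroid_runtime.so
7a1d000000-7a1d080000 r-xp 00000000 fd:00 2345 /system/framework/arm64/boot-framework.oat
7a1e000000-7a1e010000 r-xp 00000000 fd:02 3456 /data/dalvik-cache/arm64/system@framework@services.jar@classes.dex
7a1f000000-7a1f004000 r-xp 00000000 fd:02 4567 /data/local/tmp/libhook.so
7a20000000-7a20002000 r-xp 00000000 fd:02 5678 /data/data/com.example.app/files/payload.so (deleted)
7a21000000-7a21100000 rw-p 00000000 00:00 0 [anon:libc_malloc]
"""

# Assumed allowlist of directories that legitimately back executable code in
# system_server; adjust it to the Android build being examined.
TRUSTED_PREFIXES = ("/system/", "/apex/", "/vendor/", "/product/", "/data/dalvik-cache/")

def parse_maps(text):
    """Yield (perms, path) for each line of /proc/<pid>/maps output."""
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue
        path = fields[5].strip() if len(fields) == 6 else ""
        yield fields[1], path

def suspicious_mappings(text):
    """Return file-backed executable mappings outside the trusted prefixes."""
    findings = []
    for perms, path in parse_maps(text):
        if "x" not in perms or not path.startswith("/"):
            continue  # skip non-executable and anonymous/pseudo mappings
        deleted = path.endswith(" (deleted)")
        clean = path[: -len(" (deleted)")] if deleted else path
        if deleted or not clean.startswith(TRUSTED_PREFIXES):
            findings.append((clean, "deleted" if deleted else "untrusted path"))
    return findings

if __name__ == "__main__":
    for path, reason in suspicious_mappings(SAMPLE_MAPS):
        print(f"{reason}: {path}")
```

A hit is a lead for further analysis rather than proof of compromise, and an empty result does not rule out hooks that leave no file-backed mapping.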

A recent report from Alcatel-Lucent estimates that 16 million mobile devices were infected with malware in 2014. While the number of Android malware samples increased considerably in 2014 compared to the previous year, the company determined that the sophistication of such threats has also increased.

Good examples of sophisticated Android malware are NotCompatible, which is said to pose a serious threat to enterprises, and Koler, a piece of ransomware seen in the wild since April 2014.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
