
SecurityWeek


Android Malware Hijacks Phone’s Shutdown Process

A new piece of Android malware can perform a wide range of actions on infected phones without being detected by making it look like the device is turned off.


According to AVG researchers, the malware hijacks the smartphone’s shutdown process. When users try to turn off the mobile device by pressing the power button, they see the regular shutdown animation and the phone appears to turn off. In reality, the device is still on, allowing cybercrooks to perform various tasks, such as making calls and taking pictures.

When users press the power button on an Android device, the interceptKeyBeforeQueueing function is invoked. When the button is released, a different function, interceptPowerKeyUp, is called.

If a long press is detected, the showGlobalActionsDialog function is invoked. This function is responsible for opening the dialog that allows users to select if they want to power off the device, put it in airplane mode, or change its audio profile. When “power off” is selected, mWindowManagerFuncs.shutdown is called.

“mWindowManagerFuncs is an interface object. It will actually call the thread ShutDownThread’s shutdown function. ShutDownThread.shutdown is the real entry point of the shutting down process. It will shut down radio service first and invoke the power manager service to turn the power off,” AVG researchers explained in a blog post.

When it’s installed on a device, the malware first tries to obtain root permissions. Once this is done, the Trojan injects code into the system_server process and hooks the mWindowManagerFuncs object.

With the object hooked, when users press the power button, they are presented with a fake dialog, and if they select the “power off” option, a fake shutdown animation is displayed. The threat also hooks some system broadcast services in order to make it look like the device is really turned off.
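A defender triaging a suspect device can look for signs of the system_server injection described above. The following is an added example, not code from AVG or SecurityWeek: it parses the text of `/proc/<pid>/maps` for system_server and flags executable mappings that are not backed by system partitions. The trusted-prefix list, the heuristics, and the sample lines are assumptions constructed for illustration; the article does not say how the injected code is mapped.

```python
import re

# Assumption: locations that legitimately back executable code in system_server.
TRUSTED_PREFIXES = ("/system/", "/system_ext/", "/vendor/", "/product/", "/apex/",
                    "/data/dalvik-cache/", "/data/misc/apexdata/")

# One /proc/<pid>/maps line: range, perms, offset, dev, inode, optional path.
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-[0-9a-f]+\s+([rwxsp-]{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$")

def suspicious_mappings(maps_text):
    """Return (start, perms, path, reason) for each executable mapping that is
    deleted on disk, outside the trusted prefixes, or writable+executable."""
    findings = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        start, perms, path = m.group(1), m.group(2), m.group(3).strip()
        if "x" not in perms:
            continue  # only executable regions can hold injected code that runs
        if path.endswith(" (deleted)"):
            findings.append((start, perms, path, "executable file deleted after mapping"))
        elif path.startswith("/") and not path.startswith(TRUSTED_PREFIXES):
            findings.append((start, perms, path, "executable file outside trusted partitions"))
        elif "w" in perms:
            findings.append((start, perms, path or "[anonymous]", "writable and executable"))
    return findings

# Constructed sample, not taken from a real infected device.
SAMPLE_MAPS = """\
7a1c000000-7a1c200000 r-xp 00000000 fd:00 1201 /system/lib64/libandroid_runtime.so
7a1c200000-7a1c210000 rw-p 00200000 fd:00 1201 /system/lib64/libandroid_runtime.so
7a2d000000-7a2d004000 r-xp 00000000 fd:03 88231 /data/local/tmp/libexample.so
7a3e000000-7a3e001000 rwxp 00000000 00:00 0
7a4f000000-7a4f002000 r-xp 00000000 fd:03 0 /data/app/lib.so (deleted)
7a50000000-7a50001000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for start, perms, path, reason in suspicious_mappings(SAMPLE_MAPS):
        print(f"{start} {perms} {path}: {reason}")
```

Reading system_server's maps requires root on the device. Legitimate regions such as the ART JIT code cache can also be flagged, so compare results against a known-good device running the same build.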

A recent report from Alcatel-Lucent estimates that 16 million mobile devices were infected with malware in 2014. While the number of Android malware samples increased considerably in 2014 compared to the previous year, the company determined that the sophistication of such threats has also increased.


Good examples of sophisticated Android malware are NotCompatible, which is said to pose a serious threat to enterprises, and Koler, a piece of ransomware seen in the wild since April 2014.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
