New Android Trojan fakes device shut down, spies on users

A new Android Trojan that tricks users into believing they have shut their device down while it continues working, and is able to silently make calls, send messages, take photos and perform many other tasks, has been discovered and analyzed by AVG researchers.

They dubbed it PowerOffHijack, and AVG’s security solutions detect it under that name.

PowerOffHijack has been discovered in China, where it has already infected over 10,000 devices. It is apparently being propagated via third-party online app stores, but the researchers haven’t mentioned what apps it masquerades as.

The Trojan is capable of infecting Android versions below v5.0 (Lollipop).

How does it work?

“After pressing the power button, you will see the real shutdown animation, and the phone appears off. Although the screen is black, it is still on,” the researchers explained.

That’s because the malware, after having previously obtained root access, is capable of injecting code into the system_server process and hooking the mWindowManagerFuncs object. The hook ultimately prevents the mWindowManagerFuncs.shutdown function from doing its job, which is to first shut down the radio service and then invoke the power manager service to turn the power off.

After keeping the power button pressed long enough to initiate the shutdown procedure, the victims are presented with a fake pop-up that asks for confirmation of the process, and see a fake shutdown animation. The malware and the phone will continue working, but the screen will be black.
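
Because the hook lives inside system_server, one triage check on a device under examination is to look for executable memory in that process that is not backed by the system partition. The Python below is an added example, not AVG's code or part of the original article. The trusted path prefixes, the sample maps content and the library name libexample_hook.so are assumptions constructed for illustration.

```python
# Added example: flag executable mappings in a process (e.g. system_server)
# that do not come from trusted locations. Input is the text of
# /proc/<pid>/maps; the sample below is constructed, not from a real device.

# Assumption: on a pre-Lollipop device, legitimate executable code in
# system_server is backed by these locations.
TRUSTED_PREFIXES = ("/system/", "/vendor/", "/dev/ashmem/dalvik-")

SAMPLE_MAPS = """\
40000000-40002000 r-xp 00000000 b3:09 312 /system/bin/app_process
40100000-40180000 r-xp 00000000 b3:09 845 /system/lib/libandroid_runtime.so
40180000-40184000 rw-p 00080000 b3:09 845 /system/lib/libandroid_runtime.so
41a00000-41b00000 r-xp 00000000 00:04 5120 /dev/ashmem/dalvik-jit-code-cache (deleted)
5d200000-5d400000 r--p 00000000 b3:0c 7731 /data/dalvik-cache/system@framework@services.jar@classes.dex
5e000000-5e012000 r-xp 00000000 b3:0c 9902 /data/local/tmp/libexample_hook.so
5e100000-5e101000 rwxp 00000000 00:00 0
be800000-be821000 rw-p 00000000 00:00 0 [stack]
"""


def parse_maps(text):
    """Yield (start, end, perms, path) for each /proc/<pid>/maps line."""
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue  # not a maps line
        start, end = (int(x, 16) for x in fields[0].split("-"))
        # The pathname column is absent for anonymous mappings.
        path = fields[5].strip() if len(fields) == 6 else ""
        yield start, end, fields[1], path


def suspicious_mappings(text, trusted=TRUSTED_PREFIXES):
    """Return (start, perms, path) for executable regions worth a closer look."""
    findings = []
    for start, _end, perms, path in parse_maps(text):
        if "x" not in perms:
            continue  # only executable memory can host injected code
        if not path:
            findings.append((hex(start), perms, "<anonymous>"))
        elif path.startswith("["):
            continue  # kernel-provided regions such as [vectors]
        elif not path.startswith(trusted):
            findings.append((hex(start), perms, path))
    return findings


if __name__ == "__main__":
    for finding in suspicious_mappings(SAMPLE_MAPS):
        print(*finding)
```

A hit is a lead for further analysis rather than proof of infection, since the trusted list has to be tuned to the device's firmware.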