A new type of Android malware can hijack your phone’s shutdown process to fake being turned off. Once the phone is in this false shutdown state, the malware is used to steal data and use the phone’s services. The phone must be rooted to be vulnerable to this exploit.
Researchers at AVG found the malware and posted information about it to their blog on February 18, 2015. When an infected phone is being shut down, a fake dialog box appears, giving the user what appear to be the standard options. When shutdown is selected, the malware plays a fake shutdown sequence and the phone appears to be turned off. Once in this state, the victim’s phone can be accessed and used to make calls, take pictures and transfer data without the victim’s knowledge.
According to AVG, the malware has spread to at least 10,000 Chinese devices so far through third-party app sites. AVG reports that the malware can affect devices running any Android version prior to 5 (Lollipop), and that the phone must be rooted.
The exploit involves the ShutDownThread.shutdown function and the mWindowManagerFuncs.shutdown interface object. The malware tries to gain root permissions and, once successful, injects a modified system_server process to hijack the stock shutdown function. It then listens for the power key button to be pressed, at which point it launches its own fake dialog box.
Jacob R Hooker