New malware for Android devices can interfere with the shutdown process of the device, making it appear as if the user turned it off, but in actuality it remains active, researchers said.
The user is not aware in any way of the activity, which can range from initiating calls to using the built-in camera to take pictures.
On the latest version of Android, Lollipop, the functionality of the power button reduced to turning off the device.
On previous builds, which have a significantly larger user base than Lollipop, the button can switch to vibration or silent mode, or suspend signal transmission by enabling airplane mode.
However, the Android version available is irrelevant because the shutdown sequence is the same.
Online security company AVG caught the new mobile malware strain and analyzed its activity of hijacking the poweroff process. Researchers said the malicious code interferes with the “mWindowManagerFuncs.shutdown” function, which is responsible for starting the shutdown procedure.
In order to do that, the malware needs to have root permission on the device so it can alter system applications. If this ends up obtained, it injects itself in the “system_server” process and hooks the “mWindowManagerFuncs” interface object that calls the shutdown function.
With all the hooks in place, the malicious software will show a fake shutdown animation when the poweroff option ends up selected upon long pressing the power management button; the screen goes off and the device appears inactive.
A blog post from AVG advises users to remove the battery of the device to make sure the turn off process does not end up spoofed. However, this is not possible with all phone models. Alternatively, installing a mobile antivirus solution could prevent the malware piece from meddling with the “mWindowManagerFuncs.shutdown” function.