Security researchers are warning of a new piece of Android malware which hijacks the phone’s power-off function, allowing hackers to remotely control the device while the user thinks it is turned off.
Antivirus firm AVG claimed in a blog post that the Android/PowerOffHijack.A malware first requests root permission and then injects code into the ‘system_server’ process.
The injected code takes control of the ‘mWindowManagerFuncs’ interface object – popping up a fake dialog box asking the user to choose between power off, mute or airplane mode.
If the user selects power off it even runs a fake animation before turning the screen off.
However, crucially, the power is still on and the malware can now run in the background, recording, taking pictures, and calling and texting premium rate numbers, AVG said.
The malware is still pretty limited, having infected only around 10,000 devices, mainly in China. In fact, it’s notable that some of the code shown by AVG contains Chinese characters – giving another clue as to its origin.
It’s apparently been designed to run on Android v5.0 and below.
“Luckily, this malware has been detected by AVG. And next time if you want to make sure your mobile is really off, take the battery out,” the AV vendor said.
Android continues to be the platform of choice for malware writers. Its open ecosystem makes distribution of malicious code much easier than on the tightly controlled iOS platform, where every app must undergo a rigorous review program before being allowed onto the App Store.
Between 2011 and 2014 there was a 300-fold increase in the amount of Android malware, with around three million new samples discovered last year, according to Quick Heal’s annual threat report.
Mobile ransomware in particular seems to be growing in popularity, according to Lookout Security.
It claimed that variants like ScareMeNot and ScarePakage finished in the top five most-prevalent mobile threats in the US, UK and Germany for 2014 – contributing to a surge in Android malware of 75% during the year.