AVG: Latest Android 5.0 Lollipop Malware 'PowerOffHijack' Can Spy on Users Even If Smartphone Is Turned Off

By Isaiah Narciso
Shutdown Android Devices
A flaw in Android can allow hackers to break in and take control of your smartphone.

Security research firm AVG has warned users of smartphones containing Android software that a new form of malware can track them, even if the devices are turned off.

According to a blog post from AVG, its security team discovered a new type of Android malware that can hijack phones even if they are turned off. The malware was first detected in China and has infected around 10,000 devices there so far.

"The malware hijacks the shutdown process and the device remains functional even though it appears to be off," AVG wrote. "The malware affects versions of Android older than v.5 (Lollipop) and requires root permission to hijack the shutdown process."

AVG explained how the malware worked.

"After pressing the power button, the phone displays an authentic shutdown animation, and the phone appears off," AVG wrote. "Although the screen is black, it is still on."

Although users may think their phones are off in this state, AVG reported that "the malware can make outgoing calls, take pictures and perform many other tasks" without notifying them.

Emil Protralinski of VentureBeat termed the new malware threat as "PowerOffHijack." He reported that the Android malware asks for "root permission" first before infecting the device with the system_server process and hooking with mWindowManagerFuncs object.

"The fact root permission is required, however, suggests this is not a threat you can pick up by simply browsing the web," Protralinski wrote.

AVG then explained in technical detail what mWindowManagerFuncs did to the Android-powered device, noting it was "an interface object."

"It will actually call the thread ShutDownThread's shutdown function," AVG wrote. "It will shut down radio service first and invoke the power manager service to turn the power off."

Protralinski noted that AVG failed to describe the details of the malware itself, despite the explanation of how the shutdown process worked.

"There is no explanation as to how the security firm discovered the threat and how it gets onto an Android device in the first place," Protralinski wrote.

VentureBeat suggested that the source of the malware may have originated from an outside "app store" tailored for Android devices.

"Most Android malware infects devices thanks to users installing shady apps from third-party app stores," Protralinski wrote. "Most threats are not found on Google Play, and most require side-loading (disabled by default on most Android devices)."

Protalinski had a simple suggestion for those concerned about the status of their Android devices potentially being infected with the malware.

"Just pay attention to the apps you install and your Android device should be just fine," Protalinski wrote.