AVG researchers have discovered a new Android Trojan that tricks users into believing they have shut their device down while it continues working, and is able to silently make calls, send messages, take photos and perform many other tasks.
They dubbed it PowerOffHijack, which is also the name AVG's security solutions detect it under. PowerOffHijack has been discovered in China, where it has already infected over 10,000 devices. It is apparently being propagated via third-party online app stores, but the researchers haven't mentioned what apps it masquerades as.
The Trojan is capable of infecting Android versions below v5.0 (Lollipop).
How does it work?
"After pressing the power button, you will see the real shutdown animation, and the phone appears off. Although the screen is black, it is still on," the researchers explained.
That's because the malware, after having previously obtained root access, is capable of injecting into the system server process and hooking the mWindowManagerFuncs object, which ultimately prevents the mWindowManagerFuncs.shutdown function from doing its job: first shutting down the radio service and then invoking the power manager security service to turn the power off.
After keeping the power button pressed long enough to initiate the shutdown procedure, the victims are presented with a fake pop-up that asks for confirmation of the process, and see a fake shutdown animation. The malware and the phone will continue working, but the screen will be black.
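
A defender-side check for the injection described above, as an added example that is not from AVG or the original article: it parses a saved copy of the system server's /proc/<pid>/maps and flags executable, file-backed mappings loaded from outside the system partitions. The trusted and ignored path prefixes, the function names and the sample input are assumptions made for illustration.

```python
from typing import List, NamedTuple

# Assumption: directories expected to hold native code loaded by the system server.
TRUSTED_PREFIXES = ("/system/", "/vendor/")
# Assumption: ashmem regions (such as a JIT code cache) may legitimately be executable.
IGNORED_PREFIXES = ("/dev/ashmem/",)


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    path: str


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/<pid>/maps lines: 'start-end perms offset dev inode [path]'."""
    out = []
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue  # skip blank or truncated lines
        start, end = (int(x, 16) for x in fields[0].split("-"))
        path = fields[5].strip() if len(fields) == 6 else ""
        out.append(Mapping(start, end, fields[1], path))
    return out


def suspicious_mappings(text: str) -> List[Mapping]:
    """Return executable, file-backed mappings outside the trusted prefixes."""
    hits = []
    for m in parse_maps(text):
        if "x" not in m.perms or not m.path.startswith("/"):
            continue  # not executable, or anonymous/special such as [stack]
        if m.path.startswith(TRUSTED_PREFIXES + IGNORED_PREFIXES):
            continue
        hits.append(m)
    return hits


# Constructed sample input, not captured from a real device.
SAMPLE_MAPS = """\
40001000-40003000 r-xp 00000000 b3:09 212        /system/bin/app_process
4009a000-400e1000 r-xp 00000000 b3:09 1045       /system/lib/libc.so
400e1000-400e4000 rw-p 00047000 b3:09 1045       /system/lib/libc.so
4a000000-4a100000 r-xp 00000000 00:04 3312       /dev/ashmem/dalvik-jit-code-cache (deleted)
5d2c1000-5d2c9000 r-xp 00000000 b3:0c 77120      /data/local/tmp/libexample.so
5d2c9000-5d2ca000 rw-p 00008000 b3:0c 77120      /data/local/tmp/libexample.so
be9d2000-be9f3000 rw-p 00000000 00:00 0          [stack]
"""

if __name__ == "__main__":
    for m in suspicious_mappings(SAMPLE_MAPS):
        print(f"{m.start:08x}-{m.end:08x} {m.perms} {m.path}")
```

A hit is a lead for further inspection of the mapped file, not proof of infection, and an empty result does not rule out injection that avoids file-backed mappings.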