The malware hijacks the phone’s ordinary shutdown process that is normally run when the phone’s owner chooses “Shut down” in Android’s power options menu. It displays the normal shutdown animation routine before turning off the device’s display so that it appears to be completely powered down as normal.
In reality, the phone is actually still awake and being controlled by the malicious software that infected it. The researchers found it could forward your text messages to third parties, record phone calls or even take photos while supposedly turned off. It could be used to spy on its owner without them ever realising.
Security research and analysis firm AVG found the malware and have called it “Android/PowerOffHijack.A” for now. The company believes that 10,000 devices have been infected so far. The majority of these are based in China where the malicious code was first encountered.
The device can continue to operate in this hijacked, fake-asleep state indefinitely until the battery runs flat and it dies completely. The malware can run on any version of Android older than 5.0 so new Lollipop phones are safe for now. It also requires the phone to be rooted in order to successfully hijack the shutdown sequence.
AVG has updated its mobile protection app with details of the flaw so that it is now capable of detecting the new kind of threat on infected devices. The company warns users to remain vigilant however and to take the battery out of their phone if they want to be really sure of it being powered down.
With our ever-more connected world seeing more malware attacks than ever, it was only going to be a matter of time before even things that seem to be off are actually on and spying on their owner. With the Internet of Things just around the corner, perhaps this kind of new and unusual attack could become more common in the future.