AVG: Latest Android 5.0 Lollipop Malware 'PowerOffHijack' Can Spy on Users Even If Smartphone Is Turned Off

By Isaiah Narciso
Shutdown Android Devices
A flaw in Android can allow hackers to break in and take control of your smartphone.

Security research firm AVG has warned users of smartphones containing Android software that a new form of malware can track them, even if the devices are turned off.

According to a blog post from AVG, its security team discovered a new type of Android malware that can hijack phones even if they are turned off. The malware was first detected in China and has infected around 10,000 devices there so far.

"The malware hijacks the shutdown process and the device remains functional even though it appears to be off," AVG wrote. "The malware affects versions of Android older than v.5 (Lollipop) and requires root permission to hijack the shutdown process."

AVG explained how the malware worked.

"After pressing the power button, the phone displays an authentic shutdown animation, and the phone appears off," AVG wrote. "Although the screen is black, it is still on."

Although users may think their phones are off in this state, AVG reported that "the malware can make outgoing calls, take pictures and perform many other tasks" without notifying them.

Emil Protralinski of VentureBeat termed the new malware threat as "PowerOffHijack." He reported that the Android malware asks for "root permission" first before infecting the device with the system_server process and hooking with mWindowManagerFuncs object.

"The fact root permission is required, however, suggests this is not a threat you can pick up by simply browsing the web," Protralinski wrote.

AVG then explained in technical detail what mWindowManagerFuncs did to the Android-powered device, noting it was "an interface object."

"It will actually call the thread ShutDownThread's shutdown function," AVG wrote. "It will shut down radio service first and invoke the power manager service to turn the power off."

Protralinski noted that AVG failed to describe the details of the malware itself, despite the explanation of how the shutdown process worked.

"There is no explanation as to how the security firm discovered the threat and how it gets onto an Android device in the first place," Protralinski wrote.

VentureBeat suggested that the source of the malware may have originated from an outside "app store" tailored for Android devices.

"Most Android malware infects devices thanks to users installing shady apps from third-party app stores," Protralinski wrote. "Most threats are not found on Google Play, and most require side-loading (disabled by default on most Android devices)."

Protalinski had a simple suggestion for those concerned about the status of their Android devices potentially being infected with the malware.

"Just pay attention to the apps you install and your Android device should be just fine," Protalinski wrote.

    Most Popular
  • Is 'The Last Supper' worth watching? Audience and critics weigh in

    Is 'The Last Supper' worth watching? Audience and critics weigh in

    Faith-based films often receive mixed reactions, and The Last Supper is no exception. The movie attempts to bring a fresh perspective to one of the most iconic moments in Christian history, but does it succeed? Some reviews from critics and audiences provide insight into its strengths and shortcomings.

  • ‘The Chosen’ Season 5: The darkest season yet—What to know before watching

    The wait is over—The Chosen is back with its fifth season, and this time, things are getting intense. The new episodes dive straight into the final days of Jesus’ life, covering some of the most emotional and dramatic moments in the Bible. If you’ve been following the series, you already know that The Chosen isn’t just about retelling familiar stories—it’s about bringing them to life in a way that feels real.

  • Massacres in Syria: Over 1,000 dead, including Christians and Alawites

    Syria’s coastal regions have been devastated by a series of massacres, with reports indicating that over 1,000 people—many from Christian and Alawite communities—have been killed in brutal attacks. Entire families have been wiped out, and survivors are fleeing in search of safety as sectarian violence escalates.

  • Kim Sae-ron and Wheesung: The tragic irony of Korean society and the principles of happiness

    Not long ago, the media was in an uproar over actress Kim Sae-ron’s passing. Just months before, the same people who had relentlessly criticized her for her DUI incident were now expressing sympathy, saying, "The world was too harsh on her." The irony is impossible to ignore.

  • Newsboys move forward as a quartet after Michael Tait’s departure

    After more than a decade as the lead singer of the Newsboys, Michael Tait has officially parted ways with the band, marking a significant shift in the Christian rock group’s lineup. The remaining members—Jeff Frankenstein, Jody Davis, Duncan Phillips, and Adam Agee—have assured fans that they will continue forward, embracing a new season of music and ministry.

Top Stories