How does malware that keeps monitoring you while your smartphone is "turned off" work?

Just as Edward Snowden claimed that "the NSA can eavesdrop on an iPhone even when its power is off," it is said to be possible to remotely control a particular smartphone even while it is switched off. Malware that lets a hacker place phone calls or take pictures even after the user has turned off the power has actually been found in China, so what is the mechanism behind it? The AVG Now official blog explains.

Malware Is Still Spying On You After Your Mobile Is Off
http://now.avg.com/malware-is-still-spying-on-you-after-your-mobile-is-off/

If you press the power button on an Android device infected with this malware, the shutdown animation plays, then the screen goes black and the device appears to have been powered off. In fact, the smartphone has not really been powered down, and the hacker can still control it remotely. The smartphone is operated without the user noticing, placing phone calls and taking pictures.

Before looking at the malware's behavior, here is what happens when you press the power button on a smartphone. When the power button of an Android device is pressed, "interceptKeyBeforeQueueing" is called, which checks whether the power button has been pressed on the device and whether a shutdown is already in progress.

"interceptPowerKeyUp", which triggers the Runnable, is called when the finger is released from the power button. The code contains "LONG_PRESS_POWER_GLOBAL_ACTIONS", which shows that an action takes place when the finger is released from the power button. "showGlobalActionsDialog", which appears in that action, is the dialog that opens to let you choose power off or airplane mode.

"mWindowManagerFuncs.shutdown" is called when the power off option is selected.

However, what is actually called is the "ShutdownThread.shutdown" function, which is the entry point of the shutdown process. ShutdownThread.shutdown first stops the wireless services and then calls the power manager service to turn off the power.

The code at this point contains the call "nativeShutdown".



So a hacker who wants to take over a smartphone only needs to interfere with the "mWindowManagerFuncs.shutdown" process that runs when you turn off the power. The method is as follows.

First, the malware obtains root permission. Root permission is required in order to inject into the "system_server" process and intercept "mWindowManagerFuncs". When the power button is pressed while mWindowManagerFuncs is intercepted, a fake dialog is shown, and if the power off option is selected, a fake shutdown animation plays. When the finger is released from the power button, the screen turns black and the device looks as if it had been powered off. As a finishing touch, the malware intercepts some communication services to complete the illusion that the smartphone is powered off.


In this state, calls are recorded, private messages are forwarded, and so on.
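A defender-side check that follows from the call chain above, as an added example that is not from the AVG post: a genuine power-off ends in nativeShutdown and a fresh kernel boot, so the kernel's per-boot boot_id must change across the power cycle. It assumes an examiner can read /proc/uptime and /proc/sys/kernel/random/boot_id from the device (for instance over adb) before and after; the Snapshot type, the function names and the sample values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Snapshot:
    wall_clock: float  # examiner's clock (epoch seconds) when the files were read
    uptime: float      # first field of /proc/uptime: seconds since kernel boot
    boot_id: str       # /proc/sys/kernel/random/boot_id: new random UUID per boot


def parse_snapshot(wall_clock: float, proc_uptime: str, boot_id: str) -> Snapshot:
    """Build a Snapshot from the raw text of the two /proc files."""
    return Snapshot(wall_clock, float(proc_uptime.split()[0]), boot_id.strip().lower())


def classify_power_cycle(before: Snapshot, after: Snapshot, slack: float = 5.0) -> str:
    """Compare a snapshot taken just before "Power off" was chosen with one
    taken after the device was switched back on."""
    elapsed = after.wall_clock - before.wall_clock
    if elapsed <= 0:
        raise ValueError("'after' snapshot must be later than 'before'")
    if after.boot_id == before.boot_id:
        # Same boot: the kernel never stopped, so the "shutdown" was only on screen.
        return "fake-shutdown"
    if after.uptime > elapsed + slack:
        # New boot_id, but the kernel claims to have been up since before the
        # power-off: the two values contradict each other, so trust neither.
        return "inconsistent"
    return "real-shutdown"


# Constructed sample data (not captured from a real device).
BEFORE = parse_snapshot(1_700_000_000, "86400.12 301234.50\n",
                        "11111111-2222-4333-8444-555555555555\n")
AFTER_REAL = parse_snapshot(1_700_000_600, "42.70 80.11\n",
                            "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee\n")
AFTER_FAKE = parse_snapshot(1_700_000_600, "87000.15 303000.00\n",
                            "11111111-2222-4333-8444-555555555555\n")
AFTER_ODD = parse_snapshot(1_700_000_600, "87000.15 303000.00\n",
                           "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee\n")

if __name__ == "__main__":
    for name, snap in [("real", AFTER_REAL), ("fake", AFTER_FAKE), ("odd", AFTER_ODD)]:
        print(name, classify_power_cycle(BEFORE, snap))
```

Malware running as root can falsify what the device reports, so a "real-shutdown" result is weaker evidence than a "fake-shutdown" or "inconsistent" one.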

in Software, Posted by darkhorse_log