Android Trojan That Fakes Shutdown Traced to Fake Google Service App in 2014

Is this thing on?

Unless you have your Android device in one hand and its batteries in another, you might not be sure if it's turned off. An Android Trojan app called PowerOffHijack, which originated from Chinese app stores, was found tricking users into believing that their devices were turned off though they're actually powered on.

Digging into the issue, Trend Micro researchers found that an app believed to be an earlier version of PowerOffHijack appeared as early as September 2014. The app, named AndroidFramework (detected as AndroidOS_AndFraspy.HAT), disguised itself as a Google service with the package name com.google.progress.

Fake Shutdown Routines

As mobile device users are aware, pressing the power button can result in two things. Tapping the button will turn off the screen, while holding it down will cause it to prompt with device options that include shutting the phone down.

The AndroidFramework malware was designed to perform its malicious operations in the background after you press the power button and the screen goes black.

The PowerOffHijack version, on the other hand, was made to run in the background even after you hold the power button down and choose to turn the device off. It will even display the Android shutdown animation to make you believe that your device is shutting down. At this stage, the malware can still make phone calls, send SMS, take photos, and do other malicious routines without user consent.

Both of these malware apps were found in third-party app stores outside of Google Play and require a rooted device to run.

PowerOffHijack reportedly works on devices running Android versions older than 5.0 (Lollipop). It is said to have originated from third-party Chinese app stores, which explains why most of the 10,000 affected devices are from China.

How to Get Rid of AndroidFramework and PowerOffHijack 

It was previously suggested that users can only be truly safe from the PowerOffHijack threat if they remove the batteries of their devices. However, this is not practical for many users who do need to use the devices as well as for devices with batteries that can't be easily removed.

For threats such as these, users can download and run a comprehensive mobile security solution like Trend Micro Mobile Security for Android that scans all downloaded apps, blocks malware before it can be installed, and cleans malware already found on your devices.
