This morning I awoke to a veritable armageddon of news regarding a new piece of Android malware hell-bent on stealing all of your secrets, your identity, recording all of your actions, taking video, and probably even stealing your unborn children. That malware has been labeled PowerOffHijack (or Shutdown Hijack in some circles). It was discovered by AVG and, in theory, could be very nasty. That theory, however, would be hard to apply in most situations.
Here's the gist of the malware. Once it's on your device, it hijacks the shutdown process and makes you think you've turned your phone off (going so far as to play a shutdown animation to convince you all is well). Once powered off, the malware can place phone calls, send outgoing messages, take pictures, and more.
The important bits of information that are crucial to the relevance of this malware are as follows:
- The malware has only been found on app stores outside of the Google Play Store
- The malware can only affect Android versions under 5
- The malware must be able to obtain root access in order to function
AVG has made the claim that the only way to be sure your phone is properly shut down is to remove the battery. This, of course, doesn't apply to a number of Android devices (such as the Motorola Moto X, HTC M8, etc.) where batteries simply cannot be removed. On the AVG Blog, they do a very nice job of detailing how the malware works, using specific code fragments to illustrate the process. And they do make mention that the malware originated in China, where over 10,000 devices have been reported infected. There was no mention of the sites the malware was downloaded from, nor the app(s) within which the malware was found.
The logic behind this malware is quite flawed from its very premise. Considering that very few people actually turn their mobile devices off turns this type of threat into an almost non-issue. Yes, there are some that do turn their devices completely off on occasion — but do those people meet the other criteria for the malware design, including:
- Do they download apps from third-party sites?
- Is their device rooted?
My guess is "no" on both accounts. So, even if you shut your phone off, the chance of this malware compromising your security is slim.
However, on the off chance that you do fit all those criteria and are concerned that PowerOffHijack might be on your device, here's what you need to do:
- Install a malware application (my favorite is Malwarebytes), and make sure you use it
- Remove any and all applications you've installed from a third-party site (especially ones originating in China)
- After uninstalling all suspicious third-party apps, re-run the Malwarebytes scan
I've said this before, and I'll say it again — you can't rely on Google (or any platform developer) for 100% of your security. If you use a mobile device unwisely, bad things can happen. We live in a day and age where nothing is perfectly safe. New ways of hacking data will continue to be crafted, and platform developers like Google, Apple, and Microsoft need to stay on their toes — as do consumers. At the same time, companies that report finds — like the PowerOffHijack threat — need to report those findings responsibly (i.e. "If you've not visited a third-party Chinese Android app store, it's unlikely your device is affected by PowerOffHijack").
The average consumer/user tends to be lazy about mobile technology. Passwords are poor (or not used), antimalware is non-existent, devices aren't registered with the likes of the Android Device Manager ... this list goes on and on. When using a platform like Android, you must understand you are not nearly as constrained as you would be with IOS. Because of that, you must also take a few more precautions and use the device with a nod toward safety.
With power comes responsibility.
The fact that PowerOffHijack is being reported in regions that most likely aren't affected shouldn't give you pause to brush the claim aside. Why? Because it should, at least, warn you of the potential threats that can claim anyone. Unlike working on a desktop or laptop, a mobile security breach holds a bit more of an ominous threat. Under the right circumstances, the wrong information could be had and the victim find themselves with a nasty mess to clean up. Don't be that victim! Use a bit of care and Android will serve you will for years to come.
Are you concerned about mobile security? If so, what is your go-to security app for Android?
- Despite Android's data encryption, mobile security is in users' hands
- How to find suspicious in-app ads on Android
- What to look for in Android permissions
- Will the meteoric rise of Android popularity result in an insecure platform?
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.