Authors: Jinjian Zhai, Tianfang Guo
Malware that spies on Android phones has been a steadily growing family since early 2014. For example, a sample of the Android.Spy malware family (MD5: 14d9f1a92dd984d6040cc41ed06e273e) was first reported on 01/26/2014, with only 1 of 48 AV vendors detecting it as malware at that time.
The malware disguised itself as a Google service, monitored the Android phone, and intercepted incoming calls to record the audio.
It can even suppress the ringtone and vibration so that it can record the phone call to a file on the device.
The recorded audio file is then uploaded along with other files as soon as the malware client app receives the "FIL" command from the command and control (CNC) server.
This spying malware family never stops evolving. Recently, AVG Virus Labs reported that a new malware can spy on users even when the mobile phone is turned off.
The story starts when you press the power button. The sequence of Android events triggered by a power-button press has been described in an earlier blog as well as in the AVG blog.
First, the PhoneWindowManager.interceptKeyBeforeQueueing() method is called:
Second, execution reaches the KeyEvent.KEYCODE_POWER case:
Then the interceptPowerKeyDown() method is called:
Finally, the phone is shut down when mPowerLongPress is handled:
Following this process, Tencent Labs published an open-source proof-of-concept (POC) tool, "hijackAndroidPowerOff", to demonstrate how the TelephonyManager class is duped into keeping the victim phone accessible after it has been "turned off". The scan result for the provided sample has remained "unknown" since it was published. Because the platform the tool is built on is considered benign by many scanners, it is doubtful that the tool would be detected as malware.
The tool is an implementation on the Xposed platform, a dynamic hooking framework targeting Android phones. Relying on the Xposed package to hook most of the Android SDK, the hijackAndroidPowerOff tool hooks the shutdown() method of the PhoneWindowManager class. Using the de.robv.android.xposed.XC_MethodHook abstract class that the Xposed package provides, the author overrides afterHookedMethod() of XC_MethodHook:
In the overriding method, the shutdown() call is redirected to a fake "Shut Down" dialog, which starts the myCancelShutdownDialog Runnable, whose name implies it is a counterfeit of the authentic myShutdownDialog Runnable:
In the oddly named myCancelShutdownDialog Runnable, run() is overridden to perform all the usual steps before shutting down the phone, except that the "shutdown" system call is replaced by the goToSleep() method. The author then adds an extra call-monitoring method, listenCall():
The listenCall() method leads to a BroadcastReceiver that is nothing more than an ordinary call-monitoring routine. Note that throughout this the phone is actually sleeping rather than shut down, although both states show a black screen:
As stated at the beginning of this post, the call-monitoring code could easily be replaced by any number of malicious payloads, such as audio recording or a CNC client, while the Android phone is actually sleeping rather than powered off.
Furthermore, such code is built on popular tools like Xposed and hides under com.google or obfuscated package names. Signature-based AV vendors are unable to detect the actual malicious snippet. In this case, we can only depend on behavior-based anti-virus tools to find the needle in the haystack.
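One cheap triage check a defender can run before any behavioural analysis follows from the two facts above: an Xposed module must ship its hook entry classes in the plain-text file assets/xposed_init, and this tool hides those classes under a com.google package. The script below is an added example, not code from the post or from the hijackAndroidPowerOff project; the sample APK it builds in memory and the class name com.google.service.PowerOffHook are constructed for the demonstration.

```python
import io
import zipfile

# Real Xposed convention: every module lists its entry classes here,
# one fully-qualified class name per line.
XPOSED_INIT = "assets/xposed_init"

# Package prefixes the post reports the tool hiding under.  A genuine Google
# app is never an Xposed module, so a hook entry class declared here is a
# masquerade.  (Heuristic chosen for this example, not an Xposed rule.)
SUSPICIOUS_PREFIXES = ("com.google.",)


def xposed_entry_classes(apk_bytes: bytes) -> list:
    """Return the class names listed in assets/xposed_init, or [] when the
    APK is not an Xposed module at all."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        if XPOSED_INIT not in zf.namelist():
            return []
        text = zf.read(XPOSED_INIT).decode("utf-8", errors="replace")
    return [line.strip() for line in text.splitlines() if line.strip()]


def triage(apk_bytes: bytes) -> dict:
    """Classify an APK: clean / xposed-module / suspicious (module hiding
    behind a Google-looking package)."""
    classes = xposed_entry_classes(apk_bytes)
    masquerading = [c for c in classes if c.startswith(SUSPICIOUS_PREFIXES)]
    if masquerading:
        verdict = "suspicious"
    elif classes:
        verdict = "xposed-module"
    else:
        verdict = "clean"
    return {"entry_classes": classes, "masquerading": masquerading, "verdict": verdict}


def build_sample_apk(entry_classes) -> bytes:
    """Construct a minimal zip that mimics an Xposed module APK (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")  # binary XML in a real APK
        zf.writestr("classes.dex", b"")
        if entry_classes:
            zf.writestr(XPOSED_INIT, "\n".join(entry_classes) + "\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a module whose hook class pretends to be a Google service.
    print(triage(build_sample_apk(["com.google.service.PowerOffHook"])))
```

The check only says "this is an Xposed module hiding under a Google-looking name"; confirming what the hook does to shutdown() still needs the behavioural analysis the post calls for.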