Next time you turn off your Android phone, you might want take the battery out just to be certain.

Security vendor AVG has spotted a malicious program that fakes the sequence a user sees when they shut off their phone, giving it freedom to move around on the device and steal data.

When someone presses the power button on a device, a fake dialog box is shown. The malware then mimics the shutdown animation and appears to be off, AVG’s mobile malware research team said in a blog post.

“Although the screen is black, it is still on,” they said. “While the phone is in this state, the malware can make outgoing calls, take pictures and perform many other tasks without notifying the user.”

The malware requires an Android device to be “rooted,” or modified to allow deep access to its software. That may eliminate a lot of Android owners who don’t modify their phones.

But some vendors of Android phones ship their devices with that level of access, potentially making it easier for the malware to get onto a device.

This malware is unlikely to show up in Google’s Play Store, since Google tries to block applications that have malicious functions. But it could be a candidate for one of the many third-party app stores with looser restrictions.