
'Switcher' Android Trojan targets routers with rogue DNS servers

A new Android Trojan, 'Switcher,' performs brute-force attacks on wireless routers' default passwords to target DNS server configurations and hack connected devices.

Why hack Android devices one at a time when you can infect local Wi-Fi access points with an Android Trojan and use DNS hijacking to hack every device connected to that network?

Researchers at Kaspersky Lab reported their encounter with a new type of Android malware, which they call "Trojan.AndroidOS.Switcher" and which does almost exactly that: Once it wakes up and determines it's on a targeted wireless network, the malware runs a brute-force attack against the local Wi-Fi router's password. If successful, the malware replaces the router's default domain name system (DNS) servers with servers of its own. From there, almost any kind of attack is possible against the other devices or systems connected to that network.

"Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network," wrote Nikita Buchka, mobile malware analyst at Kaspersky, in a blog post. The new Android Trojan gains access to the router by a brute-force password-guessing attack on the router's admin web interface. "If the attack succeeds, the malware changes the addresses of the DNS servers in the router's settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to the servers of the cybercriminals -- such an attack is also known as DNS hijacking."

Because devices on a network usually take their DNS server settings from the local Wi-Fi router, this new Android Trojan can force every device connected through the router to use rogue DNS servers under the attacker's control. The result, Buchka wrote, is that "after gaining access to a router's DNS settings, one can control almost all the traffic in the network served by this router."

If successfully installed on a router, Buchka wrote, the Switcher malware can expose users to "a wide range of attacks" such as phishing schemes. "The main danger of such tampering with routers' [settings] is that the new settings will survive even a reboot of the router, and it is very difficult to find out that the DNS has been hijacked," he wrote. "Even if the rogue DNS servers are disabled for some time, the secondary DNS, which was set to 8.8.8.8, will be used, so users and/or IT will not be alerted."

By setting the secondary DNS server to Google's DNS service, located at IP address 8.8.8.8, the attackers ensure that even if their own malicious DNS server is unavailable, users won't experience any outage.

Once in place on a user's Android device, Switcher checks for the local wireless network's basic service set identifier -- the MAC address of the local network's access point -- and reports it to the Trojan's command and control network before going to work on brute-forcing and reconfiguring the router. The malware also attempts to identify which internet service provider is in use, so that it can reconfigure the router to use the matching one of three rogue DNS servers, and then runs the brute-force attack against the router's web-based administration interface.

The Kaspersky researchers reported two versions of the Android Trojan: One masquerading as a mobile client for the Chinese search engine Baidu, and the other a fake version of another popular Chinese app used to share Wi-Fi access information. Based on its analysis of input field names hardcoded in the malware, as well as the structure of HTML files the Android Trojan attempts to access, Kaspersky judged that Switcher affects only TP-LINK Wi-Fi routers.

The actor responsible for Switcher piggybacked its command and control system on top of a website it set up to promote its fake Wi-Fi access app; according to Kaspersky, the site also includes an infection counter for Switcher. Kaspersky reported that 1,280 Wi-Fi networks had been successfully infiltrated. Kaspersky recommended users check their DNS configurations to see if any of the rogue DNS servers (101.200.147.153, 112.33.13.11 and 120.76.249.59) have been configured. If a network has been infected, the attack can be mitigated by resetting the DNS server configuration and resetting the default router administration password; the attack can also be prevented by changing the default user ID and password for administering vulnerable routers.
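The check Kaspersky recommends, turned into a script, as an added example that is not part of the article or of Kaspersky's own tooling: it parses a resolv.conf-style resolver configuration (the format is an assumption; a router's status page or a client's DHCP-assigned settings would need their own parser), flags the three rogue DNS addresses the article names, and separately flags the pattern described above, a rogue primary backed by 8.8.8.8 as secondary, which is what keeps the hijack invisible when the rogue server is offline. Both sample configurations in the block are constructed.

```python
# Added example (not from the article or from Kaspersky): checks a DNS
# resolver configuration for the three Switcher rogue DNS addresses the
# article names. The resolver configs below are constructed sample input.
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

# Rogue DNS servers reported by Kaspersky (taken from the article text).
SWITCHER_ROGUE_DNS = frozenset({
    "101.200.147.153",
    "112.33.13.11",
    "120.76.249.59",
})

# Google Public DNS, which the Trojan sets as the secondary server so that
# an outage of the rogue primary goes unnoticed by users.
GOOGLE_PUBLIC_DNS = "8.8.8.8"


@dataclass
class DnsCheckResult:
    servers: List[str]          # resolvers in configured order
    rogue: List[str]            # those matching the Switcher IoCs
    hijacked: bool              # any rogue server present
    fallback_masking: bool      # rogue primary backed by 8.8.8.8
    notes: List[str] = field(default_factory=list)


def parse_resolv_conf(text: str) -> List[str]:
    """Return nameserver addresses from resolv.conf-style text, in order.

    Comments and unparseable addresses are skipped; duplicates are kept so
    the caller sees the configuration exactly as the resolver would.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"nameserver\s+(\S+)$", line)
        if not match:
            continue
        try:
            servers.append(str(ipaddress.ip_address(match.group(1))))
        except ValueError:
            continue  # not an IP literal; ignore it
    return servers


def check_dns_servers(servers: List[str],
                      rogue_set=SWITCHER_ROGUE_DNS) -> DnsCheckResult:
    """Flag rogue resolvers and the 8.8.8.8 fallback pattern.

    The check is purely static: it never queries the servers, because the
    rogue primary may be offline while the Google fallback keeps name
    resolution working and so hides the hijack from users.
    """
    rogue = [s for s in servers if s in rogue_set]
    hijacked = bool(rogue)
    fallback_masking = (hijacked
                        and servers[0] in rogue_set
                        and GOOGLE_PUBLIC_DNS in servers[1:])
    notes = []
    if hijacked:
        notes.append("rogue DNS server(s) configured: " + ", ".join(rogue))
        notes.append("reset the router's DNS settings and change its admin password")
    if fallback_masking:
        notes.append("secondary 8.8.8.8 hides outages of the rogue primary; "
                     "do not rely on user-reported failures for detection")
    return DnsCheckResult(servers, rogue, hijacked, fallback_masking, notes)


# Constructed sample: what a DHCP-configured client might show after its
# router's DNS settings were rewritten the way the article describes.
SAMPLE_HIJACKED = """\
# Generated by DHCP client (constructed sample)
nameserver 101.200.147.153
nameserver 8.8.8.8
search lan
"""

# Constructed sample: a client pointing at its router as its only resolver.
SAMPLE_CLEAN = """\
nameserver 192.168.0.1
"""

if __name__ == "__main__":
    for label, cfg in (("hijacked", SAMPLE_HIJACKED), ("clean", SAMPLE_CLEAN)):
        result = check_dns_servers(parse_resolv_conf(cfg))
        print(f"{label}: hijacked={result.hijacked} "
              f"fallback_masking={result.fallback_masking}")
        for note in result.notes:
            print("  -", note)
```

Running the block prints the verdict for both constructed configurations. Because the Trojan's changes persist across router reboots, the same check should be run against the router's own DNS settings, not only against a client, and repeated after the admin password has been changed to confirm the settings were not rewritten again.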

Next Steps

Learn about the Gooligan Android Trojan

Read about Hummer, the Android Trojan responsible for as much as $500,000/day in ill-gotten gains

Find out more about Stels, an Android Trojan that steals text messages


3 comments


How can router vendors reduce the risk of using default web administration passwords and user IDs?
Do not set any default on the router. Once the user posts, at that time allow him/her to set a new login, unlike Windows OR.

Post-installation, force/prompt the administrator to change the password. It's something like one-time use, such as a bank login.
By changing their firmware, so that the router, after running more than 3 days on its default settings, will proceed as follows: by then collecting the addresses of outgoing e-mails, sending these to the "mother-ship", and having the mother-ship send e-mail to these that will show "clear, concise, easy-to-use instructions, in conspicuous large print" on how to change the ID and password on the box.