Why hack Android devices one at a time when you can infect local Wi-Fi access points with an Android Trojan and use DNS hijacking to hack every device connected to that network?
Researchers at Kaspersky Lab reported their encounter with a new type of Android malware, which they call "Trojan.AndroidOS.Switcher" and which does almost exactly that: Once it wakes up and determines it is on a targeted wireless network, the malware runs a brute-force attack against the local Wi-Fi router's admin password. If the attack succeeds, the malware replaces the domain name system (DNS) servers the router hands out with servers the attackers control. From there, almost any kind of attack is possible against the other devices or systems connected to that network.
"Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network," wrote Nikita Buchka, mobile malware analyst at Kaspersky, in a blog post. The new Android Trojan gains access to the router by a brute-force password-guessing attack on the router's admin web interface. "If the attack succeeds, the malware changes the addresses of the DNS servers in the router's settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to the servers of the cybercriminals -- such an attack is also known as DNS hijacking."
Because devices joining a Wi-Fi network usually accept the DNS server addresses the router hands out over DHCP, this new Android Trojan can force every device connected through the router to send its DNS queries to rogue DNS servers under the attacker's control. The result, Buchka wrote, is that "after gaining access to a router's DNS settings, one can control almost all the traffic in the network served by this router."
If successfully installed on a router, Buchka wrote, the Switcher malware can expose users to "a wide range of attacks" such as phishing schemes. "The main danger of such tampering with routers' [settings] is that the new settings will survive even a reboot of the router, and it is very difficult to find out that the DNS has been hijacked," he wrote. "Even if the rogue DNS servers are disabled for some time, the secondary DNS, which was set to 8.8.8.8, will be used, so users and/or IT will not be alerted."
By setting the secondary DNS server to Google's public DNS service at IP address 8.8.8.8, the attackers ensure that even if their own malicious DNS server is unavailable, users will not experience an outage that might prompt someone to inspect the router's settings.
Once in place on a user's Android device, Switcher reads the local wireless network's basic service set identifier (BSSID, the MAC address of the access point) and reports it to the Trojan's command-and-control server. It then attempts to identify which internet service provider the network uses, so that it can pick the matching one of three rogue DNS servers, and finally runs the brute-force attack against the router's web-based administration interface and rewrites the DNS settings.
The Kaspersky researchers reported two versions of the Android Trojan: One masquerading as a mobile client for the Chinese search engine Baidu, and the other a fake version of another popular Chinese app used to share Wi-Fi access information. Based on its analysis of input field names hardcoded in the malware, as well as the structure of HTML files the Android Trojan attempts to access, Kaspersky judged that Switcher affects only TP-LINK Wi-Fi routers.
The actor responsible for Switcher piggybacked its command-and-control system on top of a website it set up to promote its fake Wi-Fi access app; according to Kaspersky, the site also includes an infection counter for Switcher. Kaspersky reported that 1,280 Wi-Fi networks had been successfully infiltrated. Kaspersky recommended that users check their DNS configurations to see whether any of the rogue DNS servers (101.200.147.153, 112.33.13.11 and 120.76.249.59) have been configured. If a network has been infected, the attack can be mitigated by restoring the router's DNS server configuration and changing the router's administration password; the attack can be prevented in the first place by changing the default user ID and password used to administer vulnerable routers.
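The client-side check Kaspersky recommends, and the DHCP mechanism by which a hijacked router reaches every device, can be demonstrated together. The following is an added example written for this page, not code from Kaspersky or from the Switcher sample: it parses the DNS server option (option 6) out of a DHCP OFFER and flags the rogue resolver addresses Kaspersky published for Switcher, also noting the tell-tale pattern of a rogue primary backed by Google's 8.8.8.8 as secondary. The DHCP OFFER is constructed inline so the code runs offline; on a real network the same bytes would come from a packet capture of the router's reply.

```python
"""Client-side check for Switcher-style DNS hijacking (added example).

Parses DHCP option 6 (RFC 2132 "Domain Name Server") from a DHCP OFFER and
compares the advertised resolvers against the rogue servers Kaspersky listed.
"""
import ipaddress

# Rogue resolvers Kaspersky published as Switcher indicators.
ROGUE_DNS = {"101.200.147.153", "112.33.13.11", "120.76.249.59"}

# Public resolver Switcher sets as secondary so a rogue-server outage goes unnoticed.
PUBLIC_FALLBACK = {"8.8.8.8"}

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie after the 236-byte BOOTP header
OPT_PAD, OPT_DNS, OPT_MSGTYPE, OPT_END = 0, 6, 53, 255


def parse_dhcp_options(packet: bytes) -> dict:
    """Return DHCP options as {tag: value}; repeated tags are concatenated."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts = {}
    i = 240
    while i < len(packet):
        tag = packet[i]
        if tag == OPT_PAD:
            i += 1
            continue
        if tag == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[tag] = opts.get(tag, b"") + value
        i += 2 + length
    return opts


def dns_servers_from_offer(packet: bytes) -> list:
    """DNS servers the router hands out, in the order the client will try them."""
    raw = parse_dhcp_options(packet).get(OPT_DNS, b"")
    if len(raw) % 4:
        raise ValueError("option 6 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


def assess_dns(servers: list) -> dict:
    """Flag rogue resolvers and the rogue-primary / public-secondary pattern."""
    rogue = [s for s in servers if s in ROGUE_DNS]
    # Switcher's signature layout: rogue server first, Google DNS behind it, so
    # that the rogue server going down never shows up as a resolution failure.
    masked = bool(rogue) and servers[0] in ROGUE_DNS and any(
        s in PUBLIC_FALLBACK for s in servers[1:])
    return {
        "servers": servers,
        "rogue": rogue,
        "verdict": "hijacked" if rogue else "clean",
        "fallback_masks_outage": masked,
    }


def build_offer(dns_servers: list) -> bytes:
    """Constructed DHCP OFFER carrying only the fields this check needs (sample input)."""
    header = bytearray(236)
    header[0] = 2                      # op = BOOTREPLY
    header[1] = 1                      # htype = Ethernet
    header[2] = 6                      # hlen
    header[4:8] = b"\x12\x34\x56\x78"  # xid (arbitrary)
    opt6 = b"".join(ipaddress.IPv4Address(s).packed for s in dns_servers)
    options = bytes([OPT_MSGTYPE, 1, 2])                # message type = OFFER
    options += bytes([OPT_DNS, len(opt6)]) + opt6
    options += bytes([OPT_END])
    return bytes(header) + DHCP_MAGIC + options


if __name__ == "__main__":
    for label, srv in (("switcher", ["101.200.147.153", "8.8.8.8"]),
                       ("normal", ["192.168.1.1"])):
        print(label, assess_dns(dns_servers_from_offer(build_offer(srv))))
```

The `fallback_masks_outage` flag is the point a responder would want: a resolver list that "works" is not evidence that it is clean, and a public resolver in the secondary slot of a consumer router is itself worth a closer look when the primary is unfamiliar.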