Android users are always at the target of malicious threat actors. Now, there is a new Android-based Trojan discovered by Kaspersky Lab researchers known as Switcher Trojan because of its ability to firstly infect the device’s Wi-Fi routers and then switch users of that infected network to various infected sites. This means, the Trojan doesn’t directly targets the users but acts as a facilitator of attacks that eventually convert victims into its co-conspirator.
According to the analysis of Kaspersky Lab researchers, there are two versions of this malware that are currently affecting android devices. Both the versions are being utilized to hijack nearly 1,280 wireless networks. The firm’s mobile security expert Nikita Buchka states that most of these infected networks are located in China. One of the two versions pretends to be a mobile client for Baidu, a popular Chinese search engine, while the other appears as a version of an app that locates and shares WiFi login information.
When the victim downloads any of the two versions, it immediately performs the key task of infecting the router through brute-forcing, which is password guessing attack directed on the router’s admin web interface. Research suggests that the malware has a list of over 2 dozen username and password combinations which let it access the web admin interface of the router.
When this is done the Switcher Trojan swaps out the DNS servers’ addresses of the router for a fake server that is being controlled by the attacker(s). The IP addresses used by the malware are 220.127.116.11, 18.104.22.168 and 22.214.171.124. There is an extra DNS too that comes in handy for the attackers when the fake one doesn’t perform or is detected.
Afterward, all the requests from the devices that are made on the infected network are re-routed to the attackers’ servers. This action makes the victims vulnerable to all sorts of attacks including phishing, malware, redirection and adware.
Kaspersky Lab Researchers noted that:
“The ability of the Switcher Trojan to hijack [DNS] gives the attackers almost complete control over network activity which uses the name resolving system, such as internet traffic. The approach works because wireless routers generally reconfigure the DNS settings of all devices on the network to their own – thereby forcing everyone to use the same rogue DNS.”
Buchka explained that the developers of this malware didn’t make the sections of its command and control website too perfect but they did leave a publicly viewable table that contained full statistics of internal infection. A review of the website revealed that the attackers have so far infected 1,280 Wi-Fi networks within a few weeks’ time.
Researchers claim that the operating mechanism of Switcher malware shares a remarkable resemblance with DNSChanger malware that is now being used as an exploit kit. Another security firm Proofpoint recently observed that there was a campaign that was targeting wireless routers and modifying DNS entries for stealing traffic. But in that campaign, the vulnerable routers were those made by D-Link, Pirelli, Comtrend and Netgear. On the other hand, Buchka’s analysis reveals that Switcher Trojan works on TP-LINK Wi-Fi routers’ web interfaces only.
Buchka wrote that the malware “targets the entire network, exposing all its users, whether individuals or businesses, to a wide range of attacks – from phishing to secondary infection. A successful attack can be hard to detect and even harder to shift: the new settings can survive a router reboot, and even if the rogue DNS is disabled, the secondary DNS server is on hand to carry on.”