Android Switcher Trojan targets routers changing DNS settings

Security experts from Kaspersky Lab have spotted a new Android Trojan, dubbed Switcher, that targets routers in order to change their DNS settings.

Malware researchers at Kaspersky Lab have spotted a new Android Trojan, dubbed Switcher, that targets routers and changes their DNS settings in order to redirect traffic to malicious websites.

The Switcher Trojan has been disguised as an Android client for the Chinese search engine Baidu, and a Chinese app for sharing Wi-Fi network details. When victims install the malicious app, the Trojan attempts to guess the login credentials of the Wi-Fi router.

” Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network. The trojan, dubbed Trojan.AndroidOS.Switcher, performs a brute-force password guessing attack on the router’s admin web interface.” states the analysis published by Kaspersky Lab.”If the attack succeeds, the malware changes the addresses of the DNS servers in the router’s settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to the servers of the cybercriminals (such an attack is also known as DNS-hijacking)”

The malware includes dozens of login credentials that it uses to perform a brute-force attack against the router that serves the network and to access its web administration interface.

The infection process starts with malware getting the BSSID of the network. The information is sent back to the C&C that is so informed that the Switcher Trojan has been activated in a network with this BSSID. The malicious code will get the name of the ISP (Internet Service Provider) in order to determine which rogue DNS server will be used for DNS-hijacking and launches a brute-force attack with a predefined dictionary of logins and passwords:

“The trojan gets the default gateway address and then tries to access it in the embedded browser. With the help of JavaScript it tries to login using different combinations of logins and passwords. Judging by the hardcoded names of input fields and the structures of the HTML documents that the trojan tries to access, the JavaScript code used will work only on web interfaces of TP-LINK Wi-Fi routers.” continues the report from Kaspersky Lab.

Whan the malware access the web administration interface of the router, it replaces the primary and secondary DNS servers with IP addresses pointing to rogue DNS servers (i.e. 101.200.147.153, 112.33.13.11 and 120.76.249.59).

Once the malware changed the DNS settings, traffic is redirected to malicious websites instead of the ones. Users could be redirected to phishing websites or to domains hosting exploit kits used to serve malware.

According to Kaspersky, crooks already broke into 1,280 Wi-Fi networks redirecting traffic of all the users attached to them.

“The Trojan targets the entire network, exposing all its users, whether individuals or businesses, to a wide range of attacks – from phishing to secondary infection,” said Buchka. “A successful attack can be hard to detect and even harder to shift: the new settings can survive a router reboot, and even if the rogue DNS is disabled, the secondary DNS server is on hand to carry on.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Switcher Trojan, Android)