Switcher Trojan Infects Wi-Fi Routers via Android Mobiles

An incredibly dangerous new Trojan has been detected by Kaspersky Lab which is being used to attack Wi-Fi routers via Android devices. The new malware – named the Switcher Trojan – is currently only being used to attack routers in China, although Kaspersky Lab researchers warn that this new malware signals a dangerous new trend – One that could well become a global problem.

The typical way that hackers gain control of Wi-Fi routers is by performing direct attacks; however, this method of attack is far more efficient. The attackers are infecting Android users and they are used as pawns in Wi-Fi router attacks.

Once a user’s device is compromised, any Wi-Fi router that they attempt to connect to will be subjected to a brute force attack. If the attack succeeds the attackers will gain administrator access to the router allowing them to take full control of the device and attack any individual that subsequently connects to the Wi-Fi network.

The attack starts with one of two fake versions of legitimate Chinese apps. One is used for sharing Wi-Fi network information and the other is an Android client for the Chinese search engine Baidu.

Once either app has been downloaded, the next Wi-Fi network to which the infected device connects will be attacked using a predefined set of login credentials. A correct username and password combination will see the attackers gain administrator access to the router.

The primary DNS server is then changed to one controlled by the attacker. The secondary DNS server is also changed, and serves as a backup should the first DNS server fail. Once this is done, any individual who connects to the router can be directed to websites controlled by the attackers. Those sites could be laced with malware, phish for sensitive information, serve adware, or be used for other web-borne threats. Since the attack involves the entire Wi-Fi network, the attackers could infect countless numbers of users.

Any individual that connects to the network could easily be directed to a spoofed Twitter, Facebook, LinkedIn or Snapchat login page. Entering in login details would provide the attackers with countless login credentials. Any number of malware could be downloaded to devices that connect to a hijacked router. Since popular Wi-Fi networks are likely to be targeted, the number of individuals that the attackers could infect could be enormous.

According to Kaspersky Lab researcher Nikita Buckha, the changes the attackers make to the DNS settings are difficult to detect. Unless the Wi-Fi operator checks their DNS settings regularly, they are unlikely to realize that their Wi-Fi router has been hijacked. Buckha also says the change is persistent and will survive a reboot.

Buckha says the criminals behind the campaign have set up a website that promotes the two apps, and that the same website serves as the attackers’ command and control center. Security on the site was poor, allowing Kaspersky Lab to view a table showing how many routers had already been infected. At the time of Buckha’s blog post announcing the discovery of the Switcher Trojan, 1,280 Wi-Fi routers had been compromised, all of which were located in China.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news