Switcher Malware Targets Routers DNS via Smartphone


A saying goes that there is a string connecting us that is invisible to the eye. In today's world, wires that literally connect us for communication would be inconvenient and confining.

So came wireless technology, which makes connecting easier and more mobile. But because wireless connections have become commonplace for most of us, we take the technology behind them for granted. We tend to forget that attackers never run out of security threats such as malware, and that they can turn our own devices into tools for these attacks.

Trojan from Android can now hijack routers through DNS

Kaspersky Lab has discovered an Android Trojan that hijacks entire Wi-Fi networks and dubbed it Switcher.

Switcher doesn't directly attack the Android device itself. The scheme turns the victim into an accomplice: the compromised device, such as a smartphone or tablet, is used as a tool to attack whatever wireless network it is connected to.

The cybercriminals behind the campaign made two versions of this malware. One is distributed for Android in the guise of Baidu (com.baidu.com), China's leading search engine, and the other as a popular Chinese app for business travelers that locates and shares Wi-Fi login information (com.snda.wifilocating).

Once the user installs either of these apps, Switcher carries out a brute-force attack on the router's default web interface, guessing with a set of commonly used passwords and default login credentials. Once it succeeds, it opens the router's WAN settings and performs Domain Name System (DNS) hijacking: it swaps the IP address of the primary DNS server for a rogue server controlled by the attackers, so that the traffic of every device on the network is rerouted, and sets a backup DNS pointing at Google's public DNS service.

Subsequent queries on the router's Wi-Fi network are processed by the counterfeit DNS server, which redirects traffic to malicious or fraudulent sites serving more malware, adware, advertisements, and phishing scams. What is more alarming is that all connected devices are affected, not just the originally infected one, and the effect persists even after a reboot.

In a blog post, Kaspersky's mobile security expert Nikita Buchka said that the brute-force attack is executed with the help of JavaScript code and works only on TP-LINK Wi-Fi routers. He added that the popularity of the company's routers is what made the attackers aim at TP-Link.

In addition, he said that the Switcher Trojan's hijack approach works because of one weakness in the usual Wi-Fi router configuration: the router hands every connected device the same DNS settings it uses itself, forcing everyone on the network to use the hijacked DNS.

However, the Switcher creators left a loophole in their command-and-control website: it exposed a table of internal infection statistics that was publicly viewable. It boasts of compromising 1,280 Wi-Fi networks, most of them in China, "- potentially exposing all the devices connected to them to further attack and infection.", in Buchka's words.

Kaspersky advised users to check their DNS settings and warned of the following rogue servers: 101.200.147.153, 112.33.13.11, and 120.76.249.59.
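The check Kaspersky recommends can be scripted. The following is an added example, not code from the article or from Kaspersky: it parses a resolv.conf-style resolver configuration (the sample text is constructed here) and flags any resolver that matches the three rogue addresses quoted above, as well as any resolver outside an allowlist the operator defines (the allowlist contents are an assumption). A hijacked setup is reported even when the backup resolver is a legitimate Google public DNS address, because clients query the primary resolver first.

```python
"""Audit configured DNS resolvers against the Switcher rogue-server list."""
import ipaddress
import re

# Rogue resolvers published by Kaspersky (values quoted from the article).
SWITCHER_ROGUE_DNS = {"101.200.147.153", "112.33.13.11", "120.76.249.59"}

# Resolvers this household expects to see: the router itself plus Google
# public DNS. Assumption for the example; adjust to your own environment.
EXPECTED_DNS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}

# Constructed sample configurations for demonstration (not real captures).
HIJACKED_RESOLV_CONF = """\
# Generated by DHCP client
nameserver 101.200.147.153
nameserver 8.8.8.8
"""

CLEAN_RESOLV_CONF = """\
nameserver 192.168.1.1
nameserver 8.8.8.8
"""


def parse_resolv_conf(text):
    """Return the nameserver IPs from resolv.conf-style text, in query order.

    Comments are stripped and entries that are not valid IP addresses are
    ignored, so malformed lines cannot hide a rogue entry behind a parse error.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"nameserver\s+(\S+)$", line)
        if not match:
            continue
        try:
            servers.append(str(ipaddress.ip_address(match.group(1))))
        except ValueError:
            continue  # not an IP literal; skip it
    return servers


def audit_dns(servers, rogue=SWITCHER_ROGUE_DNS, expected=EXPECTED_DNS):
    """Classify each resolver as 'rogue', 'ok' (allowlisted) or 'unexpected'."""
    findings = []
    for position, ip in enumerate(servers):
        if ip in rogue:
            verdict = "rogue"
        elif ip in expected:
            verdict = "ok"
        else:
            verdict = "unexpected"
        findings.append({"position": position, "server": ip, "verdict": verdict})
    return findings


def is_hijacked(findings):
    """One rogue entry is enough: the primary resolver answers first, and a
    legitimate backup only covers outages of the rogue one."""
    return any(f["verdict"] == "rogue" for f in findings)


def audit_text(text):
    """Convenience wrapper: parse a configuration and return (hijacked, findings)."""
    findings = audit_dns(parse_resolv_conf(text))
    return is_hijacked(findings), findings


if __name__ == "__main__":
    for label, conf in (("hijacked sample", HIJACKED_RESOLV_CONF),
                        ("clean sample", CLEAN_RESOLV_CONF)):
        hijacked, findings = audit_text(conf)
        print(f"{label}: hijacked={hijacked}")
        for f in findings:
            print(f"  #{f['position']} {f['server']}: {f['verdict']}")
```

The same audit applies to the router's WAN DNS fields, which is where Switcher makes the change: copy the primary and secondary resolver addresses from the router's admin page into a list and pass it to `audit_dns`. An "unexpected" verdict is not proof of compromise, but it is the prompt to confirm where that resolver came from.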

A similar incident happened before to a number of router users in Germany, involving a nasty malware called Mirai. In that case the routers were not at risk from weak usernames and passwords; instead, port 7547, which is used to remotely manage the devices, was left open.

To avoid these mishaps and future security breaches, Buchka recommended setting stronger router admin passwords. Take a look at this wireless router comparison guide if you're looking for a new router to install at home.

Other precautions include downloading apps only from the official Google Play store and turning off the "Unknown sources" option in your device's security settings. This in-depth wireless router configuration guide can walk you through your router's installation, but always remember to read up on how to fortify your connection against DNS hijacking.
