Finding new Android malware is no longer a surprise, and often doesn't even make the headlines. However, researchers at Kaspersky Lab have come across a new Android trojan which they call "quite unique."
This latest Android trojan, dubbed "Switcher," doesn't attack the user's phone directly but the WiFi router the phone is connected to. Switcher logs in to wireless routers with guessed credentials and changes their DNS settings so that the traffic of every device on the network is redirected to attacker-controlled servers. Clever, right? Here's how it works.
Android trojan brute-forces routers to hijack their DNS settings
The malware has been disguised as an Android client for the Chinese search engine Baidu and as a Chinese app used for locating and sharing WiFi login information. Once a user installs either of these apps, the malware attempts a brute-force attack against the admin web interface of the router the phone is connected to, trying to guess the login password.
The password guessing is only the first step; the actual attack is a DNS hijack. The brute-force attack uses a predefined dictionary of username and password combinations, including admin:admin, admin:123456, admin:1111111, admin:00000000, etc. If a login succeeds, the trojan replaces the router's primary and secondary DNS server addresses with IP addresses that point to rogue servers, rerouting all DNS queries from the connected devices to servers run by the attackers.
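The two steps described above, guessing the router's admin credentials from a short dictionary and then rewriting its DNS servers, are modelled below against an in-memory stand-in for a router admin interface, alongside the check a defender would want to run afterwards: comparing the resolvers the router is actually configured with against an allowlist. This is an added example, not Kaspersky's code or any part of Switcher; the `FakeRouter` class, the `203.0.113.x` rogue resolver addresses and the allowlisted networks are all constructed for illustration, and the dictionary contains only the four pairs the article quotes.

```python
"""Model of the Switcher-style router attack and a defender's resolver check.

Added example, not the trojan's code. FakeRouter is a constructed in-memory
stand-in for a consumer router's admin web interface.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import ipaddress

# The username:password pairs named in the article. Switcher's real list is
# longer; only the quoted ones are included here.
SWITCHER_DICTIONARY = [
    ("admin", "admin"),
    ("admin", "123456"),
    ("admin", "1111111"),
    ("admin", "00000000"),
]


@dataclass
class FakeRouter:
    """Constructed stand-in for a router admin interface (no network I/O)."""
    username: str
    password: str
    # Default: clients are told to resolve via the router itself.
    dns_servers: List[str] = field(default_factory=lambda: ["192.168.1.1"])
    failed_logins: int = 0

    def login(self, user: str, pw: str) -> bool:
        ok = (user, pw) == (self.username, self.password)
        if not ok:
            self.failed_logins += 1
        return ok

    def set_dns(self, user: str, pw: str, primary: str, secondary: str) -> bool:
        """Rewrite the primary/secondary resolvers; requires a valid login."""
        if not self.login(user, pw):
            return False
        self.dns_servers = [primary, secondary]
        return True


def brute_force(router: FakeRouter, dictionary=SWITCHER_DICTIONARY) -> Optional[Tuple[str, str]]:
    """Try each dictionary pair in order; return the first that works, else None."""
    for user, pw in dictionary:
        if router.login(user, pw):
            return (user, pw)
    return None


def hijack_dns(router: FakeRouter, rogue_primary: str, rogue_secondary: str,
               dictionary=SWITCHER_DICTIONARY) -> bool:
    """The attack as the article describes it: guess credentials, then point
    the router at rogue resolvers. Returns True only if the DNS was changed."""
    creds = brute_force(router, dictionary)
    if creds is None:
        return False
    return router.set_dns(creds[0], creds[1], rogue_primary, rogue_secondary)


def rogue_resolvers(configured: List[str], trusted: List[str]) -> List[str]:
    """Defender's check: return every configured resolver that is not inside
    one of the trusted addresses/networks (e.g. the LAN and the ISP's range)."""
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    return [r for r in configured
            if not any(ipaddress.ip_address(r) in n for n in nets)]


if __name__ == "__main__":
    weak = FakeRouter("admin", "123456")
    print("hijacked:", hijack_dns(weak, "203.0.113.10", "203.0.113.11"))
    print("rogue:", rogue_resolvers(weak.dns_servers, ["192.168.1.0/24", "198.51.100.0/24"]))
    strong = FakeRouter("admin", "correct horse battery staple")
    print("hijacked:", hijack_dns(strong, "203.0.113.10", "203.0.113.11"))
    print("failed logins seen by router:", strong.failed_logins)
```

Two things the model makes visible that the prose does not: a router with any password outside the dictionary is untouched (the attack has no fallback beyond the list), and the dictionary run leaves a burst of failed admin logins behind, which is the one trace a router log would show. The `rogue_resolvers` check is the same comparison an admin can do by hand against the DHCP settings page: any resolver outside the LAN or the ISP's known range after such a burst is the sign of a hijack.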
The DNS (Domain Name System) resolves human-readable names (e.g. google.com) into IP addresses. Once the router has been pointed at rogue resolvers, a device behind it that looks up a name will communicate "with a completely different network resource. This could be a fake google.com, saving all your search requests and sending them to the cybercriminals, or it could just be a random website with a bunch of pop-up ads or malware." The following images show the difference in how these queries are processed.
"Unfortunately, the most common configuration for Wi-Fi routers involves making the DNS settings of the devices connected to it the same as its own, thus forcing all devices in the network to use the same rogue DNS," Kaspersky Lab researcher Nikita Buchka warned. "The Trojan targets the entire network, exposing all its users, whether individuals or businesses, to a wide range of attacks - from phishing to secondary infection."