Android Malware Now Infects Wireless Routers to Hijack Network Traffic

Rafia Shaikh

Finding new Android malware is no longer a surprise, and often doesn't even make the headlines. However, researchers at Kaspersky Lab have come across a new Android trojan which they are calling "quite unique."

This latest Android trojan, dubbed "Switcher", doesn't attack the user but the WiFi router the user is connected to. Switcher hacks wireless routers and changes their DNS settings to redirect traffic to malicious websites. Clever, right? Here's how it works.

Android trojan uses DNS hijacking to infect routers

The malware has been disguised as an Android client for the Chinese search engine Baidu and as a Chinese app that is used for locating and sharing WiFi login information. Once users install either of these apps, the malware attempts to launch brute-force attacks to guess the router's admin password.

Switcher performs this brute-force password-guessing attack on the router’s admin web interface. If it succeeds, the malware then changes the addresses of the DNS servers in the router’s settings, rerouting all DNS queries from the connected devices to the servers of the attackers. This technique is known as DNS hijacking.

"With the help of JavaScript it tries to login using different combinations of logins and passwords. Judging by the hardcoded names of input fields and the structures of the HTML documents that the trojan tries to access, the JavaScript code used will work only on web interfaces of TP-LINK Wi-Fi routers," Nikita Buchka of Kaspersky Lab said in a blog post.

This brute-force attack is launched with a predefined dictionary of username and password combinations, including admin:admin, admin:123456, admin:1111111, admin:00000000, etc. If the interface is accessed, the Android trojan then replaces the device's primary and secondary DNS servers with IP addresses that point to rogue servers.

The DNS (Domain Name System) is used for resolving human-readable names into IP addresses. When attacked, the web router will communicate "with a completely different network resource. This could be a fake, saving all your search requests and sending them to the cybercriminals, or it could just be a random website with a bunch of pop-up ads or malware." The following images show the differences in how these queries are processed.


"Unfortunately, the most common configuration for Wi-Fi routers involves making the DNS settings of the devices connected to it the same as its own, thus forcing all devices in the network to use the same rogue DNS," Buchka warned. "The Trojan targets the entire network, exposing all its users, whether individuals or businesses, to a wide range of attacks - from phishing to secondary infection."
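
Because a hijacked router hands its DNS servers to every connected device, each device can audit the resolvers it was given. The following is an added example, not code from Kaspersky Lab or the original article; the allowlist, the gateway address 192.168.1.1 and the sample resolv.conf text are assumptions constructed for illustration.

```python
import ipaddress

# Assumed allowlist: the resolvers this network is meant to use (edit per site).
TRUSTED_RESOLVERS = frozenset({"9.9.9.9", "149.112.112.112"})

def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver entries from resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(fields[1])))
            except ValueError:
                servers.append(fields[1])  # keep malformed values so they get flagged
    return servers

def audit_dns(resolv_conf: str, gateway: str,
              trusted=TRUSTED_RESOLVERS) -> dict[str, str]:
    """Classify every resolver the router pushed to this device."""
    verdicts = {}
    for server in parse_nameservers(resolv_conf):
        if server in trusted:
            verdicts[server] = "ok"
        elif server == gateway:
            # The router proxies DNS, so a client cannot see its upstream servers;
            # those must be checked in the router's own settings page.
            verdicts[server] = "check-router-upstream"
        else:
            verdicts[server] = "unexpected"
    return verdicts

def hijack_suspected(verdicts: dict[str, str]) -> bool:
    """True when any configured resolver is neither trusted nor the gateway."""
    return "unexpected" in verdicts.values()

# Constructed samples; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
CLEAN = "nameserver 9.9.9.9\nnameserver 149.112.112.112\n"
CHANGED = "# pushed by DHCP\nnameserver 203.0.113.53\nnameserver 198.51.100.53\n"
PROXIED = "nameserver 192.168.1.1  # router acts as DNS proxy\n"

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("changed", CHANGED), ("proxied", PROXIED)):
        result = audit_dns(text, gateway="192.168.1.1")
        print(name, result, "ALERT" if hijack_suspected(result) else "")
```

A "check-router-upstream" verdict is not a clean result: it only means the device-side view is inconclusive and the router's configured primary and secondary DNS servers need to be compared against the allowlist directly.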
