Mon, 18 November , 2024 Home About Us Advertisement Contact Us
Breaking News

Switcher Trojan: Android joins the ‘attack-the- router’ club

kasperskyKaspersky Lab experts have uncovered a remarkable evolution in Android OS malware: the Switcher Trojan. It treats unsuspecting Android device users as tools to infect Wi-Fi routers, changing the routers’ DNS settings and redirecting traffic from devices connected to the network to websites controlled by the attackers, leaving users vulnerable to phishing, malware and adware attacks and more. The attackers claim to have successfully infiltrated 1,280 wireless networks so far, mainly in China.

Domain Name Servers (DNS) turn a readable web address such as ‘x.com’ into the numerical IP address required for communications between computers. The ability of the Switcher Trojan to hijack this process gives the attackers almost complete control over network activity which uses the name-resolving system, such as internet traffic. The approach works because wireless routers generally reconfigure the DNS settings of all devices on the network to their own – thereby forcing everyone to use the same rogue DNS.

The infection is spread by users downloading one of two versions of the Android Trojan from a website created by the attackers. The first version is disguised as an Android client of the Chinese search engine, Baidu, and the other is a well-made fake version of a popular Chinese app for sharing information about Wi-Fi networks: WiFi万能钥匙.

When an infected device connects to a wireless network, the Trojan attacks the router and tries to brute-force its way to the web admin interface by guessing the password, relying on a long, predefined list of password and login combinations. If the attempt is successful, the Trojan exchanges the existing DNS server for a rogue one controlled by the cybercriminals, and also a secondary DNS, to ensure ongoing stability if the rogue DNS goes down. The attackers have built a website to promote and distribute the Trojanized Wi-Fi app to users. The web server that hosts this site doubles as the malware authors’ command-and-control server. Internal infection statistics spotted on an open part of this website reveal the attackers’ claims to have compromised 1,280 websites – potentially exposing all the devices connected to them to further attack and infection.

The company recommends that all users check their DNS settings and search for the following rogue DNS servers:

101.200.147.153
112.33.13.11
120.76.249.59
If you have one of these servers in your DNS settings, contact your ISP support or alert the owner of the Wi-Fi network. Kaspersky Lab also strongly advises users to change the default login and password to the admin web interface of your router to prevent such attacks in the future.

Comments

comments