The Russian cybersecurity company Kaspersky has warned of an Android Trojan that uses compromised devices to attack WiFi routers.
Dubbed “the Switcher Trojan”, it is distributed through counterfeit versions of popular apps, and rather than exploiting the compromised devices directly, it seeks to take control of WiFi routers in order to redirect traffic.
Once infected, Switcher forces access to the WiFi network’s router and then changes DNS settings in order to re-direct traffic from devices connected to the network to a rogue DNS server.
This server tricks devices into communicating with websites controlled by the attackers, leaving users vulnerable to phishing, malware, adware and other attacks. Kaspersky warns that a successful attack can not only be hard to detect, but it can be even harder to eradicate.
The Trojan is not yet widespread; figures taken from the malware creators’ own command-and-control server indicate that approximately 1,280 wireless networks, mainly in China, have been compromised so far.
Switcher is currently distributed as a phony app for Baidu, a popular Chinese search engine, or an app popular in China for enabling users to share information about WiFi networks. The server that hosts a website built by the malware authors to promote and distribute one of the apps also doubles as the malware authors’ command-and-control (C&C) server.
Kaspersky got the figures for the number of infections directly from a part of this website that was accidentally left open.
“The Switcher Trojan marks a dangerous new trend in attacks on connected devices and networks,” Nikita Buchka, mobile security expert from Kaspersky, warns. “It does not attack users directly. Instead, it turns them into unwilling accomplices: physically moving sources of infection. The Trojan targets the entire network, exposing all its users, whether individuals or businesses, to a wide range of attacks – from phishing to secondary infection.
“A successful attack can be hard to detect and even harder to shift: the new settings can survive a router reboot, and even if the rogue DNS is disabled, a secondary DNS server is on hand to carry on.”
An easy way to check for infection is to look at your router’s DNS settings. If they point to any one of the following IP addresses, then you have a problem, warns Kaspersky:
- 101.200.147.153;
- 112.33.13.11;
- 120.76.249.59.
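The check above can be automated. The following is an added example, not code from the article or from Kaspersky: it pulls every IPv4 address out of a pasted resolver configuration, DHCP lease or router status dump and reports any that match the three indicators listed above, so the secondary DNS entry Kaspersky mentions is caught as well as the primary. The sample inputs are constructed, not real captures.

```python
import ipaddress
import re

# Rogue DNS servers Kaspersky attributes to Switcher (the three addresses listed in the article).
SWITCHER_DNS_IOCS = frozenset({
    "101.200.147.153",
    "112.33.13.11",
    "120.76.249.59",
})

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ipv4(text):
    """Return every syntactically valid IPv4 address in text, first-seen order, de-duplicated."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            addr = str(ipaddress.IPv4Address(candidate))
        except ipaddress.AddressValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        if addr not in found:
            found.append(addr)
    return found


def find_rogue_dns(text, indicators=SWITCHER_DNS_IOCS):
    """Return the indicator addresses present in a resolver config, DHCP lease or router status dump."""
    return [ip for ip in extract_ipv4(text) if ip in indicators]


# Constructed sample inputs (not real captures).
CLEAN_RESOLV_CONF = "# Generated by NetworkManager\nnameserver 192.168.1.1\n"

# Primary resolver replaced, with a second rogue server as the secondary, as the article describes.
HIJACKED_RESOLV_CONF = "# Generated by NetworkManager\nnameserver 101.200.147.153\nnameserver 112.33.13.11\n"

# Windows ipconfig-style output where only one of the two DNS servers is rogue.
HIJACKED_IPCONFIG = (
    "   Default Gateway . . . . . . . . . : 192.168.1.1\n"
    "   DNS Servers . . . . . . . . . . . : 120.76.249.59\n"
    "                                       8.8.8.8\n"
)

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_RESOLV_CONF),
                         ("hijacked", HIJACKED_RESOLV_CONF),
                         ("ipconfig", HIJACKED_IPCONFIG)]:
        hits = find_rogue_dns(sample)
        print(f"{name}: {'ROGUE DNS ' + ', '.join(hits) if hits else 'no Switcher indicators'}")
```

Run it against the DNS section of your router’s status page or the output of `cat /etc/resolv.conf` / `ipconfig /all` copied into a file; any hit means the settings were changed and should be restored and the router password changed.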