Android users are a constant target of malicious threats; recently there was the Super Mario malware game. Now there is a new Trojan, discovered by Kaspersky Lab researchers, known as the Switcher Trojan. It is called Switcher because it first infects the Wi-Fi router the device is connected to and then switches users of that infected network to various infected sites.
The Trojan does not directly target the users; it acts as a facilitator of attacks, eventually turning victims into its co-conspirators by using their devices to switch the whole network over to infected sites.
Analysis by Kaspersky Lab researchers revealed that there are two versions of this malware currently affecting Android devices. Both versions are being used to hijack nearly 1,280 wireless networks.
Kaspersky’s mobile security expert Nikita Buchka states: “Most of these infected networks are located in China. One of the two versions pretends to be a mobile client for Baidu, a popular Chinese search engine, while the other appears as a version of an app that locates and shares WiFi login information.”
Whenever a user installs either of the two versions, the malware immediately sets about infecting the router by brute-forcing, which is a password-guessing attack.
Research also showed that the malware carries a list of over two dozen username and password combinations, which it tries in turn to gain access to the router’s web admin interface.
Once that succeeds, the Switcher Trojan swaps the router’s DNS server addresses for a fake server controlled by the attacker(s). The IP addresses used by the malware are 184.108.40.206, 220.127.116.11 and 18.104.22.168. There is also an extra DNS server that comes in handy for the attackers when the fake one does not perform or is detected.
After that, all the requests from devices on the infected network are re-routed to the attackers’ servers. This leaves the victims exposed to all sorts of attacks, including phishing, malware, redirection and adware.
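The rogue-DNS step above is the part a defender can check for from any client on the network. The following added example (not Kaspersky’s code and not the malware’s) does two things: it parses a resolv.conf-style resolver configuration and flags any nameserver that is on the page’s list of rogue addresses or outside an expected allow-list, and it compares answers from the local resolver with answers from a trusted out-of-band resolver to spot hijacked hostnames. The three rogue IPs are the ones named on the page; the sample configuration text, hostnames and answer sets are constructed for the demonstration.

```python
"""Client-side checks for the DNS-hijack pattern described above (added example)."""
import ipaddress
import re

# Rogue DNS addresses named on the page.
ROGUE_DNS = frozenset({"184.108.40.206", "220.127.116.11", "18.104.22.168"})

# Constructed sample: resolver settings a client would pick up over DHCP
# from a router whose DNS servers have been rewritten.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client (constructed sample)
nameserver 184.108.40.206
nameserver 8.8.8.8
search lan
"""

# Constructed sample answers: what the local (router-supplied) resolver returned
# versus what a trusted resolver reached out-of-band (e.g. over a VPN) returned.
SAMPLE_LOCAL_ANSWERS = {
    "bank.example": ["203.0.113.7"],      # attacker-controlled phishing host
    "news.example": ["198.51.100.4"],
}
SAMPLE_TRUSTED_ANSWERS = {
    "bank.example": ["198.51.100.20"],
    "news.example": ["198.51.100.4"],
}


def parse_nameservers(resolv_conf_text):
    """Return nameserver IPs from resolv.conf-style text, ignoring comments
    and skipping entries that are not valid IP addresses."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"nameserver\s+(\S+)$", line)
        if not match:
            continue
        try:
            servers.append(str(ipaddress.ip_address(match.group(1))))
        except ValueError:
            continue  # malformed entry: report nothing rather than crash
    return servers


def find_rogue_resolvers(servers, rogue=ROGUE_DNS):
    """Nameservers that match the known rogue addresses."""
    return [s for s in servers if s in rogue]


def unexpected_resolvers(servers, expected):
    """Nameservers outside the allow-list the network owner configured.
    This catches a rewrite even when the attacker uses fresh addresses."""
    return [s for s in servers if s not in expected]


def compare_resolutions(local_answers, trusted_answers):
    """Hostnames for which the local resolver returned an address that the
    trusted resolver did not: the tell-tale of a rogue DNS server pointing
    clients at attacker-controlled hosts."""
    mismatches = {}
    for host, local_ips in local_answers.items():
        trusted = set(trusted_answers.get(host, ()))
        unexpected = sorted(set(local_ips) - trusted)
        if unexpected:
            mismatches[host] = unexpected
    return mismatches


if __name__ == "__main__":
    servers = parse_nameservers(SAMPLE_RESOLV_CONF)
    print("configured resolvers:", servers)
    print("known rogue resolvers:", find_rogue_resolvers(servers))
    print("not on allow-list:", unexpected_resolvers(servers, {"8.8.8.8"}))
    print("hijacked answers:", compare_resolutions(SAMPLE_LOCAL_ANSWERS,
                                                   SAMPLE_TRUSTED_ANSWERS))
```

To use this for real, feed `parse_nameservers` the resolver settings your device actually received from the router, and build the two answer dictionaries by querying the same hostnames once through the router-supplied resolver and once through a resolver reached outside the local network. Treat a resolution mismatch as a lead rather than proof, since CDN-backed hostnames legitimately return different addresses to different resolvers; a resolver address that is on the rogue list, or off the allow-list, is the stronger signal, and the fix is to reset the router’s DNS settings and change its admin password.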
Kaspersky Lab researchers noted that:
The ability of the Switcher Trojan to hijack [DNS] gives the attackers almost complete control over network activity which uses the name resolving system, such as internet traffic. The approach works because wireless routers generally reconfigure the DNS settings of all devices on the network to their own – thereby forcing everyone to use the same rogue DNS.