Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Network Security, Security Strategy, Plan, Budget, Incident Response, TDR, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

‘Switch’ leads to glitch: Android malware hijacks routers’ DNS settings

A newly discovered Android trojan can sabotage entire Wi-Fi networks and the users who connect to them by accessing the router that an infected device is communicating with and executing a Domain Name System (DNS) hijack attack.

According to Kaspersky Lab on Wednesday via its Securelist blog, the malware, named Switcher, uses a compromised Android device to pull up the local router's admin interface, and then attempts to gain top-level privileges by executing a brute-force attack that guesses commonly used or default log-in credentials. If successful, the malware opens the router's WAN settings and changes the IP address of the primary DNS server to that of a rogue one operated by the cybercriminals behind the campaign.

Consequently, future queries on this router's Wi-Fi network will be processed through the fake DNS server, which redirects traffic to malicious or fraudulent websites, likely for the purpose of serving up phishing scams, additional malware, and advertisements (the exact destinations are not publicly known at this time). Worse, in many cases, the attack will impact all devices that are connected to the Wi-Fi network, not just the device that was originally infected, the report warns.

The Kaspersky report noted that the brute-force attack is executed using JavaScript code specifically designed to work with the web interfaces of Wi-Fi routers manufactured by TP-Link. Asked why the attackers trained their sights on TP-Link, Kaspersky mobile security expert and blog post author Nikita Buchka cited the popularity of the company's router devices. However, “Cybercriminals are able to add code that will attack the devices of... other vendors, if they need to," Buchka added in an email interview with SC Media. "There are no limitations.”

SC Media has reached out to Shenzhen, China-based TP-Link for comment.

Based on the two versions of Switcher observed in the wild, the malware – discovered on December 20 – specifically targets Chinese users of Android devices. The first variation arrives in the guise of a mobile client for the Chinese search engine Baidu; the second is distributed via a phony version of a Chinese mobile app that is popular with business travelers and allows users to share information about Wi-Fi locations.

The fake app, which can be downloaded from a malicious third-party website set up by Switch's distributors, is a "good place to hide malware targeting routers, because users of such apps usually connect with many Wi-Fi- networks, thus spreading the infection,” Buchka explains in his blog post.

In his post, Buchka noted that the malicious changes to an affected router's settings will persist even after a reboot. Moreover, the malware establishes a second, back-up DNS address using Google's public DNS service, in case its malicious servers go down at any point. This failsafe provides gives the cybercriminal infrastructure more stability and defends against user discovery because victims will not receive an alert if the primary server is disabled.

Kaspersky recommends that users check their DNS settings for the the following IP addresses associated with the Switcher malware campaign:

  • 101.200.147.153
  • 112.33.13.11
  • 120.76.249.59

Creating stronger router admin passwords will also defend against this difficult-to-detect threat, Buchka confirmed.

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.
Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds