跳到主体内容

Switcher Trojan: Android joins the ‘attack-the-router’ club

2016年12月28日

Newly-discovered Trojan uses unsuspecting Android device users as tools to redirect traffic from WiFi-connected devices to websites controlled by the attackers

Kaspersky Lab experts have uncovered a remarkable evolution in Android OS malware: the Switcher Trojan. It treats unsuspecting Android device users as tools to infect Wi-Fi routers, changing the routers’ DNS settings and redirecting traffic from devices connected to the network to websites controlled by the attackers, leaving users vulnerable to phishing, malware and adware attacks and more. The attackers claim to have successfully infiltrated 1,280 wireless networks so far, mainly in China.

Domain Name Servers (DNS) turn a readable web address such as ‘x.com’ into the numerical IP address required for communications between computers. The ability of the Switcher Trojan to hijack this process gives the attackers almost complete control over network activity which uses the name-resolving system, such as internet traffic. The approach works because wireless routers generally reconfigure the DNS settings of all devices on the network to their own – thereby forcing everyone to use the same rogue DNS.

The infection is spread by users downloading one of two versions of the Android Trojan from a website created by the attackers. The first version is disguised as an Android client of the Chinese search engine, Baidu, and the other is a well-made fake version of a popular Chinese app for sharing information about Wi-Fi networks:  WiFi万能钥匙.

When an infected device connects to a wireless network, the Trojan attacks the router and tries to brute-force its way to the web admin interface by guessing the password, relying on a long, predefined list of password and login combinations. If the attempt is successful, the Trojan exchanges the existing DNS server for a rogue one controlled by the cybercriminals, and also a secondary DNS, to ensure ongoing stability if the rogue DNS goes down. 

To illustrate, what normally happens is this:

Switcher-Trojan-1

Following a successful Switcher attack, this is what happens:

Switcher-Trojan-2

The attackers have built a website to promote and distribute the Trojanized Wi-Fi app to users. The web server that hosts this site doubles as the malware authors’ command-and-control (C&C) server. Internal infection statistics spotted on an open part of this website reveal the attackers’ claims to have compromised 1,280 websites – potentially exposing all the devices connected to them to further attack and infection.

“The Switcher Trojan marks a dangerous new trend in attacks on connected devices and networks. It does not attack users directly. Instead, it turns them into unwilling accomplices: physically moving sources of infection. The Trojan targets the entire network, exposing all its users, whether individuals or businesses, to a wide range of attacks - from phishing to secondary infection. A successful attack can be hard to detect and even harder to shift: the new settings can survive a router reboot, and even if the rogue DNS is disabled, the secondary DNS server is on hand to carry on. Protecting devices is as important as ever, but in a connected world we cannot afford to overlook the vulnerability of routers and Wi-Fi networks,” said Nikita Buchka, mobile security expert, Kaspersky Lab.

The company recommends that all users check their DNS settings and search for the following rogue DNS servers:

  • 101.200.147.153
  • 112.33.13.11
  • 120.76.249.59

If you have one of these servers in your DNS settings, contact your ISP support or alert the owner of the Wi-Fi network. Kaspersky Lab also strongly advises users to change the default login and password to the admin web interface of your router to prevent such attacks in the future.

To learn more about the Switcher Trojan, read the blogpost on Securelist.

Switcher Trojan: Android joins the ‘attack-the-router’ club

Newly-discovered Trojan uses unsuspecting Android device users as tools to redirect traffic from WiFi-connected devices to websites controlled by the attackers
Kaspersky logo

关于卡巴斯基

卡巴斯基是一家成立于1997年的全球网络安全和数字隐私公司。卡巴斯基不断将深度威胁情报和安全技术转化成创新的安全解决方案和服务,为全球的企业、关键基础设施、政府和消费者提供安全保护。公司提供全面的安全产品组合,包括领先的端点保护解决方案以及多种针对性的安全解决方案和服务,以及用于应对复杂和不断变化的数字威胁的网络免疫解决方案。全球有超过4亿用户使用卡巴斯基技术保护自己,我们还帮助全球200,000家企业客户保护最重要的东西。要了解更多详情,请访问www.kaspersky.com.cn.

相关文章 企业新闻