[Image: TP-Link router]

An Android trojan named Switcher (Trojan.AndroidOS.Switcher) targets Android devices in order to take over local WiFi routers and hijack the web traffic passing through them.

Discovered by security researchers from Kaspersky Lab, the trojan is currently distributed to Chinese users as a clone of the official Baidu Android app (com.baidu.com) and as an app for sharing the details and passwords of public and private WiFi networks (com.snda.wifilocating).

Switcher brute-forces local WiFi routers

After infecting a phone or tablet, the trojan starts by collecting information about the WiFi network the device is connected to.

Switcher sends this information to a publicly reachable C&C server, which works out the user's ISP and decides which DNS server addresses to push to the router at a later stage.

Once the trojan gets the go-ahead from its C&C server, it attempts to log in to the admin interface of the user's home WiFi router by trying a fixed set of default credentials. The full list (username:password) is below:

admin:00000000
admin:admin
admin:123456
admin:12345678
admin:123456789
admin:1234567890
admin:66668888
admin:1111111
admin:88888888
admin:666666
admin:87654321
admin:147258369
admin:987654321
admin:66666666
admin:112233
admin:888888
admin:000000
admin:5201314
admin:789456123
admin:123123
admin:789456123
admin:0123456789
admin:123456789a
admin:11223344
admin:123123123

Several router brands ship with these username-password combinations on their admin accounts, but the researchers say that because of the way the login is performed (the trojan's login routine is written for the authentication scheme of the TP-Link web interface), the attack only succeeds against WiFi routers manufactured by TP-Link.
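The practical check a home user or admin wants at this point is whether their own router accepts any entry on that list. The script below is an added example, not Kaspersky's tooling or the trojan's code: it replays the credential list against an admin URL using HTTP Basic authentication (the scheme the TP-Link web interface uses, and the reason the attack only works there) and reports the first pair the router accepts. It assumes a 401 response means "rejected" and a 2xx means "accepted". The embedded mock router, the realm string and the accepted pair `admin:66668888` are constructed so the example runs offline; run `audit_router` only against routers you own.

```python
"""Audit a router's HTTP Basic-auth admin login against the Switcher list.

Added example (not Kaspersky Lab's or the trojan's code). Assumes the admin
page answers HTTP Basic auth: 401 = credentials rejected, 2xx = accepted.
"""
import base64
import http.server
import threading
import urllib.error
import urllib.request

# Credential list as reported in the article (duplicates removed).
SWITCHER_CREDS = [
    "admin:00000000", "admin:admin", "admin:123456", "admin:12345678",
    "admin:123456789", "admin:1234567890", "admin:66668888", "admin:1111111",
    "admin:88888888", "admin:666666", "admin:87654321", "admin:147258369",
    "admin:987654321", "admin:66666666", "admin:112233", "admin:888888",
    "admin:000000", "admin:5201314", "admin:789456123", "admin:123123",
    "admin:0123456789", "admin:123456789a", "admin:11223344", "admin:123123123",
]


def try_basic_auth(url, username, password, timeout=3.0):
    """Return True if the server accepts username:password via HTTP Basic."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300          # page served: accepted
    except urllib.error.HTTPError as err:
        return False if err.code == 401 else False   # 401 (or other 4xx/5xx): rejected


def audit_router(url, creds=SWITCHER_CREDS):
    """Return the first (user, password) pair the router accepts, or None."""
    for entry in creds:
        user, _, password = entry.partition(":")
        if try_basic_auth(url, user, password):
            return (user, password)
    return None


class _MockRouter(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a Basic-auth admin page; accepts one pair only."""
    ACCEPTED = "Basic " + base64.b64encode(b"admin:66668888").decode()

    def do_GET(self):
        if self.headers.get("Authorization", "") == self.ACCEPTED:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"<html>router status page</html>")
        else:
            self.send_response(401)
            # Realm text is made up for the example.
            self.send_header("WWW-Authenticate", 'Basic realm="Wireless Router"')
            self.end_headers()

    def log_message(self, *args):      # keep the demo output quiet
        pass


def start_mock_router():
    """Start the constructed mock on a free loopback port; returns (server, url)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _MockRouter)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


if __name__ == "__main__":
    server, target = start_mock_router()
    print("accepted credential:", audit_router(target))   # ('admin', '66668888')
    server.shutdown()
```

Point `audit_router` at your own router's admin URL (typically `http://192.168.1.1/` or `http://192.168.0.1/`) in place of the mock. A `None` result means none of the listed pairs work; anything else is the pair Switcher would have used, and changing that password is the first fix.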

Switcher hijacks the routers' DNS records

Once the trojan has authenticated to the router, it replaces the router's DNS settings with the IP address received from the C&C server. According to Kaspersky, Switcher has so far used three different IP addresses as the primary DNS server:

101.200.147.153
112.33.13.11
120.76.249.59

The router hands these DNS settings (via DHCP) to every device that joins the network, so the rogue resolver ends up on each computer and phone behind it. Users should check their DNS settings and see whether their computer or phone is using one of these three IPs.

Additionally, Switcher sets the secondary DNS server to 8.8.8.8 (Google's public DNS) so that name resolution keeps working if the malicious server goes down. This keeps the victim's Internet connection running, and the victim unsuspecting, until the crooks move them to a new rogue DNS server.
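The check recommended above can be scripted. The code below is an added example (not Kaspersky's tooling): it pulls the configured resolvers out of a Linux/macOS `/etc/resolv.conf` or a Windows `ipconfig /all` listing, matches them against the three indicator addresses from the article, and flags the 8.8.8.8-as-secondary pattern, since a Google fallback next to an unknown primary is exactly what Switcher leaves behind and should not be read as reassuring. The two sample configurations are constructed; the indicator list is the one above.

```python
"""Check resolver settings for the Switcher DNS indicators.

Added example, not Kaspersky Lab's code. Indicator addresses are the three
primary DNS servers reported in the article; the sample configs below are
constructed for the demo.
"""
import ipaddress
import re
from pathlib import Path

SWITCHER_DNS = {"101.200.147.153", "112.33.13.11", "120.76.249.59"}
GOOGLE_DNS = "8.8.8.8"
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: Windows host behind a hijacked router.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 101.200.147.153
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed sample: Linux host that resolves through the router itself.
SAMPLE_RESOLV = """\
# Generated by NetworkManager
search lan
nameserver 192.168.1.1
"""


def parse_resolv_conf(text):
    """Nameservers from a resolv.conf, in the order they are listed."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_ipconfig(text):
    """DNS servers from `ipconfig /all`. Extra servers appear on indented
    continuation lines under 'DNS Servers' without a ' : ' label separator."""
    servers, in_dns = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns = True
            servers += _IPV4.findall(line.split(":", 1)[-1])
        elif in_dns and line.startswith(" ") and " : " not in line:
            servers += _IPV4.findall(line)
        else:
            in_dns = False
    return servers


def _is_private(addr):
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def assess(servers):
    """Match resolvers against the indicators; return a dict of findings."""
    hits = [s for s in servers if s in SWITCHER_DNS]
    return {
        "infected": bool(hits),
        "hits": hits,
        # Switcher pairs its rogue primary with 8.8.8.8 as secondary.
        "google_fallback": GOOGLE_DNS in servers[1:],
        # If the only resolver is the router (RFC 1918 address), the rogue
        # server may be configured on the router and invisible from here.
        "router_is_resolver": bool(servers) and all(_is_private(s) for s in servers),
    }


def local_resolvers():
    """Resolvers of the machine this runs on (Linux/macOS only)."""
    path = Path("/etc/resolv.conf")
    return parse_resolv_conf(path.read_text()) if path.exists() else []


if __name__ == "__main__":
    print("windows sample:", assess(parse_ipconfig(SAMPLE_IPCONFIG)))
    print("linux sample:  ", assess(parse_resolv_conf(SAMPLE_RESOLV)))
    print("this host:     ", assess(local_resolvers()))
```

When `router_is_resolver` is true the host-side check is inconclusive: the DNS address DHCP handed out is the router's own, and the hijacked upstream server is only visible in the router's WAN or DHCP settings, which is where the comparison against the three indicators then has to be made.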

Hijacking DNS settings simplifies phishing operations

Hijacking DNS settings is a long-established malware technique, used by many families in the past. The point of controlling a victim's DNS is to re-route requests for legitimate websites to clones hosted on the crooks' own servers.

This way, the attacker can collect login credentials for banking portals, social media profiles, online stores, and others.

More recently, exploit kits such as Stegano have also started targeting home routers in order to hijack web traffic and inject unwanted ads.

[Image: Number of Switcher infections. Public folder on the Switcher C&C server. Source: Kaspersky Lab]

Kaspersky Lab malware analyst Nikita Buchka said the Switcher operators forgot to protect their C&C server from public access, which allowed analysts to take a look at the operation from the inside.

He says he was able to access the C&C server folders, where he found evidence that the Switcher malware had infected 1,280 routers and hijacked traffic within those networks.