An Android trojan named Switcher (Trojan.AndroidOS.Switcher) targets Android devices in order to take over local WiFi routers and hijack the web traffic passing through them.
Discovered by security researchers from Kaspersky Lab, this trojan is currently distributed among Chinese users as a clone of the official Baidu Android app (com.baidu.com), and as an application for sharing details and passwords about public and private WiFi networks (com.snda.wifilocating).
The way this trojan works is by collecting information on the user's WiFi network after infecting a phone or tablet.
Switcher sends this information to a public C&C server, which determines the user's ISP and decides on what DNS records to use at a later stage.
Once the trojan gets the go-ahead from its C&C server, Switcher attempts to login on the user's home WiFi router by trying a set of default admin credentials. The full list is available below:
Different router models utilize these username-password combos for their admin accounts, but researchers say that based on the authentication method employed, the attack will only be successful against WiFi routers manufactured by TP-Link.
Once the trojan has authenticated on a local router, it goes on to modify the router's DNS settings with the IP address received from the C&C server. According to Kaspersky, until now, Switcher has used three different IP addresses as the primary DNS record.
220.127.116.11 18.104.22.168 22.214.171.124
The router's role is to broadcast these DNS settings to all the computers that want to connect. Users should check their DNS settings and see if their computer or phone uses one of these three IPs.
Additionally, Switcher also sets the secondary DNS server to 126.96.36.199 (Google public DNS server), in case the malicious DNS server goes down. This keeps the user's Internet connection running until crooks migrate victims to a new DNS server.
Hijacking DNS servers is an ancient malware technique, used by multiple families in the past. The reason behind hijacking DNS servers is to re-route users to clones of legitimate websites, hosted on the crooks' own servers.
This way, the attacker can collect login credentials for banking portals, social media profiles, online stores, and others.
More recently, exploit kits such as Stegano have also started targeting home routers, in order to hijack web traffic and insert unwanted ads.
Kaspersky Lab malware analyst Nikita Buchka said the Switcher group forgot to protect their C&C server from public access, which allowed analysts to take a loot at their operation from within.
He says he was able to access the C&C server folders, where he found evidence that the Switcher malware had infected 1,280 routers and hijacked traffic within those networks.