A newly discovered Android trojan can sabotage entire wi-fi networks and the users connected to them by accessing their router and executing a Domain Name System (DNS) hijack attack.
According to Kaspersky Lab's Securelist blog, the malware, named Switcher, uses a compromised Android device to pull up the local router's admin interface, and then attempts to gain top-level privileges by executing a brute-force attack that guesses commonly used or default log-in credentials.
If successful, the malware opens the router's WAN settings and changes the IP address of the primary DNS server to that of a rogue DNS server operated by the attackers.
Consequently, future queries on this router's wi-fi network will be processed through the fake DNS server, which redirects traffic to malicious or fraudulent websites, for the purpose of serving up phishing scams, additional malware, and advertisements (the exact destinations are not publicly known at this time).
In many cases, the attack will impact all devices that are connected to the wi-fi network, not just the device that was originally infected, the report warns.
Asked why the attackers trained their sights on TP-Link, Kaspersky mobile security expert and blog post author Nikita Buchka pointed to the popularity of the company's router devices.
He added, "cybercriminals are able to add code that will attack the devices of ... other vendors, if they need to".
"There are no limitations."
SC Media has reached out to Shenzhen, China-based TP-Link for comment.
Based on the two versions of Switcher observed in the wild, the malware – discovered on December 20 – specifically targets Chinese users of Android devices. The first variation arrives in the guise of a mobile client for the Chinese search engine Baidu; the second is distributed via a phony version of a Chinese mobile app that is popular with business travelers and allows users to share information about wi-fi locations.
The fake app, which can be downloaded from a malicious third-party website set up by Switcher's distributors, is a "good place to hide malware targeting routers, because users of such apps usually connect with many wi-fi networks, thus spreading the infection," Buchka explains in his blog post.
He also noted that the malicious changes to an affected router's settings will persist even after a reboot. The malware establishes a second, back-up DNS address using Google's public DNS service, in case its malicious servers go down at any point. This failsafe gives the cybercriminal infrastructure more stability and defends against user discovery because victims will not receive an alert if the primary server is disabled.
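The failsafe layout described above (an unknown primary resolver paired with a Google public DNS backup) is something a defender can check for directly. The following script is an added example, not code from the Kaspersky report: it parses resolv.conf-style nameserver lines as a client on the wi-fi network would hold them and classifies them. The indicator list is a placeholder using RFC 5737 documentation addresses, to be replaced with the IPs published in the Securelist post; the trusted resolver set is whatever the router is expected to hand out.

```python
import ipaddress

# Google's public resolvers, which Switcher configures as the backup DNS so
# queries keep resolving if its own server goes down.
GOOGLE_PUBLIC_DNS = {"8.8.8.8", "8.8.4.4"}

# Placeholder indicator list (RFC 5737 documentation addresses, constructed).
# Replace with the Switcher DNS addresses published in the Securelist post.
SWITCHER_DNS_IOCS = {"192.0.2.10", "192.0.2.11"}


def parse_nameservers(resolv_conf: str) -> list:
    """Return the nameserver IPs from resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # skip malformed entries rather than crash
    return servers


def classify_dns(servers: list, trusted: set) -> str:
    """Classify an ordered DNS server list against the Switcher pattern.

    trusted: resolvers the router is expected to hand out (ISP or own).
    """
    if not servers:
        return "no-dns"
    primary, backups = servers[0], set(servers[1:])
    if primary in SWITCHER_DNS_IOCS or backups & SWITCHER_DNS_IOCS:
        return "known-switcher-dns"
    if primary not in trusted and backups & GOOGLE_PUBLIC_DNS:
        # Unknown primary plus Google fallback is exactly the failsafe layout
        # the report describes; treat it as a hijack until verified.
        return "suspicious-unknown-primary-with-google-backup"
    if primary not in trusted:
        return "unknown-primary"
    return "ok"


# Constructed sample: what a laptop on a hijacked network might hold.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
nameserver 192.0.2.10
nameserver 8.8.8.8
"""

if __name__ == "__main__":
    found = parse_nameservers(SAMPLE_RESOLV_CONF)
    print(found, classify_dns(found, trusted={"192.168.1.1"}))
```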
Kaspersky recommends that users check their DNS settings for the following IP addresses associated with the Switcher malware campaign:
Creating stronger router admin passwords will also defend against this difficult-to-detect threat, Buchka confirmed.