Switcher Android Trojan: A New Threat to Wi-Fi Networks

Switcher Android Trojan

As mobile security continues to be a growing concern, new forms of malware such as the Switcher Android Trojan keep emerging. Switcher does not attack the phone itself; it targets the Wi-Fi router the phone is connected to. It brute-forces the router's admin interface with a list of default credentials, rewrites the router's DNS settings, and thereby affects every device that joins the compromised network.

Discovered by researchers at Kaspersky Lab, Switcher represents a class of threats that do not attack Android devices directly but use them as a foothold into wireless networks. Once the router is compromised, the attackers can route name resolution for the whole network through rogue DNS servers, which lets them stage phishing, traffic interception or malware distribution against every user on the infected network.

How Does the Switcher Android Trojan Work?

Switcher's logic is simple but effective: it targets the wireless router and rewrites its DNS configuration. Below is a breakdown of how the malware operates:

Step 1: Initial Infection

Switcher spreads through fake applications that imitate legitimate ones. The known variants pose as:

  • A fake Baidu app: a counterfeit client for the popular Chinese search engine.
  • A Wi-Fi sharing app: a clone of an app for sharing Wi-Fi login credentials, a category of app that is risky in itself.

Once installed on a user's device, the malware does not attack the Android system itself. Instead, it goes after the Wi-Fi router the device is currently connected to, attacking it from inside the local network, where the router's admin interface is normally reachable.

Step 2: Brute-Force Attack on Routers

The Trojan attempts to log in to the router's web admin interface using a built-in list of default and commonly used username/password combinations; its login logic is written for TP-LINK routers' admin pages. This works far more often than it should, because many users never change the credentials the manufacturer ships.

Step 3: Altering DNS Settings

Once Switcher has logged in to the router:

  • It rewrites the router's DNS settings so that the primary DNS server is one controlled by the attackers. Kaspersky Lab reported that the Trojan sets a legitimate public resolver as the secondary, so name resolution keeps working, and nothing looks broken, if the rogue server goes down.
  • DNS (the Domain Name System) maps domain names to IP addresses. Whoever controls the resolver can answer with an attacker-chosen address for any name, silently steering clients away from the real site.

Step 4: Exploiting the Network

After the DNS settings have been modified, every device that takes its DNS configuration from the router is exposed to:

  • Phishing attacks: Users attempting to visit legitimate websites may be redirected to fake pages designed to steal personal information, such as login credentials or credit card details.
  • Data interception: Connections steered to attacker-controlled servers can be read or modified in transit. DNS hijacking alone does not hand the attacker the rest of the network's traffic; it exposes the connections it redirects.
  • Malware distribution: Users could unknowingly download malware or ransomware from what appears to be a legitimate site or update server.
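The mechanism behind Step 2 is nothing more than trying a short list of factory logins against the router's admin page. The following is an added example, not Switcher's code and not from Kaspersky Lab: it implements that check as an audit you can run against your own router's HTTP Basic-auth admin interface, and includes a constructed mock "router" on loopback so it runs offline. The credential list is a constructed sample (the real Trojan ships its own), and the mock accepts admin:admin by assumption.

```python
"""Default-credential audit against an HTTP Basic-auth router admin page.

Added example, not Switcher's code: it shows the Step 2 mechanism (trying a
list of factory logins against the admin interface) as a check for your own
router. The credential list and the mock router are constructed for the demo.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample of factory defaults (assumed; the real Trojan ships its own list).
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("admin", "123456"),
    ("admin", ""),
    ("root", "root"),
]


def _basic_auth_header(username, password):
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def try_login(base_url, username, password, timeout=3.0):
    """Return True if the admin page accepts username:password over HTTP Basic auth."""
    req = Request(base_url, headers={"Authorization": _basic_auth_header(username, password)})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except HTTPError as err:
        if err.code in (401, 403):      # credentials rejected, keep trying
            return False
        raise                            # anything else is a real error


def audit_default_credentials(base_url, credentials=DEFAULT_CREDENTIALS):
    """Return the first (username, password) pair the router accepts, or None if all fail."""
    for username, password in credentials:
        if try_login(base_url, username, password):
            return (username, password)
    return None


class _FakeRouterAdmin(BaseHTTPRequestHandler):
    """Constructed stand-in for a router admin page still on factory credentials."""
    ACCEPTED = _basic_auth_header("admin", "admin")   # assumed factory login

    def do_GET(self):
        if self.headers.get("Authorization") == self.ACCEPTED:
            body, status = b"<html>Router status page</html>", 200
        else:
            body, status = b"Unauthorized", 401
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="Router"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo output quiet
        pass


def start_fake_router():
    """Start the mock admin page on a loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeRouterAdmin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"


if __name__ == "__main__":
    server, url = start_fake_router()
    try:
        print("accepted:", audit_default_credentials(url))   # accepted: ('admin', 'admin')
    finally:
        server.shutdown()
        server.server_close()
```

Point audit_default_credentials at your own router's admin URL (for example http://192.168.0.1/) to see whether any entry in the list still works; a non-None result is the condition Switcher relies on. Real routers that use a login form instead of Basic auth need the request adapted, and many lock the interface for a while after a few failures, so keep the list short.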

Impact of Switcher Trojan on Devices

Even though the Trojan only touches the router, the impact extends to every device on that network. Key consequences:

  • Data theft: Sensitive information sent to attacker-controlled hosts may be captured.
  • Redirected browsing: Users may be tricked into visiting phishing sites that look like legitimate services, leading to identity theft or financial loss.
  • Device infections: Switcher itself does not infect the other devices, but the hijacked DNS lets the attackers serve malware to them under the name of a site or update server they trust.

DNS Hijacking: How the Switcher Trojan Controls Traffic

The Domain Name System (DNS) is essential for translating user-friendly domain names into machine-readable IP addresses. By hijacking the DNS settings of a router, Switcher can redirect users to malicious websites without their knowledge. This is the crux of the attack and the reason it is so dangerous. One limit is worth knowing: a rogue resolver can send a browser to the wrong server, but it cannot give that server a valid certificate for the real domain, so on HTTPS sites the redirect produces a certificate warning (and is blocked outright where HSTS is in effect). Plain-HTTP sites, apps that skip certificate validation, and users who click through warnings remain fully exposed.

What is DNS Hijacking?

DNS hijacking, also known as DNS redirection, occurs when an attacker changes the DNS settings of a router or device to point to rogue DNS servers. Once this happens, users trying to access legitimate websites are instead sent to malicious sites.

Consequences of DNS Hijacking

DNS hijacking allows attackers to:

  • Redirect traffic to phishing sites.
  • Control network traffic for spying on communications.
  • Distribute malware disguised as legitimate downloads or updates.

In the case of Switcher, the Trojan alters the DNS settings of compromised routers, exposing all devices connected to that network to potential attacks.

Detecting and Preventing a Switcher Trojan Infection

Identifying whether your network has been compromised by Switcher is crucial for mitigating further damage. Here’s how you can detect and prevent this type of attack:

  • Check Your Router’s DNS Settings: The quickest check is to look at the DNS servers configured on the router, and at the DNS servers it hands to your devices over DHCP (ipconfig /all on Windows; /etc/resolv.conf or resolvectl status on Linux). According to Kaspersky Lab, if the router points at any of the following IP addresses, its DNS has been hijacked by Switcher:
    • 101.200.147.153
    • 112.33.13.11
    • 120.76.249.59
  • Change Router Default Credentials: One of the primary reasons Switcher can compromise routers is the widespread use of default credentials. To protect your router:
    • Change the default username and password.
    • Implement strong, unique passwords that cannot easily be guessed or brute-forced.
  • Regularly Update Router Firmware: Many attacks exploit vulnerabilities in outdated firmware. Keep your router’s firmware updated to the latest version, as updates often include patches for known security vulnerabilities.
  • Use Two-Factor Authentication (2FA): Where the router supports it, enable 2FA for admin access; it keeps an attacker out even with the correct password. Most consumer routers do not offer it, and there the practical equivalents are a long, unique admin password, disabling administration from the WAN side, and restricting LAN-side admin access where the firmware allows.

How the Switcher Trojan Relates to Other Malware Attacks

The Switcher Android Trojan shares similarities with other DNS-targeting malware such as DNS Changer. DNS Changer is notorious for altering DNS settings on routers to redirect traffic, much like Switcher. The key difference is that Switcher primarily targets TP-LINK routers, whereas DNS Changer affected a wider range of devices, including D-Link, Netgear, and Pirelli models.

Contact Cyber Security Hive for Expert Mobile and Network Security Services

If you’re concerned about the security of your network or mobile devices, Cyber Security Hive offers comprehensive services to help protect your digital assets. Whether you need penetration testing, mobile security assessments, or network vulnerability analysis, our team of experts is here to assist.

Contact us today at contactus@cybersecurityhive.com or +91-9901024214 to schedule a consultation.
