SWITCHER ANDROID TROJAN
A new Android Trojan, ‘Switcher’, brute-forces the default admin passwords of wireless routers in order to change their DNS server settings and so compromise every device connected to the network. Researchers at Kaspersky Lab reported their encounter with a new type of Android malware, which they call “Trojan.AndroidOS.Switcher” and which does almost exactly that: once it wakes up and determines it is on a targeted wireless network, the malware runs a brute-force attack against the local Wi-Fi router’s password.
If successful, the malware replaces the router’s default domain name system (DNS) servers with its own. From there, almost any kind of attack is possible against other devices or systems connected to that network, since their name lookups now go through the attacker’s resolver. Switcher attacks are primarily found in China and currently infect devices through two vectors. The first is a fake version of Baidu, a popular Chinese search engine. The second is an app used for sharing Wi-Fi login data (which just sounds like a bad idea to begin with). By the end of last year, there were 1,280 reported infected networks. That number is likely to climb.
A check of a router’s DNS settings is a quick and easy way to test for infection. If they point to any one of the following IP addresses, then you have a problem, Kaspersky warns:
●Widespread – The Trojan is distributed via fake versions of popular apps but, cunningly, does not attack hapless Android users directly. Instead, it uses them as tools to compromise insecure Wi-Fi routers, which in turn can be used to redirect traffic for fun and profit. Once a device is infected via one of the fake apps, Switcher tries to brute-force access to the Wi-Fi network’s router and then changes its DNS settings so that traffic from every device on the network is resolved by a rogue DNS server.
●DNS – The domain name system (DNS) maps domain names to machine-readable IP addresses, allowing users to reach websites through human-readable names rather than strings of numbers. This system is a fundamental building block of the web, and it also appears to be a system that can be leveraged to track Tor users.
The Domain Name System (DNS) is a central part of the Internet, providing a way to match names (the website you are seeking) to numbers (the address of that website). Anything connected to the Internet – laptops, tablets, mobile phones, websites – has an Internet Protocol (IP) address made up of numbers. Your favourite website might have an IP address like 22.214.171.124, but this is obviously not easy to remember. However, a domain name such as bestdomainnameever.com is something people can recognize and remember. DNS syncs up domain names with IP addresses, enabling humans to use memorable domain names while computers on the Internet use IP addresses.

According to the research team, it is possible to combine the monitoring of DNS requests with well-known fingerprinting techniques to create a new type of “DNS-enhanced website fingerprinting attack.”
The behaviour of Switcher is somewhat similar to that of DNSChanger, malware that has of late been repurposed as an exploit kit. A recent campaign observed by Proofpoint targeted wireless routers and changed their DNS entries in order to steal traffic. In that instance, routers made by D-Link, Netgear, Pirelli and Comtrend were vulnerable. According to Kaspersky’s Buchka, the hardcoded names of the input fields and the structure of the HTML documents that the Switcher Trojan tries to access suggest it may work only against the web interfaces of TP-LINK Wi-Fi routers.
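The DNS check recommended above is easy to automate. As an added example, not code from the article or from Kaspersky, the following Python script pulls the resolver addresses out of a router’s DNS status dump (or a client’s resolv.conf) and flags any that match a list of known-rogue resolvers or that fall outside the resolvers the network is expected to use. The rogue addresses Kaspersky published are not reproduced here: the entries in KNOWN_ROGUE_DNS are TEST-NET placeholders to be replaced with the ones from the advisory, the EXPECTED_DNS allowlist is hypothetical, and both sample dumps are constructed.

```python
import ipaddress
import re

# Placeholder values: Kaspersky's published rogue resolver addresses are not
# reproduced here. These are TEST-NET (documentation) addresses; replace them
# with the ones from the advisory before running this against a real network.
KNOWN_ROGUE_DNS = {"192.0.2.10", "192.0.2.11"}

# Hypothetical allowlist: the public resolvers this network is expected to use.
EXPECTED_DNS = {"1.1.1.1", "8.8.8.8"}

# RFC 1918 ranges: a LAN address here is normally the router itself acting as
# a forwarder, which is how most home networks are set up.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
DNS_LINE_RE = re.compile(r"nameserver|dns", re.IGNORECASE)


def parse_nameservers(config_text: str) -> list[str]:
    """Return the IPv4 addresses found on DNS-related lines of a config or
    status dump ('nameserver X' in resolv.conf, 'Primary DNS: X' on a router
    status page). Comments after '#' are stripped, malformed addresses are
    skipped, and the original order is kept with duplicates removed."""
    servers: list[str] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0]
        if not DNS_LINE_RE.search(line):
            continue
        for candidate in IPV4_RE.findall(line):
            try:
                ip = str(ipaddress.IPv4Address(candidate))
            except ipaddress.AddressValueError:
                continue  # e.g. 999.1.1.1 matches the regex but is not an address
            if ip not in servers:
                servers.append(ip)
    return servers


def classify(ip: str, expected=EXPECTED_DNS, rogue=KNOWN_ROGUE_DNS) -> str:
    """Label one resolver address. The rogue list is checked first so a rogue
    entry can never be masked by a later, more permissive rule."""
    addr = ipaddress.IPv4Address(ip)
    if ip in rogue:
        return "KNOWN_ROGUE"
    if ip in expected:
        return "expected"
    if any(addr in net for net in RFC1918):
        return "lan"
    return "UNEXPECTED_PUBLIC"


def audit(config_text: str, expected=EXPECTED_DNS, rogue=KNOWN_ROGUE_DNS) -> dict[str, str]:
    """Map every resolver found in the dump to its label."""
    return {ip: classify(ip, expected, rogue) for ip in parse_nameservers(config_text)}


def is_hijacked(report: dict[str, str]) -> bool:
    """Treat any known-rogue or unexpected public resolver as a hit. An
    unexpected public resolver still deserves a look even when it is not on
    the rogue list, because that list is only as current as the advisory."""
    return any(label in ("KNOWN_ROGUE", "UNEXPECTED_PUBLIC") for label in report.values())


# Constructed sample of a router WAN/DNS status page saved as text.
SAMPLE_ROUTER_DUMP = """\
WAN IP Address: 203.0.113.45   # not a DNS line, ignored
Gateway: 203.0.113.1
Primary DNS: 192.0.2.10
Secondary DNS: 8.8.8.8
"""

# Constructed resolv.conf from a client that simply uses the router.
CLEAN_CLIENT_RESOLV = "nameserver 192.168.0.1\n"

if __name__ == "__main__":
    for name, text in (("router", SAMPLE_ROUTER_DUMP), ("client", CLEAN_CLIENT_RESOLV)):
        report = audit(text)
        print(name, report, "HIJACK SUSPECTED" if is_hijacked(report) else "ok")
```

On the constructed router dump the primary resolver is reported as KNOWN_ROGUE and the run ends with "HIJACK SUSPECTED"; the clean client file resolves only through the LAN gateway and passes. A client-side check alone is not sufficient, because a client whose resolv.conf points at the router still inherits whatever upstream resolvers the router has been switched to, so the router's own WAN/DNS page is the setting to inspect.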