Switcher Android Trojan Hacks TP-Link Routers

Malware, Threat

Security researchers have identified a new Android trojan, named Switcher, that uses an infected Android device to break into the wireless router the device is connected to and then interferes with the internet traffic passing through that router.

Instead of attacking the user's device directly, the trojan attacks the wireless router the device is connected to and performs DNS hijacking. It was discovered by security researchers at Kaspersky Lab.

Switcher carries out a brute-force password-guessing attack against the Wi-Fi router's admin web interface in order to gain unauthorized access to TP-Link routers.

Once Switcher has admin access, it changes the DNS server addresses in the router's settings. As a result, DNS queries from every device on the compromised Wi-Fi network are forwarded to the cyber criminals' rogue DNS servers.

Distributed through fake android apps

In its first appearance, the trojan was distributed to Chinese users through a pair of fake Android applications.

The first is an Android app disguised as a mobile client for the Chinese search engine Baidu. When a user opens it, it simply redirects to the genuine http://m.baidu.com. There is nothing malicious about the redirect or about searching through the fake app; the damage is done by the code the app carries, which works in the background to break into whatever Wi-Fi router the user is connected to.

The second is a well-made fake version of a popular Chinese app (com.snda.wifilocating) for sharing details and passwords of public and private Wi-Fi networks. Such information is used mainly by business travellers to connect to public Wi-Fi networks.

The attackers set up a website to distribute the fake version of com.snda.wifilocating. The same web server also serves as the command-and-control (C&C) server.

Built-in set of credentials to access Wi-Fi routers

Once the infected Android device connects to a Wi-Fi router, the trojan activates and sends basic information about the network, such as the ISP name and SSID, to its command-and-control server. The C&C server then decides which of the three rogue DNS IP addresses at its disposal should be used.

One of these addresses is later configured as the DNS server on the compromised Wi-Fi router.

Switcher has a built-in list of credentials that it tries against the Wi-Fi router the device is connected to. When one of them succeeds, the trojan changes the router's DNS server address to one of its own rogue DNS IPs.

DNS resolves the human-readable name of a website into the IP address that is used for communication on the network.

Controlling DNS gives the attackers almost full control over the network's traffic. Their DNS server can return a wrong IP address for a legitimate website, so they can redirect users to fake banking websites that record banking credentials, or to sites full of pop-ups and ads.

A valid recommendation

Kaspersky Lab recommends that all users check their router's DNS settings and make sure none of the rogue DNS addresses is present. The researchers also advise anyone who owns a Wi-Fi router to change its admin credentials.
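As an added illustration of the DNS hijacking described above and of the recommended check (example code written for this page, not Switcher's code or Kaspersky's), the following Python script builds DNS queries and responses in wire format, answers them with an honest resolver and with a rogue resolver of the kind the trojan installs, and compares the two. The domain names, zone data and IP addresses (bank.example, news.example, 203.0.113.x, 198.51.100.66) are constructed placeholders, not addresses from the report. The rogue resolver deliberately answers every other name correctly, which is why a hijack like this is hard to notice from the user's side; comparing answers from the configured resolver against a trusted one is a client-side supplement to checking the router's DNS settings.

```python
"""DNS hijacking on the wire: honest vs. rogue resolver (constructed example)."""
import struct

# Constructed zone data. The rogue resolver only overrides the "interesting"
# name and answers everything else truthfully, so the user sees nothing odd.
HONEST_ZONE = {"bank.example": "203.0.113.10", "news.example": "203.0.113.20"}
ROGUE_OVERRIDES = {"bank.example": "198.51.100.66"}  # attacker-controlled host


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A query: header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def build_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Answer a query with a single A record; copies the question section back."""
    (txid,) = struct.unpack("!H", query[:2])
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1
    # Answer name is a compression pointer (0xC00C) back to the QNAME at offset 12.
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_name(msg: bytes, off: int):
    """Decode a (possibly compressed) DNS name; returns (name, next_offset)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            name, _ = parse_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        off += 1
        labels.append(msg[off:off + length].decode())
        off += length


def parse_response(msg: bytes) -> dict:
    """Return transaction id, queried name and the A-record addresses in the answer."""
    txid, _flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = parse_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        _name, off = parse_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"id": txid, "qname": qname, "answers": answers}


def honest_resolver(query: bytes) -> bytes:
    name, _ = parse_name(query, 12)
    return build_response(query, HONEST_ZONE[name])


def rogue_resolver(query: bytes) -> bytes:
    """What the router now points clients at: lies only about the targeted name."""
    name, _ = parse_name(query, 12)
    return build_response(query, ROGUE_OVERRIDES.get(name, HONEST_ZONE[name]))


def lookup(resolver, name: str) -> list:
    return parse_response(resolver(build_query(name)))["answers"]


def hijacked_names(names, configured, trusted) -> list:
    """Names whose answer from the configured resolver differs from a trusted one."""
    return [n for n in names if lookup(configured, n) != lookup(trusted, n)]


if __name__ == "__main__":
    for name in HONEST_ZONE:
        print(name, "honest:", lookup(honest_resolver, name), "rogue:", lookup(rogue_resolver, name))
    print("hijacked:", hijacked_names(HONEST_ZONE, rogue_resolver, honest_resolver))
```

Running it shows news.example resolving identically through both resolvers while bank.example comes back as the attacker's address from the rogue one; only the cross-check against a trusted resolver exposes the difference. In a real deployment the trusted side would be a resolver reached over an authenticated channel rather than an in-process zone, and the compromised resolver could also choose to lie selectively by client or by time, so a clean comparison does not prove the router is clean.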