Wi-Fi hijacker Trojan masquerades as Android apps

Switcher Trojan can hack your router's DNS requests

Hackers

A Trojan posing as a number of Android apps has been discovered in the wild, capable of hacking Wi-Fi routers and hijacking DNS requests, according to security firm Kaspersky.

Disguised as legitimate Android apps, the Switcher Trojan is able to trick users into submitting personal details by displaying fake webpages masquerading as regular sites.

This new technique involves intercepting daily internet navigation requests by targeting vulnerable Wi-Fi routers, instead of hacking a device directly.

Once a malicious app is downloaded to a device, the Trojan can redirect users to malicious websites by intervening in the process of typing a website's domain name, and the domain name server returning the actual address.

Kaspersky explains: "When you enter google.com, the respective DNS server returns the IP address 87.245.200.153 that is where you are effectively being directed. The thing is, malefactors can create their own DNS server that returns another IP address (say, 6.6.6.6) in response to your "google.com" request, and that address might host a malicious website. This method is called DNS hijacking."

Here's how a normal DNS request would work:

And this is what a DNS request looks like after a Switcher hijack:

So how does it get onto your device in the first place? Switcher's developers created a couple of Android apps, one of which imitates Chinese web search app Baidu, while another pretends to be a public Wi-Fi password search app; both are popular in China.

Anybody downloading these apps installs the Switcher Trojan, which then confirms its installation to a command and control server, before brute forcing the victim's Wi-Fi router.

Gaining access to a router allows the Trojan to change the default DNS settings to a malicious address, meaning users searching for Google will instead be directed to a rogue site.

As a final flourish, a legitimate secondary default DNS address is set so that if the rogue server goes down, users will have no idea that any settings were changed.

Kaspersky security experts were able to access Switcher Trojan statistics, which were accidently left open on a public section of the server website. If correct, the Trojan has infected 1,280 networks in less than four months, granting snoopers access to all user traffic and any details entered into malicious websites.

The security firm recommends that, as always, changing the default settings of routers is the most reliable way of preventing these kinds of attacks. Default credentials supplied with every network router are often left unchanged by the user, something that has been exploited by hackers creating IoT botnets for massive DDoS attacks in 2016.

Kaspersky has also warned users to stay clear of suspicious apps on mobile devices and install reputable antivirus software for added protection.

Pictures courtesy of Kaspersky Lab

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Leading the data race

The trends driving the future of data science

Download now

How to create 1:1 customer experiences at scale

Meet the technology capable of delivering the personalisation your customers crave

Download now

How to achieve daily SAP releases

Accelerate the pace of SAP change to support your digital strategy

Download now

Recommended

What is a Trojan?
Security

What is a Trojan?

15 Jun 2020
Your essential guide to internet security
Security

Your essential guide to internet security

23 Sep 2020
Best free malware removal tools 2020
Security

Best free malware removal tools 2020

21 Sep 2020
'NetWalker' ransomware explodes thanks to 'as a service' expansion
ransomware

'NetWalker' ransomware explodes thanks to 'as a service' expansion

4 Sep 2020

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
Windows XP source code allegedly leaked online
Microsoft Windows

Windows XP source code allegedly leaked online

25 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020