Wi-Fi hijacker Trojan masquerades as Android apps

Switcher Trojan can hack your router's DNS requests

Hackers

A Trojan posing as a number of Android apps has been discovered in the wild, capable of hacking Wi-Fi routers and hijacking DNS requests, according to security firm Kaspersky.

Disguised as legitimate Android apps, the Switcher Trojan is able to trick users into submitting personal details by displaying fake webpages masquerading as regular sites.

This new technique involves intercepting daily internet navigation requests by targeting vulnerable Wi-Fi routers, instead of hacking a device directly.

Once a malicious app is downloaded to a device, the Trojan can redirect users to malicious websites by intervening in the process of typing a website's domain name, and the domain name server returning the actual address.

Advertisement
Advertisement - Article continues below

Kaspersky explains: "When you enter google.com, the respective DNS server returns the IP address 87.245.200.153 that is where you are effectively being directed. The thing is, malefactors can create their own DNS server that returns another IP address (say, 6.6.6.6) in response to your "google.com" request, and that address might host a malicious website. This method is called DNS hijacking."

Here's how a normal DNS request would work:

And this is what a DNS request looks like after a Switcher hijack:

So how does it get onto your device in the first place? Switcher's developers created a couple of Android apps, one of which imitates Chinese web search app Baidu, while another pretends to be a public Wi-Fi password search app; both are popular in China.

Anybody downloading these apps installs the Switcher Trojan, which then confirms its installation to a command and control server, before brute forcing the victim's Wi-Fi router.

Gaining access to a router allows the Trojan to change the default DNS settings to a malicious address, meaning users searching for Google will instead be directed to a rogue site.

As a final flourish, a legitimate secondary default DNS address is set so that if the rogue server goes down, users will have no idea that any settings were changed.

Kaspersky security experts were able to access Switcher Trojan statistics, which were accidently left open on a public section of the server website. If correct, the Trojan has infected 1,280 networks in less than four months, granting snoopers access to all user traffic and any details entered into malicious websites.

The security firm recommends that, as always, changing the default settings of routers is the most reliable way of preventing these kinds of attacks. Default credentials supplied with every network router are often left unchanged by the user, something that has been exploited by hackers creating IoT botnets for massive DDoS attacks in 2016.

Kaspersky has also warned users to stay clear of suspicious apps on mobile devices and install reputable antivirus software for added protection.

Advertisement
Advertisement - Article continues below

Pictures courtesy of Kaspersky Lab

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/security/30081/what-is-a-trojan-virus
Security

What is a Trojan?

14 Aug 2019
Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/antivirus/28144/best-antivirus
antivirus

Best antivirus for Windows 10

3 Sep 2019
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

8 Mar 2019

Most Popular

Visit/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019
Visit/business/business-strategy/354195/where-modernisation-and-sustainability-meet-a-tale-of-two
Sponsored

Where modernisation and sustainability meet: A tale of two benefits

25 Nov 2019