Wi-Fi hijacker Trojan masquerades as Android apps

Switcher Trojan can hack your router's DNS requests

Hackers

A Trojan posing as a number of Android apps has been discovered in the wild, capable of hacking Wi-Fi routers and hijacking DNS requests, according to security firm Kaspersky.

Disguised as legitimate Android apps, the Switcher Trojan is able to trick users into submitting personal details by displaying fake webpages masquerading as regular sites.

This new technique involves intercepting daily internet navigation requests by targeting vulnerable Wi-Fi routers, instead of hacking a device directly.

Once a malicious app is downloaded to a device, the Trojan can redirect users to malicious websites by intervening in the process of typing a website's domain name, and the domain name server returning the actual address.

Kaspersky explains: "When you enter google.com, the respective DNS server returns the IP address 87.245.200.153 that is where you are effectively being directed. The thing is, malefactors can create their own DNS server that returns another IP address (say, 6.6.6.6) in response to your "google.com" request, and that address might host a malicious website. This method is called DNS hijacking."

Here's how a normal DNS request would work:

And this is what a DNS request looks like after a Switcher hijack:

So how does it get onto your device in the first place? Switcher's developers created a couple of Android apps, one of which imitates Chinese web search app Baidu, while another pretends to be a public Wi-Fi password search app; both are popular in China.

Anybody downloading these apps installs the Switcher Trojan, which then confirms its installation to a command and control server, before brute forcing the victim's Wi-Fi router.

Gaining access to a router allows the Trojan to change the default DNS settings to a malicious address, meaning users searching for Google will instead be directed to a rogue site.

As a final flourish, a legitimate secondary default DNS address is set so that if the rogue server goes down, users will have no idea that any settings were changed.

Kaspersky security experts were able to access Switcher Trojan statistics, which were accidently left open on a public section of the server website. If correct, the Trojan has infected 1,280 networks in less than four months, granting snoopers access to all user traffic and any details entered into malicious websites.

The security firm recommends that, as always, changing the default settings of routers is the most reliable way of preventing these kinds of attacks. Default credentials supplied with every network router are often left unchanged by the user, something that has been exploited by hackers creating IoT botnets for massive DDoS attacks in 2016.

Kaspersky has also warned users to stay clear of suspicious apps on mobile devices and install reputable antivirus software for added protection.

Pictures courtesy of Kaspersky Lab

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Recommended

Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
What is a Trojan?
Security

What is a Trojan?

27 Aug 2021

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

30 Nov 2021
What is single sign-on (SSO)?
single sign-on (SSO)

What is single sign-on (SSO)?

2 Dec 2021