Android Switcher Trojan Attempts to Hijack Router DNS Settings

Users of the mobile Android operating system have seen their fair share of cyber threats throughout 2016. The year 2017 is not off to a great start either, as security researchers uncovered a new Trojan that affects most WiFi routers. By doing so, the developers can redirect WiFi users to malicious websites and networks, allowing them to capture credentials and gain remote access to mobile devices.

Switcher Trojan Is A New Android Threat

Kaspersky Lab researchers discovered this new Android malware strain late in 2016. Immediately, it became apparent that the Trojan is not targeting users directly, but merely seeks to turn them into accomplices of future crimes. By hijacking WiFi routers, unsuspecting users can be funneled to nefarious websites hosting malware and other malicious content.

So far, two different types of the Trojan Switcher malware have been identified. Both types pose an equally significant threat, resulting in over 1,250 wireless networks being hijacked already. Interestingly enough, the majority of these systems are located in China, although that does not mean this Android malware cannot cause havoc in other parts of the world.

One type of this malware masks itself as a mobile app for the Baidu search engine. Another type shows up within an app that locates and shares WiFi login information. As soon as either version of the Switcher Trojan is installed on a mobile device, it will immediately start attacking the router. By using a brute-force password guessing attack on the admin web interface, it is only a matter of time until security is breached.

As soon as the malware bypasses the router’s security, it will then swap out DNS server addresses and replace them with a rogue server’s credentials. Any query made through a network-connected device will be re-routed to attackers’ servers, making Internet users vulnerable to phishing, malware, and other cyber attacks.

However, there is a silver lining in this story. Whoever developed the Android Switcher Trojan has been rather sloppy when it comes to setting up the command and control platform. Infection statistics are publicly visible, which is not a sign of professional coding by any means. It is possible the malware developers just want to show off their skills, though.

The Switcher Trojan shares some traits with DNSChanger, another type of malware that has seen a resurgence as of late. Targeting wireless routers and changing DNS servers is a criminal activity that usually goes by unnoticed. Stealing traffic allows assailants to carry out all kinds of mischief, without the device owner being aware of what is going on exactly.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.