The malware known as Switcher sends Android users down the wrong track, changing the settings on victims' routers so users are sent to malicious websites.

A newly discovered Android trojan can sabotage entire Wi-Fi networks and the users who connect to them by accessing the router that an infected device is communicating with and executing a Domain Name System (DNS) hijack attack.

According to Kaspersky Lab on Wednesday via its Securelist blog, the malware, named Switcher, uses a compromised Android device to pull up the local router's admin interface, and then attempts to gain top-level privileges by executing a brute-force attack that guesses commonly used or default log-in credentials. If successful, the malware opens the router's WAN settings and changes the IP address of the primary DNS server to that of a rogue one operated by the cybercriminals behind the campaign.

Consequently, future queries on this router's Wi-Fi network will be processed through the fake DNS server, which redirects traffic to malicious or fraudulent websites, likely for the purpose of serving up phishing scams, additional malware, and advertisements (the exact destinations are not publicly known at this time). Worse, in many cases, the attack will impact all devices that are connected to the Wi-Fi network, not just the device that was originally infected, the report warns.

The Kaspersky report noted that the brute-force attack is executed using JavaScript code specifically designed to work with the web interfaces of Wi-Fi routers manufactured by TP-Link. Asked why the attackers trained their sights on TP-Link, Kaspersky mobile security expert and blog post author Nikita Buchka cited the popularity of the company's router devices. However, "Cybercriminals are able to add code that will attack the devices of... other vendors, if they need to," Buchka added in an email interview with SC Media. "There are no limitations."

SC Media has reached out to Shenzhen, China-based TP-Link for comment.

Based on the two versions of Switcher observed in the wild, the malware – discovered on December 20 – specifically targets Chinese users of Android devices. The first variation arrives in the guise of a mobile client for the Chinese search engine Baidu; the second is distributed via a phony version of a Chinese mobile app that is popular with business travelers and allows users to share information about Wi-Fi locations.

The fake app, which can be downloaded from a malicious third-party website set up by Switcher's distributors, is a "good place to hide malware targeting routers, because users of such apps usually connect with many Wi-Fi networks, thus spreading the infection," Buchka explains in his blog post.

In his post, Buchka noted that the malicious changes to an affected router's settings will persist even after a reboot. Moreover, the malware establishes a second, back-up DNS address using Google's public DNS service, in case its malicious servers go down at any point. This failsafe gives the cybercriminal infrastructure more stability and defends against user discovery because victims will not receive an alert if the primary server is disabled.

Kaspersky recommends that users check their DNS settings for the following IP addresses associated with the Switcher malware campaign:

  • 101.200.147.153
  • 112.33.13.11
  • 120.76.249.59

Creating stronger router admin passwords will also defend against this difficult-to-detect threat, Buchka confirmed.
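The DNS check recommended above can be scripted. The following is an added example, not code from Kaspersky or from the original article: it parses resolv.conf-style text and flags the three listed addresses, plus the rogue-primary-with-Google-fallback pattern the article describes. The function names and sample inputs are constructed for illustration, and the Google Public DNS addresses (8.8.8.8, 8.8.4.4) are supplied here rather than taken from the article.

```python
import ipaddress

# Rogue DNS servers listed in the article (Switcher campaign indicators).
SWITCHER_DNS = {"101.200.147.153", "112.33.13.11", "120.76.249.59"}
# Google Public DNS; the article says the malware sets it as the backup.
GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}

def parse_nameservers(resolv_text):
    """Return resolver IPs, in configured order, from resolv.conf-style text."""
    servers = []
    for raw in resolv_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # ignore malformed addresses
    return servers

def audit_dns(servers):
    """Return a list of findings for an ordered list of resolver IPs."""
    findings = []
    for pos, ip in enumerate(servers, start=1):
        if ip in SWITCHER_DNS:
            findings.append(f"resolver #{pos} ({ip}) is a listed Switcher DNS server")
    rogue_primary = bool(servers) and servers[0] in SWITCHER_DNS
    if rogue_primary and any(s in GOOGLE_DNS for s in servers[1:]):
        findings.append("rogue primary with Google Public DNS fallback (Switcher pattern)")
    return findings

# Constructed sample inputs, not captured from a real network.
CLEAN_SAMPLE = "nameserver 192.168.1.1\n"
HIJACKED_SAMPLE = (
    "# constructed example of a hijacked configuration\n"
    "nameserver 101.200.147.153\n"
    "nameserver 8.8.8.8\n"
)

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_SAMPLE), ("hijacked", HIJACKED_SAMPLE)):
        results = audit_dns(parse_nameservers(text))
        print(name, "->", results or "no listed Switcher resolvers")
```

If a client only shows the router's own address as its resolver, the router is proxying DNS, and the addresses to audit are the ones on the router's WAN settings page.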