There’s a new type of threat on the Internet – it’s a Trojan that’s called Trojan.AndroidOS.Switcher and it’s designed to attack WiFi routers. Once the process is finished, all the people that use this network start getting redirected to malicious webpages. Trojan.AndroidOS.Switcher doesn’t make anyone an object of its attack – it’s a lot more interested in making your router a host so it could spread further. Your DNS servers get changed to ones that a Trojan needs – which are controlled by people behind it. From that point on, everything starts.
The threat was discovered by Kaspersky Lab and, as Nikita Buchka, who’s a mobile malware analyst in the company, reports, it has already affected 1280 wireless networks. It’s also said that Trojan.AndroidOS.Switcher has two different versions – both of those have been used in the attack on the networks. One of them disguises itself as a mobile application for Baidu – one of the most popular Chinese websites. The other one is presented as a tool that can help you locate and share WiFi login information. But the result stays the same either way – as soon as Trojan.AndroidOS.Switcher is downloaded, it infects the router and overtakes it.
This is achieved by a brute-force attack which is designed to guess the password. The trojan launches a brute-force attack with the following predefined list of standard logins and passwords:
Once the trojan succesfully gets access to the admin interface of the router, the queries of your router go to the attacker’s servers. This makes your Internet connection vulnerable to phishing, malware and redirects. Kaspersky Lab warns that cybercriminals receive total control over everything that relates to your connection – including the Internet traffic. This becomes possible due to routers giving their settings to all the devices that are a part of the network. In other words – each device starts using the DNS that’s controlled by con artists.
The developers of Trojan.AndroidOS.Switcher have certainly done everything to make their creation as malicious as possible. But they, for some reason, didn’t do anything to hide a table which contains all the information about the infection. Whether it was done on purpose or not is another question, but this is where the information about 1280 Chinese networks comes from. It also says that those results have been achieved in just a few weeks.
Nikita Buchka advises to check the DNS settings of your router. If you see 220.127.116.11, 18.104.22.168 and 22.214.171.124, then your router is infected. And even if it’s not, you’re strongly recommended to change your login and password.
In November, some users in Germany were attacked by Mirai which is a malware responsible for making Twitter and Spotify go offline in October. Their routers didn’t have any weaknesses with logins or passwords, but port 7547, which Internet service providers use for managing the device from a distance, was opened.
In some ways, Trojan.AndroidOS.Switcher is similar to DNSChanger which is used as an exploit kit nowadays. Proofpoint reported about the campaign that had a goal of changing DNS entries in wireless routers, which was done with the purpose of stealing traffic. Comtrend, Pirelli, Netgear and D-Link routers fell victims to that campaign at the time. And, as Nikita Buchka says, it’s very probable that Trojan.AndroidOS.Switcher may only work with the routers made by TP-Link – there’s evidence suggesting that the hard-coded names of input fields and the structures of the HTML documents that this threat tries to get access to can only work within specific interfaces – in this case, the ones that are provided by TP-Link and their technology.