Tuesday, November 12, 2024
HomeMalwareSwitcher - Android Malware Seize Routers's DNS Settings

Switcher – Android Malware Seize Routers’s DNS Settings

Published on

Malware protection

Switcher – Android Malware Seize Routers’s DNS Settings: A new Android Trojan was identified by malware researchers at Kaspersky Lab’s.

This trojan is bit special instead of attacking the user, it attacks the wireless router that user is connected to and execute a DNS Robbery attack.

Malware AndroidOS Switcher, carry out a brute force attack on the router’s admin panel if the attacks succeeded then the malware can change the IP address of the DNS servers in the router.

- Advertisement - SIEM as a Service

By Changing the DNS servers attackers can re-route the traffic to servers operated by cyber criminals. This process of overthrow is referred as DNS-hijacking.

How Switcher Performs Its Brute-force Attacks

As per Kaspersky lab’s to date, they have identified two versions of trojans.

acdb7bfebf04affd227c93c97df536cf; package name – com.baidu.com
64490fbecefa3fcdacd41995887fe510; package name – com.snda.wifi

The first version (com.baidu.com), impersonate itself as a mobile client for the Chinese search engine Baidu, simply opening a URL http://m.baidu.com inside the application.

The second version is a well-made imitation of a popular Chinese app (http://www.coolapk.com/apk/com.snda.wifilocating) for sharing information about Wi-Fi networks (including the security password) between users of the app.

Cyber criminals even created a website (though badly made) to advertise and distribute the aforementioned fake version of com.snda.wifilocating. The web server that hosts the site is also used by the malware authors as the command-and-control (C&C) server.

Switcher - Android Malware Seize Routers's DNS SettingsInfection Process Secrets Revealed

  • Trojan gets the Wireless access point of the network and informs the command and control server that the trojan is being activated in a network with this Wireless access point.
  • Then it tries to get the name of the ISP (Internet Service Provider) and uses that to determine which rogue DNS server will be used for DNS-hijacking.
  • There are three possible DNS servers – 101.200.147.153, 112.33.13.11 and 120.76.249.59; with 101.200.147.153 being the default choice, while the others will be chosen only for specific ISPs.
  • Launches a brute-force attack with the following predefined dictionary of logins and passwords:

admin:00000000, admin:admin, admin:123456, admin:12345678, admin:123456789, admin:1234567890, admin:66668888, admin:1111111, admin:88888888, admin:666666, admin:87654321, admin:147258369, admin:987654321, admin:66666666, admin:112233, admin:888888, admin:000000, admin:5201314, admin:789456123, admin:123123, admin:789456123, admin:0123456789, admin:123456789, admin:11223344, admin:123123123.

  • If this brute force attempt with admin interface is successful, the trojan navigates to the WAN settings and exchanges the primary DNS server for a rogue DNS controlled by the cyber criminals, and a secondary DNS with 8.8.8.8 (the Google DNS, to ensure ongoing stability if the rogue DNS goes down).
Switcher - Android Malware Seize Routers's DNS Settings
Switcher - Android Malware Seize Routers's DNS Settings
  • If the accomplishment successful with DNS addresses, the trojan report its success to the command-and-control (C&C) server.

One Word: Why It Is Bad

The domain name system (DNS) maps internet domain names to the internet protocol(IP).

Cybercriminals change the victim’s (which in our case is the router) TCP/IP settings to force it to make DNS queries to a DNS server controlled by them – a rogue DNS server.

Switcher - Android Malware Seize Routers's DNS Settings

You may ask – why does it matter: routers don’t browse websites, so where’s the risk? Unfortunately, the most common configuration for Wi-Fi routers involves making the DNS settings of the devices connected to it the same as its own, thus forcing all devices in the network to use the same rogue DNS. So, after gaining access to a router’s DNS settings one can control almost all the traffic in the network served by this router.

The cyber criminals were not cautious enough and left their internal infection statistics in the open part of the C&C website.

Switcher - Android Malware Seize Routers's DNS SettingsConclusion

The Trojan.AndroidOS.Switcher does not attack users directly. Instead, it targets the entire network, exposing all its users to a wide range of attacks – from phishing to secondary infection.

The main danger of such tampering with routers’ setting is that the new settings will survive even a reboot of the router, and it is very difficult to find out that the DNS has been hijacked.

Even if the rogue DNS servers are disabled for some time, the secondary DNS which was set to 8.8.8.8 will be used, so users and/or IT will not be alerted.

We recommend that all users check their DNS settings and search for the following rogue DNS servers:

  • 101.200.147.153
  • 112.33.13.11
  • 120.76.249.59

If you have one of these servers in your DNS settings, contact your ISP support or alert the owner of the Wi-Fi network.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

HookBot Malware Use Overlay Attacks Impersonate As Popular Brands To Steal Data

The HookBot malware family employs overlay attacks to trick users into revealing sensitive information...

ToxicPanda Banking Malware Attacking Banking Users To Steal Logins

Recent research has uncovered a new strain of malware developed for Android devices, initially...