New Android 'Switcher Trojan' infects Wi-Fi routers by changing DNS settings

The virus then redirects traffic from devices connected to the Wi-Fi network to websites controlled by attackers.

Published: 29 Dec 2016 | Last Updated: 29 Dec 2016
 

A new Android virus, which the cybersecurity firm Kaspersky Lab has named ‘Switcher Trojan’, has been discovered. The virus infects Android devices and uses them as a foothold to attack the Wi-Fi router they are connected to. It then changes the router’s DNS settings and starts redirecting traffic from every device on the Wi-Fi network to websites controlled and operated by the attackers, leaving users exposed to malware, phishing and adware attacks.

In practice, when a device looks up the IP address for a web address, the Switcher Trojan’s rogue DNS server answers the query instead of the legitimate one, giving the attackers complete control over the network’s activity. This works because devices connected to a Wi-Fi router usually take their DNS server settings from the router itself, so a change made on the router is pushed out to every device on the network.

According to Kaspersky, “The infection is spread by users downloading one of two versions of the Android Trojan from a website created by the attackers. The first version is disguised as an Android client of the Chinese search engine, Baidu, and the other is a well-made fake version of a popular Chinese app for sharing information about Wi-Fi networks.” The company adds that the rogue DNS configuration planted by the attackers also specifies a secondary DNS server as a backup, in case the primary rogue DNS goes down. “The Switcher Trojan marks a dangerous new trend in attacks on connected devices and networks. It does not attack users directly. Instead, it turns them into unwilling accomplices: physically moving sources of infection. The Trojan targets the entire network, exposing all its users, whether individuals or businesses, to a wide range of attacks - from phishing to secondary infection. A successful attack can be hard to detect and even harder to shift: the new settings can survive a router reboot, and even if the rogue DNS is disabled, the secondary DNS server is on hand to carry on. Protecting devices is as important as ever, but in a connected world we cannot afford to overlook the vulnerability of routers and Wi-Fi networks,” said Nikita Buchka, mobile security expert, Kaspersky Lab.

The company warns that all users should check their DNS settings and search for the following rogue DNS servers:

  • 101.200.147.153

  • 112.33.13.11

  • 120.76.249.59

If any of these servers are found in the DNS settings, users are advised to contact their Internet Service Provider and to change their login IDs and passwords.
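As an added example (not from the article or from Kaspersky), a small Python check that reads resolv.conf-style DNS settings, flags the three addresses above as rogue, and marks any other public resolver for review, since a client configured by the router over DHCP normally points at the router’s private LAN address. The parsing regex and the sample configuration are constructed here for illustration.

```python
import ipaddress
import re

# Rogue resolver addresses named in the Kaspersky advisory quoted above.
ROGUE_DNS = {"101.200.147.153", "112.33.13.11", "120.76.249.59"}

# Matches "nameserver <addr>" lines in resolv.conf-style text.
NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolvers(resolv_conf_text):
    """Extract nameserver addresses, in order, from resolv.conf-style text."""
    return NAMESERVER_RE.findall(resolv_conf_text)


def audit_resolvers(resolvers):
    """Classify each configured resolver address.

    Verdicts: 'rogue'   - matches a Switcher indicator listed in the article
              'review'  - public address; not an indicator, but not the LAN router either
              'ok'      - private or loopback address (typical DHCP-assigned router DNS)
              'invalid' - not a parseable IP address
    """
    verdicts = {}
    for addr in resolvers:
        if addr in ROGUE_DNS:
            verdicts[addr] = "rogue"
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            verdicts[addr] = "invalid"
            continue
        verdicts[addr] = "ok" if (ip.is_private or ip.is_loopback) else "review"
    return verdicts


def infected(verdicts):
    """True if any configured resolver is a known Switcher indicator."""
    return any(v == "rogue" for v in verdicts.values())


# Constructed sample: a rogue primary resolver with a public and a LAN fallback.
SAMPLE_RESOLV_CONF = """# constructed sample, as a DHCP client might write it
nameserver 101.200.147.153
nameserver 8.8.8.8
nameserver 192.168.1.1
"""

if __name__ == "__main__":
    result = audit_resolvers(parse_resolvers(SAMPLE_RESOLV_CONF))
    for addr, verdict in result.items():
        print(f"{addr:18} {verdict}")
    print("Switcher indicator present:", infected(result))
```

On a home network the check should be run on the router’s DNS configuration as well, since the article notes the rogue settings live on the router and survive a reboot.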

Adamya Sharma

Adamya Sharma sits among boys all day long listening to geek talk and wondering what the hell is she doing with her life.