A new Android OS virus has been discovered by cybersecurity firm, Kaspersky Lab, and the same is being termed as ‘Switcher Trojan’. The virus infects Android OS powered devices and uses them as tools to infect a user’s Wi-Fi router. It then changes the DNS settings of the router and starts redirecting traffic from the Wi-Fi connected devices to websites controlled and operated by attackers, making users vulnerable to malware, phishing and adware attacks.
What happens is that when an IP address is assigned to a web address, the Switcher Trojan hijacks the process and gives the attackers complete control over the network activity. This works because Wi-Fi routers usually change the DNS settings of all the devices connected to them, and reconfigure them to their own settings.
According to Kaspersky, “The infection is spread by users downloading one of two versions of the Android Trojan from a website created by the attackers. The first version is disguised as an Android client of the Chinese search engine, Baidu, and the other is a well-made fake version of a popular Chinese app for sharing information about Wi-Fi networks.” The company adds that the rogue DNS planted by attackers also has a secondary DNS as a backup, just in case the ongoing rogue DNS goes down. “The Switcher Trojan marks a dangerous new trend in attacks on connected devices and networks. It does not attack users directly. Instead, it turns them into unwilling accomplices: physically moving sources of infection. The Trojan targets the entire network, exposing all its users, whether individuals or businesses, to a wide range of attacks - from phishing to secondary infection. A successful attack can be hard to detect and even harder to shift: the new settings can survive a router reboot, and even if the rogue DNS is disabled, the secondary DNS server is on hand to carry on. Protecting devices is as important as ever, but in a connected world we cannot afford to overlook the vulnerability of routers and Wi-Fi networks,” said Nikita Buchka, mobile security expert, Kaspersky Lab.
The company warns that all users should check their DNS settings and search for the following rogue DNS servers:
If any of these servers are found in DNS settings, then it is recommended that users contact their Internet Service Providers and change login IDs, passwords.