This Android-infecting Trojan malware uses your phone to attack your router

Switcher Trojan reroutes your DNS to hand attackers information about every activity which takes place on the infected router.
Written by Danny Palmer, Senior Writer

The Switcher Trojan can use your Android phone to access all of your network traffic.

Image: iStock

A new form of Android Trojan malware is capable of attacking the routers controlling the wireless networks of its victims, thus leaving them vulnerable to further cyberattacks, fraud, and data theft.

Dubbed 'Switcher Trojan', the malware uses unsuspecting Android device users as tools to redirect all traffic from Wi-Fi connected devices on the network into the hands of cybercriminal attackers.

The researchers at Kaspersky Lab said this is the first time Android malware has been used to attack routers like this. The malware attempts to infiltrate the router's admin interface by using a long, predefined list of password and login combinations -- a task which is made easy if the router still uses easily crackable default credentials.

If the attack succeeds, Switcher alters the Domain Name Servers (DNS) settings of the router, making it possible to reroute DNS queries on the infected network onto a network controlled by the perpetrators.

This type of DNS-hijacking attack allows the perpetrators to monitor all traffic on the infected network, providing them with vast swathes of information which could be used to carry out other cybercriminal or malicious activities.

According to figures on the cybercriminals' command and control servers -- seemingly left open to view by accident -- 1,280 Wi-Fi networks have been infiltrated using Switcher Trojan, putting traffic of all users on those networks at risk of being accessible to hackers and cyber fraudsters. The bad news is, even if the attack is detected, it can be difficult to remove the infection, thanks to the backup servers.

"A successful attack can be hard to detect and even harder to shift: the new settings can survive a router reboot, and even if the rogue DNS is disabled, the secondary DNS server is on hand to carry on," says Kaspersky Lab cybersecurity researcher Nikita Buchka.

Switcher Trojan currently appears to be mainly restricted to targeting internet users in China, spreading itself in two different ways.

The first uses a modified URL to disguise itself as a mobile client for the Chinese search engine Baidu, while a second technique is based around a fake version of a popular Chinese mobile application for sharing information about networks between users.

In both cases, the malicious software is installed due to users downloading applications from third-party sources, rather than the official Google Play store.

One of the key methods to avoid becoming victim to this sort of attack is to change the default login and password your network router. Google had not responded to a request for comment at the time of publication.

Read more on cybercrime

Editorial standards