A new form of Android Trojan malware is capable of attacking the routers controlling the wireless networks of its victims, thus leaving them vulnerable to further cyberattacks, fraud, and data theft.
Dubbed 'Switcher Trojan', the malware uses unsuspecting Android device users as tools to redirect all traffic from Wi-Fi connected devices on the network into the hands of cybercriminal attackers.
The researchers at Kaspersky Lab said this is the first time Android malware has been used to attack routers like this. The malware attempts to infiltrate the router's admin interface by using a long, predefined list of password and login combinations -- a task which is made easy if the router still uses easily crackable default credentials.
If the attack succeeds, Switcher alters the Domain Name System (DNS) settings of the router, making it possible to reroute DNS queries from the infected network to servers controlled by the perpetrators.
This type of DNS-hijacking attack allows the perpetrators to monitor all traffic on the infected network, providing them with vast swathes of information which could be used to carry out other cybercriminal or malicious activities.
According to figures on the cybercriminals' command and control servers -- seemingly left open to view by accident -- 1,280 Wi-Fi networks have been infiltrated using Switcher Trojan, putting the traffic of all users on those networks at risk of being accessible to hackers and cyber fraudsters. The bad news is that, even if the attack is detected, it can be difficult to remove the infection, thanks to the backup DNS server.
"A successful attack can be hard to detect and even harder to shift: the new settings can survive a router reboot, and even if the rogue DNS is disabled, the secondary DNS server is on hand to carry on," says Kaspersky Lab cybersecurity researcher Nikita Buchka.
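One defender-side check that follows from this, as an added example (not code from Kaspersky Lab or the article): audit every resolver a client was handed, not just the first, against an allowlist and the local network ranges, so a rogue secondary server is not overlooked. The resolv.conf-style sample and the trusted-resolver list are constructed for the example.

```python
import ipaddress

# Constructed sample of resolver settings a client might receive via DHCP from a
# compromised router (resolv.conf style). The addresses are made up for this example.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 8.8.8.8
nameserver 198.51.100.23   # secondary: where a hijack can hide
options timeout:2
"""

# Public resolvers the operator has deliberately chosen (assumption: site-specific list).
TRUSTED_RESOLVERS = {"8.8.8.8", "1.1.1.1", "2001:4860:4860::8888"}

# Address ranges that legitimately belong to the local network (RFC 1918 plus IPv6 local).
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]


def parse_nameservers(text):
    """Return every nameserver entry in order, so the secondary is never skipped."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolver(addr, trusted=TRUSTED_RESOLVERS):
    """'trusted' (allowlisted), 'lan' (local range, e.g. the router itself) or 'rogue'."""
    if addr in trusted:
        return "trusted"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "rogue"          # unparseable entry: treat as suspicious, not ignored
    if any(ip in net for net in LAN_RANGES):
        return "lan"
    return "rogue"


def audit_resolvers(text, trusted=TRUSTED_RESOLVERS):
    """Classify all configured resolvers; a clean primary does not clear the others."""
    return [(addr, classify_resolver(addr, trusted)) for addr in parse_nameservers(text)]


def rogue_resolvers(text, trusted=TRUSTED_RESOLVERS):
    """Just the addresses that need investigating."""
    return [addr for addr, verdict in audit_resolvers(text, trusted) if verdict == "rogue"]


if __name__ == "__main__":
    for addr, verdict in audit_resolvers(SAMPLE_RESOLV_CONF):
        print(f"{addr:20} {verdict}")
```

Running the same audit against the router's own admin page after a reboot catches the case the researcher describes, where the changed settings persist.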
Switcher Trojan currently appears to be mainly restricted to targeting internet users in China, spreading itself in two different ways.
The first uses a modified URL to disguise itself as a mobile client for the Chinese search engine Baidu, while a second technique is based around a fake version of a popular Chinese mobile application for sharing information about networks between users.
In both cases, the malicious software is installed due to users downloading applications from third-party sources, rather than the official Google Play store.
One of the key methods of avoiding becoming a victim of this sort of attack is to change the default login and password of your network router. Google had not responded to a request for comment at the time of publication.