Android Malware Now Infects Wireless Routers to Hijack Network Traffic
Feb 12, 2026 8:25 AM

Finding new Android malware is no longer a surprise, and it often doesn't even make the headlines. However, researchers at Kaspersky Lab have come across a new Android trojan which they are calling "quite unique."

This latest Android trojan, dubbed "Switcher," doesn't attack the user but the WiFi router the user is connected to. Switcher hacks wireless routers and changes their DNS settings to redirect traffic to malicious websites. Clever, right? Here's how it works.

Android trojan uses DNS hijacking to infect routers

The malware has been disguised as an Android client for the Chinese search engine Baidu and as a Chinese app that is used for locating and sharing WiFi login information. Once users install either of these apps, the malware attempts to launch brute-force attacks to guess the password.

Switcher performs this brute-force password-guessing attack on the router’s admin web interface. If it succeeds, the malware then changes the addresses of the DNS servers in the router’s settings, rerouting all DNS queries from the connected devices to the servers of the attackers. This technique is known as DNS hijacking.

"With the help of JavaScript it tries to login using different combinations of logins and passwords. Judging by the hardcoded names of input fields and the structures of the HTML documents that the trojan tries to access, the JavaScript code used will work only on web interfaces of TP-LINK Wi-Fi routers," Nikita Buchka of Kaspersky Lab said in a blog post.

This brute-force attack is launched with a predefined dictionary of username and password combinations, including admin:admin, admin:123456, admin:1111111, admin:00000000, etc. If the interface is accessed, the Android trojan then replaces the device's primary and secondary DNS servers with IP addresses that point to rogue servers.

The DNS (Domain Name System) is used for resolving human-readable names (e.g. google.com) into IP addresses. When attacked, the web router will communicate "with a completely different network resource. This could be a fake google.com, saving all your search requests and sending them to the cybercriminals, or it could just be a random website with a bunch of pop-up ads or malware." The following images show the differences in how these queries are processed.

[Images: dns-hijack, dns-hijacking]

"Unfortunately, the most common configuration for Wi-Fi routers involves making the DNS settings of the devices connected to it the same as its own, thus forcing all devices in the network use the same rogue DNS," Buchka warned. "The Trojan targets the entire network, exposing all its users, whether individuals or businesses, to a wide range of attacks - from phishing to secondary infection."

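A defender-side check for the behaviour described above, as an added example that is not from Kaspersky Lab or the original article: it compares the DNS resolvers a device received from the router against the ones the network is supposed to use. The resolver addresses, the router address and the sample resolv.conf text are constructed assumptions.

```python
import ipaddress

# Assumptions (constructed, documentation-range addresses): the resolvers this
# network should hand out, and the router's LAN address when it forwards DNS.
EXPECTED_RESOLVERS = ["192.0.2.53", "2001:db8::53"]
ROUTER_LAN = ["192.168.1.1"]

# Constructed resolv.conf samples: clean, hijacked, and router-as-forwarder.
CLEAN = "# constructed sample\nnameserver 192.0.2.53\nnameserver 2001:DB8::53\n"
HIJACKED = "nameserver 203.0.113.10\nnameserver 198.51.100.20  # secondary\n"
FORWARDED = "nameserver 192.168.1.1\n"


def parse_nameservers(resolv_text):
    """Return the nameserver addresses found in resolv.conf-style text."""
    servers = []
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue  # comments, blank lines, search/options directives
        try:
            # Drop an IPv6 zone id such as fe80::1%eth0 before parsing.
            servers.append(ipaddress.ip_address(parts[1].split("%", 1)[0]))
        except ValueError:
            continue  # malformed address: not a usable resolver
    return servers


def audit_resolvers(resolv_text, expected=EXPECTED_RESOLVERS, router=ROUTER_LAN):
    """Sort configured resolvers into expected, router and unexpected."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    routers = {ipaddress.ip_address(a) for a in router}
    report = {"expected": [], "router": [], "unexpected": []}
    for addr in parse_nameservers(resolv_text):
        if addr in allowed:
            report["expected"].append(str(addr))
        elif addr in routers:
            # The client only sees the forwarder; the upstream DNS servers
            # must be checked on the router's own settings page.
            report["router"].append(str(addr))
        else:
            report["unexpected"].append(str(addr))
    return report


if __name__ == "__main__":
    for name, text in [("clean", CLEAN), ("hijacked", HIJACKED), ("forwarded", FORWARDED)]:
        print(name, audit_resolvers(text))
```

Any address in the `unexpected` list means the device is sending its queries somewhere other than the resolvers the network owner chose, which is the state a changed router DNS setting leaves every connected device in.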