New Android Malware Hijacks Router DNS from Smartphone

Source:  http://thehackernews.com/2016/12/android-dns-malware.html


Another day, another creepy malware for Android users!

Security researchers have uncovered a new Android malware targeting your devices, but this time, instead of attacking the device directly, the malware takes control of the WiFi router your device is connected to and then hijacks the web traffic passing through it.

Dubbed “Switcher,” the new Android malware, discovered by researchers at Kaspersky Lab, hacks wireless routers and changes their DNS settings to redirect traffic to malicious websites.

Over a week ago, Proofpoint researchers discovered a similar attack targeting PCs, but instead of infecting the target’s machines, the Stegano exploit kit takes control of the local WiFi routers the infected device is connected to.

Switcher Malware carries out Brute-Force attack against Routers

Hackers are currently distributing the Switcher trojan disguised as an Android app for the Chinese search engine Baidu (com.baidu.com), and as a Chinese app for sharing public and private Wi-Fi network details (com.snda.wifilocating).

Once a victim installs one of these malicious apps, the Switcher malware attempts to log in to the WiFi router the victim’s Android device is connected to by carrying out a brute-force attack on the router’s admin web interface using a predefined dictionary (list) of usernames and passwords.

“With the help of JavaScript [Switcher] tries to login using different combinations of logins and passwords,” mobile security expert Nikita Buchka of Kaspersky Lab says in a blog post published today.

“Judging by the hard coded names of input fields and the structures of the HTML documents that the trojan tries to access, the JavaScript code used will work only on web interfaces of TP-LINK Wi-Fi routers.”

Switcher Malware Infects Routers via DNS Hijacking


Once it has accessed the web administration interface, the Switcher trojan replaces the router’s primary and secondary DNS servers with IP addresses pointing to malicious DNS servers controlled by the attackers.

Researchers said Switcher used three different IP addresses – 101.200.147.153, 112.33.13.11 and 120.76.249.59 – as the primary DNS server: one is the default, while the other two are used for specific internet service providers.

Due to the change in the router’s DNS settings, all the traffic gets redirected to malicious websites hosted on the attackers’ own servers instead of the legitimate site the victim is trying to access.

“The Trojan targets the entire network, exposing all its users, whether individuals or businesses, to a wide range of attacks – from phishing to secondary infection,” the post reads.

“A successful attack can be hard to detect and even harder to shift: the new settings can survive a router reboot, and even if the rogue DNS is disabled, the secondary DNS server is on hand to carry on.”
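As an added defender-side example (not code from the article or from Kaspersky’s analysis), the check below parses a constructed `nmcli dev show` snippet (the command is real; the output is sample data) and audits every resolver the router handed out, not only the primary, against the three addresses quoted above and an operator-supplied trusted set. The `192.168.0.1` router address and the `8.8.8.8` secondary resolver in the sample are assumptions for illustration.

```python
import ipaddress
import re

# The three rogue resolvers the article quotes from Kaspersky's analysis.
SWITCHER_DNS = frozenset({"101.200.147.153", "112.33.13.11", "120.76.249.59"})

# Constructed sample of `nmcli dev show wlan0` output on a client behind a
# router whose DNS settings have been rewritten. Not a real capture.
SAMPLE_NMCLI = """\
GENERAL.DEVICE:                         wlan0
IP4.ADDRESS[1]:                         192.168.0.23/24
IP4.GATEWAY:                            192.168.0.1
IP4.DNS[1]:                             101.200.147.153
IP4.DNS[2]:                             8.8.8.8
"""


def parse_dns_servers(nmcli_output):
    """Return the IP4.DNS[n] values in order (primary first)."""
    return re.findall(r"^IP4\.DNS\[\d+\]:\s+(\S+)", nmcli_output, re.MULTILINE)


def audit_dns_servers(servers, trusted):
    """Classify every resolver: a rogue secondary keeps working once the
    primary is cleaned up. `trusted` is the operator's expected resolver set
    (router LAN address and/or ISP resolvers)."""
    findings = []
    for index, server in enumerate(servers):
        role = "primary" if index == 0 else "secondary"
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            findings.append((role, server, "unparseable address"))
            continue
        if server in SWITCHER_DNS:
            verdict = "known Switcher resolver"
        elif server in trusted:
            verdict = "ok"
        elif ip.is_private:
            verdict = "unlisted LAN resolver"
        else:
            verdict = "unexpected public resolver"
        findings.append((role, server, verdict))
    return findings


def has_rogue_resolver(findings):
    """True when any resolver is not on the trusted list (worth a look)."""
    return any(verdict != "ok" for _, _, verdict in findings)


if __name__ == "__main__":
    result = audit_dns_servers(parse_dns_servers(SAMPLE_NMCLI), {"192.168.0.1"})
    for role, server, verdict in result:
        print(f"{role:9} {server:16} {verdict}")
    print("rogue resolver present:", has_rogue_resolver(result))
```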

Researchers were able to access the attacker’s command and control servers and found that the Switcher Trojan had compromised almost 1,300 routers, mainly in China, and hijacked traffic within those networks.

The Bottom Line

Android users should download applications only from the official Google Play Store.

While downloading apps from third parties does not always end in malware or viruses, it certainly raises the risk, so sticking to the official store is the best way to avoid malware compromising your device and the networks it accesses.

You can also go to Settings → Security and make sure the “Unknown sources” option is turned off.

Moreover, Android users should change their router’s default login and password so that nasty malware like Switcher or Mirai cannot compromise their routers using a brute-force attack.

Mohit Kumar - Hacking News
Entrepreneur, Hacker, Speaker, Founder and CEO — The Hacker News and The Hackers Conference.