
Switcher Android Trojan Breaks into TP-Link Routers, Reconfigures Domain Name Servers


A new Android Trojan called "Switcher" uses infected smartphones to compromise WiFi routers and redirect every user of the shared network to malware-ridden websites. Rather than attacking end-users directly, the Trojan turns victims into unwitting accomplices, using their devices to enable further attacks. Threatpost.com reported this on December 28, 2016.

The Trojan was first spotted by Kaspersky Lab, which named it Trojan.AndroidOS.Switcher. Once the malware determines that the infected phone is connected to a wireless network, it brute-forces the admin password of the local WiFi router. If that succeeds, Switcher replaces the router's default DNS servers with servers controlled by the attackers, after which nearly any kind of attack becomes possible against the other devices on that network.

One version of the Trojan poses as a mobile client for Baidu, China's most popular search engine. Another masquerades as an application for finding and sharing WiFi router login credentials. Installing either version lets the Trojan go to work on compromising the router.

According to Kaspersky mobile malware analyst Nikita Buchka, once Switcher has successfully planted itself on a router, end-users are exposed to a wide range of attacks, phishing among them. Changing the router's configuration is especially dangerous because the new settings survive a reboot of the router, and a hijacked DNS setting is very hard to spot. Worse, taking the malicious DNS servers offline does not help either: the secondary DNS server, set to 8.8.8.8, simply takes over, so no security system raises an alert.

By pointing the secondary DNS server at Google's public DNS service, the attackers ensure that end-users experience no disruption even when the attackers' own malicious DNS server is unavailable.
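A defender's check for the configuration Switcher leaves behind, added here as an example and not code from the article or from Kaspersky: it audits the resolver list a router hands out over DHCP and flags the tell-tale pattern of an unknown primary resolver backed by a public fallback such as 8.8.8.8, which the fallback alone would hide. The trusted resolver addresses and the sample lease data are constructed assumptions.

```python
import ipaddress

# Resolvers this site considers legitimate: the router itself plus the ISP's
# resolver. Constructed/hypothetical values; adjust per network.
TRUSTED_RESOLVERS = {"192.168.1.1", "203.0.113.53"}

# Public resolvers an attacker can use as a "silent" fallback so that losing the
# rogue primary causes no visible outage (the article's 8.8.8.8 case).
PUBLIC_FALLBACKS = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}


def audit_dns_servers(servers, trusted=TRUSTED_RESOLVERS):
    """Return findings for an ordered resolver list (primary first)."""
    findings, normalized, unknown = [], [], []
    for slot, raw in enumerate(servers):
        try:
            ip = str(ipaddress.ip_address(raw))
        except ValueError:
            findings.append(f"invalid resolver address in slot {slot}: {raw!r}")
            continue
        normalized.append(ip)
        if ip in trusted:
            continue
        if ip in PUBLIC_FALLBACKS:
            # A public resolver by itself is a policy question, not a compromise.
            findings.append(f"public resolver {ip} in slot {slot}")
        else:
            unknown.append(ip)
            findings.append(f"unknown resolver {ip} in slot {slot}")
    # Switcher pattern: rogue primary with a public fallback behind it, so the
    # hijack persists even after the primary is taken offline.
    if normalized and normalized[0] in unknown and any(
        ip in PUBLIC_FALLBACKS for ip in normalized[1:]
    ):
        findings.append("HIJACK-PATTERN: unknown primary resolver with public "
                        "fallback; disabling the primary alone hides the change")
    return findings


def is_hijacked(servers, trusted=TRUSTED_RESOLVERS):
    """True when any advertised resolver lies outside the trusted set."""
    return any(f.startswith("unknown resolver")
               for f in audit_dns_servers(servers, trusted))


if __name__ == "__main__":
    # Constructed sample leases: a clean router and one after reconfiguration.
    for label, servers in {"clean": ["192.168.1.1"],
                           "suspect": ["198.51.100.7", "8.8.8.8"]}.items():
        print(label, is_hijacked(servers), audit_dns_servers(servers))
```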

Hijacking DNS settings is a long-established malware technique. Its purpose is to let attackers redirect end-users to look-alike copies of legitimate websites hosted on the criminals' own servers, where the attackers harvest login credentials for social media accounts, banking portals, online stores and the like.

» SPAMfighter News - 1/3/2017

