Kaspersky warns of Android Trojan attacking routers via smartphones

Kaspersky has warned of an Android Trojan that uses compromised devices to conduct brute-force attacks against WiFi routers.

Another Android security risk has been uncovered
Dubbed the Switcher Trojan, it is distributed via fake versions of popular apps and, rather than exploiting compromised devices directly, seeks to take control of WiFi routers in order to re-direct traffic.

Once infected via the fake apps, Switcher tries to brute-force access to the WiFi network's router and then changes its DNS settings to redirect traffic from devices connected to the network to a rogue DNS server.

This server fools the devices into communicating with websites controlled by the attackers, leaving users vulnerable to phishing, malware, adware and other attacks. A successful attack can be hard to detect, warns Kaspersky, and even harder to eradicate.

The Trojan has not yet become widespread, with figures dredged from the malware creators' own command-and-control server indicating that around 1,280 wireless networks have been compromised so far, mostly in China.

Switcher is currently distributed as a fake version of the app for the popular Chinese search engine Baidu, or as a fake version of an app popular in China that lets users share information about WiFi networks. The server that hosts a web site built by the malware authors to promote and distribute one of the apps also doubles as the malware authors' command-and-control (C&C) server.

Kaspersky pulled the figures for the number of infections directly from an inadvertently open part of this website.

"The Switcher Trojan marks a dangerous new trend in attacks on connected devices and networks," warned Nikita Buchka, mobile security expert at Kaspersky. He continued: "It does not attack users directly.

Instead, it turns them into unwilling accomplices: physically moving sources of infection. The Trojan targets the entire network, exposing all its users, whether individuals or businesses, to a wide range of attacks - from phishing to secondary infection.

"A successful attack can be hard to detect and even harder to shift: the new settings can survive a router reboot, and even if the rogue DNS is disabled, a secondary DNS server is on hand to carry on."

The following graphic (not reproduced here) illustrates how the DNS infection works.

Checking a router's DNS settings is an easy way to check for infection. If any of them points to one of the following IP addresses, then you have a problem, warns Kaspersky:
  • 101.200.147.153;
  • 112.33.13.11;
  • 120.76.249.59.
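The check above can be automated for clients on the network as well as for the router itself. The following is an added example, not code from Kaspersky or from the article: it parses resolv.conf-style nameserver lines (the format is assumed as the input; router admin pages vary) and compares every configured resolver, not just the primary, against the three addresses listed above, because the article notes that Switcher keeps a secondary rogue DNS server on hand as a fallback. The sample inputs are constructed.

```python
import ipaddress
import re

# Rogue DNS resolver addresses named in the Kaspersky write-up quoted above.
SWITCHER_ROGUE_DNS = frozenset({
    "101.200.147.153",
    "112.33.13.11",
    "120.76.249.59",
})

# Matches "nameserver <address>" lines as found in /etc/resolv.conf (assumed input format).
NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolv_conf(text: str) -> list[str]:
    """Return every nameserver address in resolv.conf-style text, in order.

    All entries are kept: a hijacked network may leave the primary server
    looking legitimate while a secondary entry points at the rogue resolver.
    """
    servers = []
    for match in NAMESERVER_RE.finditer(text):
        candidate = match.group(1)
        try:
            servers.append(str(ipaddress.ip_address(candidate)))
        except ValueError:
            continue  # skip malformed entries instead of failing the whole check
    return servers


def find_rogue_dns(servers) -> list[str]:
    """Return the configured resolvers that match a known Switcher address."""
    return [s for s in servers if s in SWITCHER_ROGUE_DNS]


def assess(text: str) -> dict:
    """Parse the configuration and report whether any rogue resolver is present."""
    servers = parse_resolv_conf(text)
    rogue = find_rogue_dns(servers)
    return {"servers": servers, "rogue": rogue, "compromised": bool(rogue)}


# Constructed sample: a client on a hijacked network whose DHCP lease handed out a
# legitimate-looking primary resolver and a rogue secondary one.
SAMPLE_HIJACKED = """# Generated by DHCP client (constructed sample)
nameserver 192.168.1.1
nameserver 120.76.249.59
search lan
"""

# Constructed sample: a clean configuration.
SAMPLE_CLEAN = """nameserver 192.168.1.1
nameserver 9.9.9.9
"""

if __name__ == "__main__":
    for label, sample in (("hijacked", SAMPLE_HIJACKED), ("clean", SAMPLE_CLEAN)):
        print(label, assess(sample))
```

On a real host, feed the script the contents of /etc/resolv.conf or the DNS fields copied from the router's admin page; a match on any entry, including the secondary, is the indicator the article describes.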
