Switcher – Android Malware Seizes Routers' DNS Settings: A new Android Trojan was identified by malware researchers at Kaspersky Lab.
This trojan is a bit special: instead of attacking the user, it attacks the wireless router the user is connected to and carries out a DNS-hijacking attack.
Trojan.AndroidOS.Switcher runs a brute-force attack against the router's admin panel; if the attack succeeds, the malware changes the IP addresses of the DNS servers in the router's settings.
By changing the DNS servers, attackers can re-route the traffic of every device on the network to servers operated by cyber criminals. This takeover is referred to as DNS hijacking.
According to Kaspersky Lab, two versions of the trojan have been identified to date:
acdb7bfebf04affd227c93c97df536cf; package name – com.baidu.com
64490fbecefa3fcdacd41995887fe510; package name – com.snda.wifi
The first version (com.baidu.com) impersonates a mobile client for the Chinese search engine Baidu, simply opening the URL http://m.baidu.com inside the application.
The second version is a well-made imitation of a popular Chinese app (http://www.coolapk.com/apk/com.snda.wifilocating) for sharing information about Wi-Fi networks (including the security password) between users of the app.
Cyber criminals even created a website (though badly made) to advertise and distribute the aforementioned fake version of com.snda.wifilocating. The web server that hosts the site is also used by the malware authors as the command-and-control (C&C) server.
The malware tries the following hard-coded login:password combinations against the router's web admin interface:
admin:00000000, admin:admin, admin:123456, admin:12345678, admin:123456789, admin:1234567890, admin:66668888, admin:1111111, admin:88888888, admin:666666, admin:87654321, admin:147258369, admin:987654321, admin:66666666, admin:112233, admin:888888, admin:000000, admin:5201314, admin:789456123, admin:123123, admin:789456123, admin:0123456789, admin:123456789, admin:11223344, admin:123123123.
The domain name system (DNS) maps internet domain names to IP addresses.
Cybercriminals change the victim's (in this case the router's) TCP/IP settings to force it to send DNS queries to a DNS server controlled by them: a rogue DNS server.
You may ask why this matters: routers don't browse websites, so where is the risk? Unfortunately, the most common configuration for Wi-Fi routers is to hand the router's own DNS settings to every device that connects to it (via DHCP), so all devices on the network end up using the same rogue DNS. After gaining access to a router's DNS settings, an attacker can therefore control almost all the traffic in the network served by that router.
The cyber criminals were not cautious enough and left their internal infection statistics in the open part of the C&C website.
The Trojan.AndroidOS.Switcher does not attack users directly. Instead, it targets the entire network, exposing all its users to a wide range of attacks – from phishing to secondary infection.
The main danger of such tampering with a router's settings is that the new settings survive a reboot of the router, and it is very difficult to find out that the DNS has been hijacked.
Even if the rogue DNS servers are disabled for some time, the secondary DNS, which was set to 8.8.8.8, will still be used, so users and/or IT will not be alerted.
We recommend that all users check their DNS settings and search for the following rogue DNS servers:
If you have one of these servers in your DNS settings, contact your ISP support or alert the owner of the Wi-Fi network.
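The check recommended above can be scripted. The following is an added example, not code from the original article or from Kaspersky Lab: it parses a DHCP-populated resolv.conf, flags every resolver that is not on an owner-maintained allow-list (so a legitimate 8.8.8.8 secondary cannot mask a rogue primary, the trick described above), and compares each resolver's answer for a probe name against a trusted reference. The resolv.conf text, the allow-list, the LAN subnet 192.168.1.0/24 and the per-resolver answers are all constructed sample data; 192.0.2.10 is a documentation address standing in for an unknown resolver, not one of the servers Kaspersky observed.

```python
"""Audit a host's DNS resolver configuration for signs of router DNS hijacking.

Added example; not part of the original article. All sample data below is
constructed (assumption), including the LAN subnet and the allow-list.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample of a DHCP-populated /etc/resolv.conf. The "secondary"
# 8.8.8.8 keeps lookups working even when the unexpected primary is down.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search lan
nameserver 192.0.2.10
nameserver 8.8.8.8
"""

# Assumption: the resolvers this network is supposed to hand out (the router's
# own LAN address plus public resolvers the owner deliberately chose).
EXPECTED_RESOLVERS = {"192.168.1.1", "8.8.8.8", "8.8.4.4"}
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")  # assumption

# Constructed answers for a probe name from each configured resolver, next to
# the answer from a trusted reference (e.g. DNS-over-TLS to a known provider).
PROBE_NAME = "www.example.com"
SAMPLE_ANSWERS = {
    "192.0.2.10": {PROBE_NAME: "198.51.100.7"},   # differs from reference
    "8.8.8.8": {PROBE_NAME: "93.184.216.34"},
}
REFERENCE_ANSWERS = {PROBE_NAME: "93.184.216.34"}

_NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)")


def parse_resolv_conf(text: str) -> List[str]:
    """Return nameserver addresses in file order, ignoring comments/options."""
    return [m.group(1) for line in text.splitlines()
            if (m := _NAMESERVER_RE.match(line))]


def audit_resolvers(resolvers: List[str], expected: set) -> Dict[str, object]:
    """Flag resolvers outside the allow-list and the 'working secondary' trick.

    A hijacked router usually leaves one legitimate public resolver in place,
    so a plain "does DNS work?" check passes. We therefore report every
    unexpected entry, whether or not an expected one is also present.
    """
    unexpected = [r for r in resolvers if r not in expected]
    # Home routers normally hand out their own LAN address; an off-LAN resolver
    # that the owner never configured deserves a closer look.
    off_lan = [r for r in unexpected
               if ipaddress.ip_address(r) not in LAN_SUBNET]
    masked = (bool(resolvers) and resolvers[0] in unexpected
              and any(r in expected for r in resolvers[1:]))
    return {"unexpected": unexpected,
            "off_lan_unexpected": off_lan,
            "fallback_masks_rogue_primary": masked}


def divergent_resolvers(answers: Dict[str, Dict[str, str]],
                        reference: Dict[str, str]) -> List[str]:
    """Return resolvers whose answer for any probe name differs from reference."""
    return [resolver for resolver, got in answers.items()
            if any(got.get(n) != ip for n, ip in reference.items())]


def run_audit(resolv_conf: str = SAMPLE_RESOLV_CONF) -> Dict[str, object]:
    resolvers = parse_resolv_conf(resolv_conf)
    report = audit_resolvers(resolvers, EXPECTED_RESOLVERS)
    report["resolvers"] = resolvers
    report["divergent"] = divergent_resolvers(SAMPLE_ANSWERS, REFERENCE_ANSWERS)
    return report


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

On Windows the same allow-list comparison can be run against the "DNS Servers" lines of `ipconfig /all`; on the router itself, compare the WAN/DHCP DNS fields in the admin UI with what the ISP documents. A resolver that appears in `unexpected` or `divergent` is the signal the article tells you to report to your ISP or the network owner.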