Security researchers at Kaspersky Lab have discovered an Android malware that attacks wifi routers — dubbed Switcher. This malware has so far been seen in two different disguises: as a mobile client for the Chinese Baidu search engine, and as a popular Chinese app for sharing wifi information, including the password. The criminals set up fake websites to distribute the trojan.
Switcher tries to log in to the wifi router’s web interface using a predefined list of default passwords. This attack was designed for TP-Link wifi routers and may not work on other brands. Future trojans using this strategy will undoubtedly attack a wider variety of routers.
When successful, the router’s DNS settings are changed to point to a server controlled by the criminals, with a secondary owned by Google, 18.104.22.168. The DNS (Domain Name System) server is the computer that resolves names like thegoldwater.com to an IP address, which is then used by internet protocols for communications. Rebooting the router will not help; the DNS settings persist across reboots.
With the criminals in control of the DNS information, they can reroute your traffic wherever they want. All, or most, of your web traffic will be directed to sites they control. You may think you’re accessing your bank’s website, when in fact you’re just looking at a copy controlled by criminals.
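A defender-side check for the configuration change described above, written for this article as an added example (it is not Kaspersky's or the router vendor's code): it takes the DNS servers read from the router's admin page or handed out by DHCP, primary first, and flags the Switcher-style layout of an unrecognised public primary backed by a well-known public secondary. The trusted list and the 203.0.113.7 sample address are constructed placeholders.

```python
import ipaddress

# Constructed allow-list: resolvers the owner deliberately configured (an assumption
# for this example; replace with the ISP or public resolvers you actually chose).
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}
# Well-known public resolvers an attacker may set as the secondary so lookups keep
# working if the rogue server is down (the article names a Google address in that role).
WELL_KNOWN_PUBLIC = {"8.8.8.8", "8.8.4.4"}
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_dns_config(servers, trusted=TRUSTED_RESOLVERS, known_public=WELL_KNOWN_PUBLIC):
    """Classify the DNS servers a router hands out (primary first).

    Returns (verdict, findings): 'clean', 'suspicious', or 'hijack-pattern' (an
    unrecognised public primary backed by a well-known public secondary, the
    layout described for Switcher).
    """
    findings, unknown, normalised, malformed = [], [], [], False
    for idx, raw in enumerate(servers):
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            findings.append(f"entry {idx}: {raw!r} is not a valid IP address")
            normalised.append(None)
            malformed = True
            continue
        normalised.append(str(ip))
        if ip.is_loopback or any(ip in net for net in LAN_RANGES):
            findings.append(f"entry {idx}: {ip} is a LAN/loopback resolver")
        elif str(ip) in trusted:
            findings.append(f"entry {idx}: {ip} is on the trusted list")
        else:
            findings.append(f"entry {idx}: {ip} is an unrecognised public resolver")
            unknown.append(str(ip))
    if not unknown and not malformed:
        return "clean", findings
    if len(normalised) >= 2 and normalised[0] in unknown and normalised[1] in known_public:
        findings.append("primary is unknown while secondary is a well-known public resolver")
        return "hijack-pattern", findings
    return "suspicious", findings


if __name__ == "__main__":
    # Constructed sample: 203.0.113.7 is a documentation-range placeholder standing in
    # for an attacker-controlled resolver, not an address from the article.
    verdict, details = classify_dns_config(["203.0.113.7", "8.8.8.8"])
    print(verdict)
    for line in details:
        print(" -", line)
```

Run it against a snapshot taken when the router was first set up and again after any unexplained change; a persisting unknown primary after a reboot is exactly the symptom the article describes.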
This also means that an infected phone or tablet that just drops by for a visit — even for a few seconds — will leave a lasting infection for everyone in the home or office.
Even videos streamed from YouTube can be replaced with anything, including child pornography, and subsequently used for blackmail.
These types of attacks will work against any website or web service that is not served over a secure connection (HTTPS). However, due to lax security notifications in browsers, and many mobile apps with poor coding standards, even secure communications can be hijacked or bypassed.
The criminals use a command and control center, which receives a notification for every attempt and every successful infiltration. This could allow them to tailor attacks to specific individuals or organizations.
Since this attack is geared towards the router, everything that shares it is susceptible to future attacks: computers, printers, and iOS devices. For example, the criminals can set up a fake server for printer updates, and before you know it every printed, scanned, or even photocopied document is also carbon copied to a criminal enterprise.
Future versions of router hijacks could in theory even rewrite IP addresses. That means people who rely on hard-coding numeric addresses into their applications for “security reasons” are wide open to more sophisticated attacks.
We at The Goldwater echo Kaspersky Lab and recommend that Android users download their applications only from the Google Play Store. We also cannot stress enough how important it is for everyone to change the default passwords on their routers.