
New Android-infecting malware brew hijacks devices. Why, you ask? Your router

1,280 Wi-Fi networks have fallen victim to the Switcher

Hackers have brewed up a strain of Android malware that uses compromised smartphones as conduits to attack routers.

The Switcher trojan does not attack Android device users directly. Instead, the malware uses compromised smartphones and tablets as tools to attack any wireless networks they connect to.

Switcher brute-forces access to the network's router and then changes its DNS settings to redirect traffic from devices connected to the network to a rogue DNS server, security researchers at Kaspersky Lab report.

This server fools the devices into communicating with websites controlled by the attackers, leaving users wide open to either phishing or further malware-based attacks.
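One way a device on the network could notice the DNS change described above, as an added example that is not from the article or Kaspersky Lab's write-up: clients typically learn their resolver from the router over DHCP, so this code parses ISC dhclient lease records and flags a lease whose DNS servers differ from the previous lease issued by the same router. The lease text, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in ISC dhclient lease-file syntax. Addresses come from
# private and documentation ranges; they are not indicators from any report.
SAMPLE_LEASES = '''
lease {
  interface "wlan0";
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1;
  renew 1 2017/01/02 09:00:00;
}
lease {
  interface "wlan0";
  option routers 192.168.1.1;
  option domain-name-servers 203.0.113.53,198.51.100.53;
  renew 2 2017/01/03 09:00:00;
}
'''

LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)
FIELD_RE = re.compile(r"^\s*(?:option\s+)?([\w-]+)\s+(.+?);\s*$", re.M)


def parse_leases(text):
    """Return one dict per lease block: router, renew time, DNS server list."""
    leases = []
    for body in LEASE_RE.findall(text):
        fields = dict(FIELD_RE.findall(body))
        raw = fields.get("domain-name-servers", "")
        dns = [ipaddress.ip_address(a.strip()) for a in raw.split(",") if a.strip()]
        leases.append({"router": fields.get("routers"),
                       "renew": fields.get("renew"), "dns": dns})
    return leases


def find_dns_changes(leases, trusted=()):
    """Flag leases that hand out resolvers not seen in the previous lease
    from the same router and not in the caller's trusted set."""
    trusted = {ipaddress.ip_address(a) for a in trusted}
    alerts, last_seen = [], {}
    for lease in leases:
        prev = last_seen.get(lease["router"])
        if prev is not None:  # the first lease only sets the baseline
            new = [a for a in lease["dns"] if a not in prev and a not in trusted]
            if new:
                alerts.append({"router": lease["router"], "renew": lease["renew"],
                               "new_dns": [str(a) for a in new]})
        last_seen[lease["router"]] = set(lease["dns"])
    return alerts
```

A change flagged this way is a prompt to log in to the router and inspect its DNS settings, since a legitimate ISP or administrator change looks the same at the client.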

The attackers claim to have successfully infiltrated 1,280 wireless networks so far, mainly in China.

The tactics in play are similar to those employed by a DNS Changer variant spotted by security researchers at Proofpoint last month. That nasty spread through JavaScript code in malicious ads, whereas Switcher uses a different mode of attack.

The infection is spread by users downloading one of two versions of the Android Trojan from a website created by the attackers. The first version is disguised as an Android client of the Chinese search engine, Baidu, and the other is a counterfeit version of a popular Chinese app for sharing information about Wi-Fi networks.

"The attackers have built a website to promote and distribute the Trojanised Wi-Fi app to users," according to Kaspersky Lab. "The web server that hosts this site doubles as the malware authors' command-and-control (C&C) server. Internal infection statistics spotted on an open part of this website reveal the attackers' claims to have compromised 1,280 websites – potentially exposing all the devices connected to them to further attack and infection."

A write-up of the Switcher malware can be found on Kaspersky Lab's Securelist blog here. ®
