Switcher Android Trojan Infects Routers

The Switcher Android Trojan is a new malware threat that uses DNS hijacking attacks against routers to gain entry to target internal networks.

Switcher Is a Sophisticated Android Trojan

Recently we have witnessed a spike in dangerous and evolved Android threats. The recent discovery of the Switcher Trojan is one such case.

It uses a nonstandard method of infection. Instead of targeting the local users, it attacks the Wi-Fi network by launching a brute-force attack on the router. The threat is programmed in such a way that it compromises the web administrative interface of the network device.

It then performs a DNS hijacking attack by changing the router's DNS settings so that DNS queries are sent to a remote malicious DNS server.

Two versions have been identified as distinct iterations:

  1. acdb7bfebf04affd227c93c97df536cf; package name – com.baidu.com – This version disguises itself as a mobile client for the Baidu search engine, which is popular in China.
  2. 64490fbecefa3fcdacd41995887fe510; package name – com.snda.wifi – This is a well-made counterfeit version of a popular Chinese application which is used for sharing information about Wi-Fi networks.

The criminal operators of the Switcher Android Trojan have even crafted a site that promotes the two malware samples. It also serves as the remote malicious C&C server.

Switcher Android Trojan Infection Process

The malware follows a built-in pattern which is used to infect the target hosts.

  1. Switcher gets the BSSID of the target network and informs the remote C&C server that the virus is about to be launched against it. BSSID is the broadcast SSID which is the Wi-Fi network name that the devices use to connect to it.
  2. The Trojan tries to get the name of the Internet Service Provider (ISP) and determine which rogue DNS servers to use for the hijacking attack. Three different servers have been identified in the analyzed samples: 101.200.147.153, 112.33.13.11 and 120.76.249.59.
  3. A brute-force attack against the network routers is performed using the following predefined credentials list:

    admin:00000000
    admin:admin
    admin:123456
    admin:12345678
    admin:123456789
    admin:1234567890
    admin:66668888
    admin:1111111
    admin:88888888
    admin:666666
    admin:87654321
    admin:147258369
    admin:987654321
    admin:66666666
    admin:112233
    admin:888888
    admin:000000
    admin:5201314
    admin:789456123
    admin:123123
    admin:789456123
    admin:0123456789
    admin:123456789a
    admin:11223344
    admin:123123123

  4. Switcher gets the address of the default gateway and tries to access it via an embedded browser. Using JavaScript code it tries the different login passwords to gain access to the device. The analyzed samples show that the built-in list is tailored to TP-Link Wi-Fi routers.
  5. If the attack is successful, the virus changes the primary DNS server to a rogue one controlled by the criminals. The secondary address is changed to Google's public servers, which ensures a stable connection if for some reason the primary server goes down.
  6. Switcher reports to the remote C&C server.

How To Protect Yourself From Switcher

You can check whether you are infected by Switcher by looking at your router's configuration screen. If the primary DNS server has been changed to one of the rogue servers, you have probably been hit by the virus. Here are the server addresses once again:

• 101.200.147.153
• 112.33.13.11
• 120.76.249.59
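As an added example (not code from the original article), the router check described above and the DNS change from step 5 of the infection process, written in Python: it flags the three rogue resolvers named in the article and also the weaker Switcher pattern of an unexpected primary resolver paired with a Google Public DNS secondary. The `expected` resolver set and the sample readings in the `__main__` block are assumptions supplied by the caller, not values from the article.

```python
import ipaddress

# Rogue DNS servers named in the article for the analysed Switcher samples.
SWITCHER_ROGUE_DNS = frozenset({"101.200.147.153", "112.33.13.11", "120.76.249.59"})
# Google Public DNS; Switcher writes one of these in as the secondary resolver.
GOOGLE_PUBLIC_DNS = frozenset({"8.8.8.8", "8.8.4.4"})


def _norm(addr):
    """Canonical dotted string for an IP address, or None if empty/invalid."""
    if not addr:
        return None
    try:
        return str(ipaddress.ip_address(addr.strip()))
    except ValueError:
        return None


def assess_router_dns(primary, secondary=None, expected=()):
    """Classify the primary/secondary DNS pair shown on a router's config page.
    `expected` holds the resolvers the administrator normally expects; it is
    supplied by the caller (an assumption), not derived from the article.
    Returns (verdict, reason), verdict in {'infected', 'suspicious', 'clean'}."""
    p, s = _norm(primary), _norm(secondary)
    known = {e for e in map(_norm, expected) if e}
    # Strong indicator: either slot points at a resolver from the article's list.
    if p in SWITCHER_ROGUE_DNS or s in SWITCHER_ROGUE_DNS:
        hit = p if p in SWITCHER_ROGUE_DNS else s
        return "infected", f"{hit} is a known Switcher rogue DNS server"
    if p is None:
        return "suspicious", "primary DNS is empty or not a valid IP address"
    # Switcher's pattern: an unexpected primary with Google as the fallback.
    if p not in known and p not in GOOGLE_PUBLIC_DNS and s in GOOGLE_PUBLIC_DNS:
        return "suspicious", f"unexpected primary {p} paired with Google fallback {s}"
    if known and p not in known:
        return "suspicious", f"primary {p} is not one of the expected resolvers"
    return "clean", "DNS settings match expectations"


if __name__ == "__main__":
    # Constructed sample readings, not values captured from a real router.
    samples = [
        ("101.200.147.153", "8.8.8.8", ["198.51.100.1"]),
        ("203.0.113.7", "8.8.8.8", ["198.51.100.1"]),
        ("198.51.100.1", "198.51.100.2", ["198.51.100.1", "198.51.100.2"]),
    ]
    for primary, secondary, expected in samples:
        print(primary, secondary, "->", assess_router_dns(primary, secondary, expected))
```

Many routers hand their own LAN address to clients as the resolver, so read the values from the router's WAN/DNS page rather than from a client's resolver configuration.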

In addition, do not download .apk files from sources other than Google Play! In some cases the virus can also be loaded via a computer installation.

We can recommend a trusted anti-spyware solution that can identify, remove and protect your computer from such malware. The tool can identify the Android malware package once it is downloaded from the malicious site and alert the user that it is malware before they transfer it to the smart device.


Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
