The Switcher Android Trojan is a new malware threat that uses DNS hijacking attacks against routers to gain entry to target internal networks.
Switcher Is a Sophisticated Android Trojan
Recently we have witnessed a spike in dangerous and evolved Android threats. Such is the recent discovery of the Switcher Trojan.
It uses a nonstandard method of infection. Instead of targeting the local users, it attacks the Wi-Fi network itself by launching a brute-force attack on the router. The threat is programmed in such a way that it compromises the web administrative interface of the network device.
It then performs a DNS hijacking attack by changing the DNS queries to a remote malicious DNS server.
There have been two versions that are identified as distinct iterations:
- acdb7bfebf04affd227c93c97df536cf; package name: com.baidu.com. This version disguises itself as a mobile client for the Baidu search engine, which is popular in China.
- 64490fbecefa3fcdacd41995887fe510; package name: com.snda.wifi. This is a well-made counterfeit version of a popular Chinese application used for sharing information about Wi-Fi networks.
The criminal operators of the Switcher Android Trojan have even crafted a site that promotes the two malware samples. It also serves as the remote malicious C&C server.
Switcher Android Trojan Infection Process
The malware follows a built-in pattern which is used to infect the target hosts.
- Switcher gets the BSSID of the target network and informs the remote C&C server that the virus is about to be launched against it. BSSID is the broadcast SSID, the Wi-Fi network name that devices use to connect to it.
- The Trojan tries to get the name of the Internet Service Provider (ISP) and determine which rogue DNS servers to use for the hijacking attack. Three different servers have been identified in the analyzed samples: 101.200.147.153, 112.33.13.11 and 120.76.249.59.
- A brute-force attack against the network routers is performed using the following predefined credentials list:
admin:00000000
admin:admin
admin:123456
admin:12345678
admin:123456789
admin:1234567890
admin:66668888
admin:1111111
admin:88888888
admin:666666
admin:87654321
admin:147258369
admin:987654321
admin:66666666
admin:112233
admin:888888
admin:000000
admin:5201314
admin:789456123
admin:123123
admin:789456123
admin:0123456789
admin:123456789a
admin:11223344
admin:123123123
- Switcher gets the address of the default gateway and tries to access it via an embedded browser. Using JavaScript code it tries the different login passwords in turn to gain access to the device. The malware samples show that the built-in list is built to target TP-Link Wi-Fi routers.
- If the attack is successful, the virus changes the primary DNS server to a rogue one controlled by the criminals. The secondary address is changed to Google's public servers, which keeps name resolution working if for some reason the primary server goes down.
- Switcher reports to the remote C&C server.
How To Protect Yourself From Switcher
You can check whether you are infected by Switcher by looking at your router's configuration screen. If you see that the primary DNS server has been changed to one of the rogue servers, then you have probably been hit by the virus. Here are the server addresses once again:
- 101.200.147.153
- 112.33.13.11
- 120.76.249.59
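The check described above can be scripted against a copy of the router's DNS settings. The following is an added example, not code from the original article: it parses a resolv.conf-style file or a router status export (the "Primary DNS Server:" layout is a constructed assumption, not any vendor's format), flags the three rogue servers listed above, and as a heuristic also flags the layout Switcher leaves behind, a public primary resolver paired with a Google secondary.

```python
import ipaddress
import re

# Rogue DNS servers named in the Switcher analysis above.
SWITCHER_ROGUE_DNS = {"101.200.147.153", "112.33.13.11", "120.76.249.59"}
# Google Public DNS; Switcher sets one of these as the secondary server.
GOOGLE_PUBLIC_DNS = {"8.8.8.8", "8.8.4.4"}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_dns_servers(config_text):
    """Return DNS server addresses, in configured order, from a
    resolv.conf-style file or a router status export that labels the
    servers with 'DNS' (constructed format, not a vendor's)."""
    servers = []
    for line in config_text.splitlines():
        low = line.lower()
        if "dns" not in low and not low.startswith("nameserver"):
            continue
        for addr in IPV4.findall(line):
            try:
                ipaddress.IPv4Address(addr)  # drop "999.1.1.1"-style junk
            except ValueError:
                continue
            servers.append(addr)
    return servers


def assess_dns_servers(servers):
    """Return (verdict, reasons): 'infected' when a known rogue server is
    configured; 'suspicious' (heuristic) when a public primary is paired
    with a Google secondary, the layout Switcher leaves behind, so the
    primary should be verified against the ISP's resolvers; else 'clean'."""
    hits = [s for s in servers if s in SWITCHER_ROGUE_DNS]
    if hits:
        return "infected", ["known Switcher rogue DNS server(s): " + ", ".join(hits)]
    if len(servers) >= 2 and servers[1] in GOOGLE_PUBLIC_DNS:
        primary = ipaddress.IPv4Address(servers[0])
        if primary.is_global and servers[0] not in GOOGLE_PUBLIC_DNS:
            return "suspicious", [f"public primary DNS {servers[0]} with a Google "
                                  "secondary matches the Switcher layout"]
    return "clean", []


# Constructed sample of a router status export, not a real capture.
SAMPLE_ROUTER_STATUS = """\
WAN IP Address: 100.64.12.7
Primary DNS Server: 112.33.13.11
Secondary DNS Server: 8.8.8.8
"""

if __name__ == "__main__":
    verdict, reasons = assess_dns_servers(parse_dns_servers(SAMPLE_ROUTER_STATUS))
    print(verdict, reasons)  # infected ['known Switcher rogue DNS server(s): 112.33.13.11']
```

A deliberately configured public resolver (for example 1.1.1.1 with 8.8.8.8 as backup) also triggers the "suspicious" heuristic, so treat that verdict as a prompt to confirm the primary, not as proof of infection.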
In addition, do not download .apk files from sources other than Google Play. In some cases the virus can also be loaded onto the device via an installation from a computer.
We can recommend a trusted anti-spyware solution that can identify, remove and protect your computer from such malware. The tool can identify the Android malware package once it is downloaded from the malicious site and alert the user that it is malware before they transfer it over to the smart device.
SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly.