The Switcher Android Trojan is a new malware threat that uses DNS hijacking attacks against routers to gain entry to target internal networks.
Switcher Is a Sophisticated Android Trojan
Recently we have witnessed a spike in dangerous and evolved Android threats. One of them is the recently discovered Switcher Trojan.
It uses a nonstandard method of infection. Instead of targeting the local users, it attacks the Wi-Fi network by launching a brute-force attack on the router. The threat is programmed in such a way that it compromises the web administrative interface of the network device.
It then performs a DNS hijacking attack by redirecting DNS queries to a remote malicious DNS server.
Two distinct versions have been identified:
- acdb7bfebf04affd227c93c97df536cf; package name – com.baidu.com – This version disguises itself as a mobile client for the Baidu search engine which is popular in China.
- 64490fbecefa3fcdacd41995887fe510; package name – com.snda.wifi – This is a well-made counterfeit version of a popular Chinese application which is used for sharing information about Wi-Fi networks.
The criminal operators of the Switcher Android Trojan have even crafted a site that promotes the two malware samples. It also serves as the remote malicious C&C server.
Switcher Android Trojan Infection Process
The malware follows a built-in pattern which is used to infect the target hosts.
- Switcher gets the BSSID of the target network and informs the remote C&C server that the virus is about to be launched against it. BSSID is the broadcast SSID which is the Wi-Fi network name that the devices use to connect to it.
- The Trojan tries to get the name of the Internet Service Provider (ISP) and determine which rogue DNS servers to use for the hijacking attack. Three different servers have been identified in the analyzed samples – 184.108.40.206, 220.127.116.11 and 18.104.22.168.
- A brute-force attack against the network routers is performed using the following predefined credentials list:
- If the attack is successful, the virus changes the primary DNS server to a rogue one that is controlled by the criminals. The secondary address is changed to Google’s public servers, which ensures a stable connection if for some reason the primary server goes down.
- Switcher reports to the remote C&C server.
How To Protect Yourself From Switcher
You can check if you are infected by Switcher by looking at your router's configuration screen. If you see that the primary DNS server has been changed to one of the rogue servers, then you have probably been hit by the virus. Here are the server addresses once again:
In addition, do not download .apk files from sources other than Google Play. In some cases the virus can also be loaded via a computer installation.
We can recommend a trusted anti-spyware solution that can identify, remove and protect your computer from such malware. The tool can identify the Android malware package once it's downloaded from the malicious site and alert the user that it's malware before they can transfer it over to the smart device.