
Switcher Android Trojan: How does it attack wireless routers?

The Switcher Trojan spreads to Android devices through the wireless router to which they are connected. Expert Nick Lewis explains how this attack is carried out.

Kaspersky Lab researchers found a new Android Trojan called Switcher that uses victims' devices to infect the Wi-Fi routers they are connected to in order to further attack other devices on that network. How does this attack work on routers? Is there anything that can be done to protect them?

The Switcher Android Trojan attacks network settings rather than just targeting an endpoint -- a method that enables it to infect all of the systems using the network.

Kaspersky Lab has documented how the Switcher Android Trojan uses a malicious mobile application to attack wireless routers that have insecure default configurations. A user is tricked into installing the malicious Switcher mobile app, which then tries to brute-force the administrator password of the wireless access point to which the device is connected. If the Switcher Android Trojan manages to guess the admin password, it changes the domain name system (DNS) server settings that the access point's embedded Dynamic Host Configuration Protocol (DHCP) server hands out to clients.

DHCP servers are typically used on wireless access points to make it easier to configure the network settings for mobile devices. Once the DNS server settings are changed, additional devices that connect to the wireless network and that use DHCP to get the IP configuration settings will be rerouted to the malicious DNS server. The malicious DNS server can be used for man-in-the-middle attacks, to serve up ads and more.

There are several aspects of this Switcher Android Trojan attack against which networks need to be secured. The wireless access point can be secured with the same steps used to prevent Chameleon malware; since the attack depends on guessing the access point's administrator password, a weak or default password is the exposure to remove first. Endpoints can have their DNS settings manually set, but that would reduce the benefit of using DHCP.

Enterprises can detect the malware on their networks by monitoring for connections to the rogue DNS servers listed by Kaspersky. Enterprises should also monitor their networks for rogue DHCP servers. And, as always, users should be cautious about which mobile apps they download, even if they are from a legitimate app store. 
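The two monitoring steps above (watching for DHCP offers that point clients at unexpected DNS servers, and watching for DNS traffic to resolvers the organisation does not run) can be expressed as simple log and flow checks. The following is an added example, not code from the original article or from Kaspersky Lab; the log line format, the approved resolver list, the known DHCP server address and the rogue resolver address 203.0.113.7 are all constructed placeholders, and a real deployment would substitute its own inventory and the indicator list published by Kaspersky.

```python
"""Defender-side checks for DHCP-delivered DNS hijacking.

Check 1: DHCP offers (e.g. from a DHCP-server or wireless-controller log)
         whose DNS option is not an approved resolver, or which come from
         a DHCP server that is not known to the network team.
Check 2: flow records showing DNS (port 53) traffic to unapproved resolvers,
         which also catches endpoints whose settings were already changed.
All addresses, log lines and flow records below are constructed.
"""
import re
from ipaddress import ip_address

# Constructed allowlists; load these from inventory in practice.
APPROVED_DNS = {ip_address("10.0.0.53"), ip_address("10.0.1.53")}
KNOWN_DHCP_SERVERS = {ip_address("10.0.0.1")}

# Constructed log format: "<timestamp> <iface> DHCPOFFER from <server> dns=<a>,<b>"
DHCP_OFFER_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+) DHCPOFFER from (?P<server>[\d.]+) dns=(?P<dns>[\d.,]+)$"
)


def check_dhcp_offers(lines, approved_dns=APPROVED_DNS, known_servers=KNOWN_DHCP_SERVERS):
    """Return findings for offers from unknown DHCP servers or carrying unapproved DNS."""
    findings = []
    for line in lines:
        m = DHCP_OFFER_RE.match(line.strip())
        if not m:
            continue  # not a DHCPOFFER line in the constructed format; ignore
        server = ip_address(m["server"])
        resolvers = [ip_address(x) for x in m["dns"].split(",")]
        if server not in known_servers:
            findings.append({"ts": m["ts"], "type": "rogue_dhcp_server",
                             "server": str(server)})
        bad = [str(r) for r in resolvers if r not in approved_dns]
        if bad:
            # The Switcher case: legitimate router, but the DNS option was rewritten.
            findings.append({"ts": m["ts"], "type": "unapproved_dns_option",
                             "server": str(server), "dns": bad})
    return findings


def check_dns_flows(flows, approved_dns=APPROVED_DNS):
    """flows: iterable of (src, dst, proto, dport). Flag DNS to unapproved resolvers."""
    hits = []
    for src, dst, proto, dport in flows:
        if dport != 53 or proto not in ("udp", "tcp"):
            continue  # only DNS traffic is of interest here
        if ip_address(dst) not in approved_dns:
            hits.append({"type": "dns_to_unapproved_resolver", "src": src, "dst": dst})
    return hits


# Constructed sample input.
SAMPLE_DHCP_LOG = [
    "2017-05-02T10:00:01 wlan0 DHCPOFFER from 10.0.0.1 dns=10.0.0.53,10.0.1.53",
    "2017-05-02T10:00:07 wlan0 DHCPOFFER from 10.0.0.1 dns=203.0.113.7,10.0.0.53",
    "2017-05-02T10:00:09 wlan0 DHCPOFFER from 10.0.0.99 dns=10.0.0.53",
    "2017-05-02T10:00:10 wlan0 DHCPACK to 10.0.0.20",
]
SAMPLE_FLOWS = [
    ("10.0.0.20", "10.0.0.53", "udp", 53),
    ("10.0.0.21", "203.0.113.7", "udp", 53),
    ("10.0.0.22", "198.51.100.10", "tcp", 443),
]

if __name__ == "__main__":
    for f in check_dhcp_offers(SAMPLE_DHCP_LOG) + check_dns_flows(SAMPLE_FLOWS):
        print(f)
```

The second offer in the sample is the symptom this article describes: the offer still comes from the legitimate router, so a rogue-DHCP-server check alone would miss it, and only the DNS option gives it away. The flow check is the backstop for devices that were configured before monitoring started.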

Next Steps

Read about the Triada Android Trojan's ability to replace a device's system functions

Find out how Exaspy spyware is able to hide on Android devices

Learn how an Android backdoor was created in devices using Ragentek firmware

This was last published in May 2017
