A new Android trojan targets wireless routers and performs DNS hijacking instead of attacking users directly.
Kaspersky Lab found that the trojan, dubbed Trojan.AndroidOS.Switcher, generally adopts one of two disguises. The first facade (com.baidu.com) is a fake mobile client for the Chinese search engine Baidu. The second (com.snda.wifi) is a fake version of another app that allows users to share information about public Wi-Fi networks.
Once a user downloads one of the two camouflaged applications, Switcher gets to work. It first obtains the BSSID, or the MAC address of the wireless access point (WAP), and informs its command and control (C&C) server. It then tries to identify the ISP to determine which of its three rogue DNS servers it should use: 22.214.171.124, 126.96.36.199, and 188.8.131.52.
Next, the trojan performs a brute-force attack using a number of predefined usernames and passwords. As of this writing, its attack code works against only TP-LINK Wi-Fi routers.
Attackers can use those two rogue DNS servers to steer anyone who accesses the web through the compromised router away from their desired destination. If a user searches for Google.com, for example, the bad actors can redirect them to a site that’s laden with malware under their control. Alternatively, they can save all of a user’s search results and web traffic.
Submitted by: Arnfried Walbrecht