An Android trojan named Switcher (Trojan.AndroidOS.Switcher) targets Android devices in order to take over local WiFi routers and hijack the web traffic passing through them.

Discovered by security researchers from Kaspersky Lab, this trojan is currently distributed among Chinese users as a clone of the official Baidu Android app (com.baidu.com), and as an application for sharing details and passwords about public and private WiFi networks (com.snda.wifilocating).

Switcher brute-forces local WiFi routers

The way this trojan works is by collecting information on the user's WiFi network after infecting a phone or tablet.

Switcher sends this information to a public C&C server, which determines the user's ISP and decides on what DNS records to use at a later stage.

Once the trojan gets the go-ahead from its C&C server, Switcher attempts to log in to the user's home WiFi router by trying a set of default admin credentials. The full list is available below:

admin:00000000
admin:admin
admin:123456
admin:12345678
admin:123456789
admin:1234567890
admin:66668888
admin:1111111
admin:88888888
admin:666666
admin:87654321
admin:147258369
admin:987654321
admin:66666666
admin:112233
admin:888888
admin:000000
admin:5201314
admin:789456123
admin:123123
admin:789456123
admin:0123456789
admin:123456789a
admin:11223344
admin:123123123

These username-password combinations are the factory defaults on a range of router models, but researchers say that, because of the authentication method the trojan implements, the attack only succeeds against WiFi routers manufactured by TP-Link.

Switcher hijacks the routers' DNS records

Once the trojan has authenticated to a local router, it modifies the router's DNS settings, pointing them at the IP address received from the C&C server. According to Kaspersky, Switcher has so far used three different IP addresses as the primary DNS server:

101.200.147.153
112.33.13.11
120.76.249.59

The router hands these DNS settings to every device that connects to it. Users should check their DNS settings and see whether their computer or phone is using one of these three IPs.

Additionally, Switcher also sets the secondary DNS server to 8.8.8.8 (Google public DNS server), in case the malicious DNS server goes down. This keeps the user's Internet connection running until crooks migrate victims to a new DNS server.
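The check the article recommends can be scripted: the added example below (not from Kaspersky or the article) scans resolver configuration text, either a Linux/macOS `/etc/resolv.conf` or Windows `ipconfig /all` output, for the three primary DNS addresses named above, and additionally flags the Switcher-specific layout of a malicious primary followed by 8.8.8.8 as secondary. The two sample inputs are constructed for illustration.

```python
import re
from typing import Dict, List

# Primary DNS addresses the article attributes to Switcher.
SWITCHER_DNS = {"101.200.147.153", "112.33.13.11", "120.76.249.59"}
# Fallback resolver Switcher sets as secondary, per the article.
FALLBACK_DNS = "8.8.8.8"

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# resolv.conf style: "nameserver 1.2.3.4"
NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(" + IPV4 + r")", re.M)
# ipconfig /all style: "DNS Servers . . . : 1.2.3.4" with further
# servers indented on the following lines.
IPCONFIG_RE = re.compile(
    r"DNS Servers[ .]*:\s*(" + IPV4 + r")((?:\r?\n\s+" + IPV4 + r")*)"
)


def extract_dns_servers(text: str) -> List[str]:
    """Return configured DNS server IPs, in order, from either config style."""
    servers = NAMESERVER_RE.findall(text)
    for first, rest in IPCONFIG_RE.findall(text):
        servers.append(first)
        servers.extend(re.findall(IPV4, rest))
    return servers


def assess(text: str) -> Dict[str, object]:
    """Flag known Switcher resolvers and the malicious-primary + 8.8.8.8 layout."""
    servers = extract_dns_servers(text)
    hits = [s for s in servers if s in SWITCHER_DNS]
    switcher_layout = (
        len(servers) >= 2 and servers[0] in SWITCHER_DNS and servers[1] == FALLBACK_DNS
    )
    return {"servers": servers, "hits": hits, "switcher_layout": switcher_layout}


# Constructed sample: a client behind a hijacked router (Linux resolv.conf).
HIJACKED_RESOLV = """# Generated by NetworkManager
search lan
nameserver 101.200.147.153
nameserver 8.8.8.8
"""

# Constructed sample: a clean Windows client (ipconfig /all excerpt).
CLEAN_IPCONFIG = """Wireless LAN adapter Wi-Fi:
   IPv4 Address. . . . . . . . . . . : 192.168.0.23
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       1.1.1.1
"""

if __name__ == "__main__":
    for name, sample in (("hijacked", HIJACKED_RESOLV), ("clean", CLEAN_IPCONFIG)):
        print(name, assess(sample))
```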

Hijacking DNS settings simplifies phishing operations

DNS hijacking is an old malware technique, used by many families in the past. Its purpose is to redirect users to clones of legitimate websites hosted on the crooks' own servers.

This way, the attacker can collect login credentials for banking portals, social media profiles, online stores, and others.

More recently, exploit kits such as Stegano have also started targeting home routers, in order to hijack web traffic and insert unwanted ads.

Public folder on the Switcher C&C server [Source: Kaspersky Lab]

Kaspersky Lab malware analyst Nikita Buchka said the Switcher group forgot to protect their C&C server from public access, which allowed analysts to take a look at their operation from within.

He says he was able to access the C&C server folders, where he found evidence that the Switcher malware had infected 1,280 routers and hijacked traffic within those networks.