A new strain of malware has been discovered targeting Android devices in order to hack into routers and further spread malicious activity online.
Called 'Switcher,' the malware, according to Kaspersky SecureLabs, is the first software to attack routers using Android as a vector. It will attempt to access a router's admin interface by brute-forcing its way in, using a predefined list of default router passwords.
The Switcher malware is reportedly targeting users in China, spreading through a fake Baidu mobile client and another app that shares information about Wi-Fi networks.
Once it makes its way in, Switcher changes the addresses of the DNS servers in the router's admin settings. From that point, DNS queries from devices on the compromised Wi-Fi network are rerouted to the cybercriminals' servers. The attackers can then use that position to further spread malicious activity, commit theft, and carry out other compromising activities on the internet. SecureLabs researcher Nikita Buchka states:
"You may ask – why does it matter: routers don’t browse websites, so where’s the risk? Unfortunately, the most common configuration for Wi-Fi routers involves making the DNS settings of the devices connected to it the same as its own, thus forcing all devices in the network to use the same rogue DNS. So, after gaining access to a router’s DNS settings one can control almost all the traffic in the network served by this router."
Digging deeper in their investigation, they found that the cybercriminals' command and control (C&C) server was left public. They found that the malware has already successfully infiltrated 1,280 Wi-Fi networks. "If this is true, traffic of all the users of these networks is susceptible to redirection," says Buchka.
While the malware is limited to China, it reminds us to change the default credentials of our routers, in order to stay safe from any possible attacks from cybercriminals.
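To check for the DNS change described above, a defender can decode the DNS-server option (option 6) in a DHCP reply captured on the network and compare it with the resolvers the router is supposed to hand out, since DHCP is how connected devices normally inherit the router's DNS settings. This is an added example, not code from the article or the researchers; the allowlist, the sample option bytes and the function names are constructed for illustration.

```python
import ipaddress

# Assumption: resolvers this network should hand out. Constructed values;
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
EXPECTED_DNS = {"192.168.1.1", "198.51.100.53"}

PAD, DNS_SERVERS, END = 0, 6, 255  # DHCP option codes (RFC 2132)

def parse_dhcp_options(blob):
    """Decode a DHCP options field (after the magic cookie) into {code: bytes}."""
    options, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == END:
            break
        if code == PAD:  # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("option %d has no length byte" % code)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        options[code] = options.get(code, b"") + value  # repeated options concatenate
        i += 2 + length
    return options

def offered_dns(blob):
    """Return the IPv4 resolvers a DHCP reply tells clients to use (option 6)."""
    raw = parse_dhcp_options(blob).get(DNS_SERVERS, b"")
    if len(raw) % 4:
        raise ValueError("option 6 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[n:n + 4])) for n in range(0, len(raw), 4)]

def unexpected_dns(blob, expected=EXPECTED_DNS):
    """Resolvers offered by the router that are not on the allowlist."""
    return [ip for ip in offered_dns(blob) if ip not in expected]

# Constructed option fields: subnet mask (1), router (3), DNS servers (6), end.
CLEAN = bytes([1, 4, 255, 255, 255, 0, 3, 4, 192, 168, 1, 1,
               6, 4, 192, 168, 1, 1, 255])
TAMPERED = bytes([1, 4, 255, 255, 255, 0, 3, 4, 192, 168, 1, 1,
                  6, 8, 203, 0, 113, 10, 198, 51, 100, 53, 255])

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, offered_dns(blob), "unexpected:", unexpected_dns(blob))
```

Any resolver reported as unexpected is a reason to log in to the router and inspect its DNS settings and admin password.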