New Android Trojan Hijacks Routers

Normally when hackers want to attack a router, they attempt to compromise the router directly. They try default passwords or a list of passwords, they look for software vulnerabilities, or they look for patches that haven’t been applied.

Another approach is to compromise a device inside the network and use that device to compromise the router from the inside.

So how might you do that?

In this case, you use a Trojan called Switcher. Two fake apps that Kaspersky Labs has found with the malware inside them are a Baidu search engine app and a WiFi information sharing app. Both of these apps were found in China, but now that the idea is out in the wild, anyone could replicate it.

First you have to get a user to download a compromised app. That, often, turns out not to be very hard. Users love apps, even malicious ones. Promise them anything, but get them to install the app.

Once the app is installed, whenever the user connects to a WiFi access point, the app attempts to attack the access point using default WiFi admin passwords. A next generation of this malware could use a more sophisticated attack scenario.

Once the access point is compromised, the malware changes the primary and alternate DNS server addresses in the access point. The DNS server is the part of the Internet that translates web site names into the IP addresses that the Internet actually runs on.

Once the DNS server addresses have been changed, any web site that you go to could be redirected by the attacker’s DNS server to a fake copy of the real web site, stealing login information from the user.
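One way to catch the hijack described above from the client side is to look at the DNS servers the access point hands out over DHCP and compare them to what the network operator actually configured. The script below is an added example, not code from the original post or from the malware; the lease text is constructed, and the allowlist of expected resolvers is a hypothetical one an administrator would maintain.

```python
"""Audit the DNS servers a WiFi access point pushes via DHCP.

Added example, not from the original post.  A compromised access point
hands out attacker-controlled primary and alternate DNS servers; this
flags any pushed resolver that is not on an operator-maintained allowlist.
"""
import ipaddress
import re

# Hypothetical allowlist: the router itself plus the resolvers the
# operator configured on purpose.  Anything else handed out is suspicious.
EXPECTED_RESOLVERS = {"192.168.1.1", "9.9.9.9", "149.112.112.112"}

# Constructed DHCP lease in the style of a Linux dhclient lease file.
# The two domain-name-servers are placeholder (TEST-NET) addresses standing
# in for the rogue primary/alternate DNS servers the Trojan would set.
SAMPLE_LEASE = """
lease {
  interface "wlan0";
  fixed-address 192.168.1.57;
  option routers 192.168.1.1;
  option domain-name-servers 203.0.113.10,203.0.113.11;
}
"""


def parse_dns_servers(lease_text):
    """Return the DNS servers listed in a dhclient-style lease, in order."""
    m = re.search(r"option domain-name-servers\s+([^;]+);", lease_text)
    if not m:
        return []
    return [s.strip() for s in m.group(1).split(",") if s.strip()]


def audit_dns(servers, expected=EXPECTED_RESOLVERS):
    """Classify each pushed resolver as 'ok', 'unexpected' or 'invalid'.

    'unexpected' means the access point is handing out a resolver the
    operator never configured, which is exactly what the DNS hijack
    described in the post looks like from a client.
    """
    findings = []
    for s in servers:
        try:
            ipaddress.ip_address(s)  # validate; raises on garbage
        except ValueError:
            findings.append((s, "invalid"))
            continue
        findings.append((s, "ok" if s in expected else "unexpected"))
    return findings


if __name__ == "__main__":
    for server, verdict in audit_dns(parse_dns_servers(SAMPLE_LEASE)):
        print(f"{server:18} {verdict}")
```

On a real client you would feed it the live lease file (for example /var/lib/dhcp/dhclient.leases on many Linux systems) instead of SAMPLE_LEASE.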

As if that was not bad enough, it gets worse – much worse.

Since it is compromising a public WiFi access point, effectively any user that connects to that access point is compromised, whether they installed the rogue software or not. If it infects a Starbucks WiFi access point and that WiFi serves a thousand users a day, they are all compromised. BINGO!

For now, the malware has only been seen in China, but given the potential upside of this attack, do not expect it to remain limited to China for long.

So what can you do?

First, be very careful about what apps you install. Make sure each one comes from a reputable store. Look at how long it has been out. Apps, like fine wine, age well; new apps are less likely to have been scrutinized. Look at the reviews. Few to no reviews is a red flag.

Second, avoid WiFi unless you know the WiFi. Remember, if anyone who connected to that WiFi access point was infected, that access point is infected – likely forever. Even if you reboot it, the malicious code persists.

In particular, avoid public WiFi: Starbucks, retail stores, hotels. For them, WiFi is a service that lures you in to buy something. They don’t make any money from the WiFi itself, so they are less likely to manage it well. Hotels typically outsource their WiFi management, and that company is typically looking at its own bottom line. The less it has to even look at any given hotel property, the more money it makes. In retail, money talks, and if they can outsource the management of the public WiFi in a hundred or a thousand stores to a provider in a third world country and save money, they may do it. The quality may go down, but that is the tradeoff.

And oh yeah. If you think you are safe just because you are using an iPhone, you are not. Once the WiFi access point is infected, anything that connects to it will be compromised. Phone, tablet, laptop, Windows, MacOS, Linux, iOS, Android or anything else. It makes no difference, because what is infected is basically part of the Internet infrastructure.

So, as I always say: security or convenience, pick one. Public WiFi is convenient. But not secure.

Information for this post came from Dark Reading.
