Switcher is an Android Trojan, disclosed by Kaspersky Lab researchers in December 2016, that uses an infected phone as a foothold to take over the WiFi router it is connected to and redirect the DNS traffic of every device on that network. Most victims are located in China. Users are infected by installing a cloned version of the Baidu Android app, or a fake version of an app used for sharing usernames and passwords for public WiFi networks; neither comes from the official app store.

Once the infected device joins a WiFi network, the Trojan contacts its command-and-control (C2) server, reports that it has been activated on that network and sends the network's identifier (the BSSID). It then attacks the router's web administration interface, trying a built-in list of common admin usernames and passwords. As of December 2016 the attack was only known to work against TP-Link routers. If a login succeeds, Switcher replaces the router's legitimate primary DNS server address with one controlled by the attackers. To avoid drawing attention, it sets a legitimate Google public DNS server as the secondary, so that if the malicious server goes down name resolution fails over silently and the victim notices nothing. Because client devices normally take their DNS settings from the network they join (the router hands them out over DHCP), every device on the network ends up resolving names through the malicious server, which can answer lookups with whatever addresses the attackers choose. Switcher then reports its success to the C2 server. According to Kaspersky Lab, the malware had compromised 1,280 wireless networks in less than four months.

Users can protect themselves by changing the router's default admin password to a strong, unique one, not installing apps from outside official app stores, and running an antivirus app on mobile devices. Since the phone is only the entry point and the router is the real target, it is also worth checking the router's DNS settings directly: a primary DNS server you do not recognise, paired with a well-known public resolver as the secondary, is the fingerprint this attack leaves.
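
The following check illustrates the fingerprint described above. It is an added example written for this write-up; it is not code from Kaspersky Lab and not code from the Switcher malware. It takes the DNS server list a client received from the network, flags the "unknown primary, trusted public secondary" pattern, and compares a few DNS answers obtained through the network's resolver against answers from a reference resolver. The expected-resolver allowlist, the LAN ranges, the sample server lists and all DNS answers are assumptions constructed for the example (documentation address ranges); only Google's public DNS addresses are real.

```python
"""Check the DNS settings a WiFi network hands out for the pattern Switcher
leaves behind: a rogue primary resolver with a legitimate public secondary.

Added example for this write-up. Not Kaspersky Lab's code and not code from
the Switcher malware. Addresses and DNS answers below are constructed for the
example (TEST-NET documentation ranges); Google's public resolvers are real.
"""
import ipaddress
from typing import Dict, List, Sequence

# Resolvers the operator expects clients to receive. An assumption for the
# example: replace with your ISP's or organisation's resolvers. Google's public
# DNS is listed because Switcher abuses it as the decoy secondary.
EXPECTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# Ranges a home or office router itself lives in. A primary DNS in one of these
# is the router forwarding for its clients, which is normal; its upstream
# resolver must then be checked on the router's admin page.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed samples of what a client received over DHCP. On a real system
# read them from `resolvectl status`, `nmcli dev show` or `ipconfig /all`.
SAMPLE_CLEAN = ["192.168.0.1"]
SAMPLE_HIJACKED = ["203.0.113.7", "8.8.8.8"]   # TEST-NET-3 stands in for the rogue server

# Constructed answers: what the network's resolver returned versus what a
# reference resolver (reached over a path the router does not control)
# returned for the same names.
ANSWERS_FROM_NETWORK = {
    "login.example.com": "203.0.113.99",   # rewritten to an attacker-controlled host
    "www.example.org": "198.51.100.10",
}
ANSWERS_FROM_REFERENCE = {
    "login.example.com": "198.51.100.20",
    "www.example.org": "198.51.100.10",
}


def classify_dns(servers: Sequence[str],
                 expected: set = EXPECTED_RESOLVERS) -> Dict[str, object]:
    """Classify the resolver list a network hands out.

    "rogue_primary_trusted_secondary" is the Switcher fingerprint: an unknown
    primary with a well-known public resolver as fallback, so that an outage
    of the rogue server goes unnoticed by the victim.
    """
    if not servers:
        return {"verdict": "no_dns", "primary": None, "secondaries": []}
    primary, secondaries = servers[0], list(servers[1:])
    try:
        addr = ipaddress.ip_address(primary)
    except ValueError:
        return {"verdict": "invalid", "primary": primary, "secondaries": secondaries}
    if any(addr in net for net in LAN_RANGES):
        verdict = "router_forwarder"
    elif primary in expected:
        verdict = "ok"
    elif any(s in expected for s in secondaries):
        verdict = "rogue_primary_trusted_secondary"
    else:
        verdict = "rogue_primary"
    return {"verdict": verdict, "primary": primary, "secondaries": secondaries}


def find_hijacked_names(network_answers: Dict[str, str],
                        reference_answers: Dict[str, str]) -> List[str]:
    """Names whose answer from the network's resolver differs from the
    reference resolver's answer. A difference is an indicator, not proof:
    CDN-hosted names legitimately vary per resolver, so probe names whose
    addresses you know to be stable."""
    return sorted(name for name, ip in network_answers.items()
                  if name in reference_answers and reference_answers[name] != ip)


def audit(servers: Sequence[str], network_answers: Dict[str, str],
          reference_answers: Dict[str, str]) -> Dict[str, object]:
    """Combine both checks into one report with an overall verdict."""
    report = classify_dns(servers)
    report["hijacked_names"] = find_hijacked_names(network_answers, reference_answers)
    report["suspicious"] = (str(report["verdict"]).startswith("rogue")
                            or bool(report["hijacked_names"]))
    return report


if __name__ == "__main__":
    for label, servers in (("clean", SAMPLE_CLEAN), ("hijacked", SAMPLE_HIJACKED)):
        print(label, audit(servers, ANSWERS_FROM_NETWORK, ANSWERS_FROM_REFERENCE))
```

The resolution comparison only means something if the reference answers are fetched over a path the compromised router cannot tamper with (for example the phone's mobile data connection, or an encrypted resolver with a pinned address); if the reference lookup itself goes through the hijacked router, both sides will agree and the check passes falsely. The allowlist also needs tuning per network: an ISP resolver that is not listed will show up as "rogue_primary" until it is added.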

Technical Details

  • Kaspersky Lab provides analysis on the Switcher mobile malware, available here.

One of the Switcher variants. Image source: Kaspersky Lab