Report: New Android malware hijacks DNS

Switcher, a new malicious software package for Android phones discovered by security researchers, attacks the router running any Wi-Fi network the phone connects to, attempting to gain control over which Domain Name Server it uses.

By replacing the router’s DNS with a compromised one controlled by the attacker — known as DNS hijacking — Switcher enables all kinds of mischief directed against the network, or rather against any device that uses it, according to a blog post from Kaspersky threat researcher Nikita Buchka.

Buchka calls the malware “quite unique. Instead of attacking [the Android] user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network.”

As soon as the phone is connected to a Wi-Fi network, the malware, described by Buchka as a trojan, “performs a brute-force password guessing attack on the router’s admin web interface” using a pre-programed list of 25 default logins and passwords.

“If the attack succeeds, the malware changes the addresses of the DNS servers in the router’s settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to the servers of the cybercriminals.”

DNS is the system that looks up human-readable web addresses, like google.com and translates them into the numeric addresses that allow computers to reach the right place on the internet. Normally it works like this:

How the DNS system works (source: Kaspersky Labs)

But when Switcher swaps out the code in the router which tells it where to look up DNS, redirecting the requests to a rogue server controlled by the attackers, the process works like this:

How DNS hijacking works (source: Kaspersky Labs)

The victimized router will be fooled into communicating with a completely different internet address — and will force any devices connected to the network to do the same.

This could be a fake version of the destination website, saving all your password/login inputs and sending them to the attackers, “or it could just be a random website with a bunch of pop-up ads or malware. Or anything else,” writes Buchka. “The attackers gain almost full control over … all web traffic.”

DNS hijacking is not new, but its employment in this fashion is novel.

The hackers were careless enough to leave their infection counter on an open area of their command and control server, according to Buchka, showing that they had infected 1,280 Wi-Fi networks as of Dec. 28.

“The main danger of such tampering with routers’ setting is that the new settings will survive even a reboot of the router, and it is very difficult to find out that the DNS has been hijacked,” write Buchka.

The researchers say they have found two apps hosting the Switcher malware — one disguises itself as a mobile client for the Chinese search engine Baidu. The second is a well-made fake version of the popular WiFiMaster app for sharing information about Wi-Fi networks between users.