Since the inception of the internet, the domain name system (DNS) has remained the bane of cyber safety experts everywhere. Its utilitarian design, though guaranteeing high functionality, compromises heavily on defenses. DNS security is thus an area of networking that users should pay more attention to. Incidentally, or rather ironically, it remains the area that receives the least attention. Taking advantage of this, hackers frequently target the DNS in order to harm devices or steal data.
What is Switcher Trojan?
The Android Trojan, more popularly known as the Switcher Trojan, is malware designed to hack into users’ WiFi and take control of their network via the DNS. Detected by researchers at Kaspersky Lab, the malware has two versions: one is a copy of the mobile version of the Chinese search engine Baidu, and the other is a fraudulent version of an app used for locating and sharing WiFi information among users. Together, these two have attacked over 1,280 wireless networks, most of which were based in China.
How does it work?
Once a victim has downloaded either of the two malicious apps, the trojan sends a report to a command-and-control (C&C) server along with a network ID. Unlike most malware, Android Switcher doesn’t steal data from the user it has infiltrated. Instead, it works on corrupting the entire network, thereby making the user an unwitting accomplice to the hack.
The trojan relies on a brute-force method to guess the password and thus log in to the web UI of the router. It tries various credentials until a match is found. For now, this method works only on TP-Link routers. If the attack is successful, the malware then swaps the router’s ISP-provided DNS with its own rogue version. This means that lookups for the domain names users enter are now answered by the attacker’s server rather than the ISP’s. As a precautionary measure, it also configures a legitimate Google DNS (126.96.36.199) as a secondary DNS in case the malicious server crashes. Thus, the user doesn’t detect anything suspicious.
What does this mean for you?
To access any website, we usually enter its URL into the search bar. A website, however, is not actually linked to this name. It is linked to an IP address provided by the IANA upon request. DNS, or the Domain Name System, links the entered website name (or domain name) with its logical address and retrieves the information to make the webpage available to us.
Once the DNS is compromised, however, attackers can use rogue domains to lure unsuspecting users to any webpage of their choice. You may enter google.com, and you may see a page that looks exactly like google.com, but the data you enter will not go to Google; it will go to a separate database maintained by the creators of the malware. They can now retrieve, analyze and use any information you enter. This is DNS hijacking.
How to protect yourself
Brute force is not a sophisticated method of hacking. It relies primarily on the user’s lack of knowledge and the resulting vulnerability of a router. Most users never change their default passwords, and hence it becomes very easy to crack them. A strong password consisting of letters, digits, and special characters may take years to guess, which puts it out of reach of this kind of attack.
Another good rule of thumb is to never download unsafe apps. APKs available from third-party sites are often malicious. When in doubt, stick to the official Play Store.
And, finally, always invest in good antivirus software. Malware like this one can easily be detected by robust antivirus systems. Update your virus definitions periodically and you should be safe from most software trying to harm your device and resources.
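One further check a defender can run, given here as an added example that is not part of the original article: audit the DNS resolvers a device is using against a list of resolvers you expect, and flag the pattern described above, an unknown primary server paired with a legitimate secondary. It assumes the resolvers appear in resolv.conf-style text on a client; the function names, verdict strings and all addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress


def parse_nameservers(resolv_text):
    """Return nameserver IPs in the order listed in resolv.conf-style text."""
    servers = []
    for line in resolv_text.splitlines():
        parts = line.strip().split()
        # Comment lines start with '#' or ';' and never match "nameserver".
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # ignore malformed addresses
    return servers


def audit_dns(resolv_text, trusted):
    """Compare configured resolvers with an allowlist; return (verdict, unknown)."""
    trusted = {ipaddress.ip_address(t) for t in trusted}
    servers = parse_nameservers(resolv_text)
    unknown = [str(s) for s in servers if s not in trusted]
    if not servers:
        verdict = "no-resolvers"
    elif not unknown:
        verdict = "ok"
    elif servers[0] not in trusted and any(s in trusted for s in servers[1:]):
        # Unknown primary, known-good fallback: the setup the article describes.
        verdict = "rogue-primary-with-trusted-fallback"
    else:
        verdict = "untrusted-resolver"
    return verdict, unknown


# Constructed sample: allowlist of resolvers you expect (e.g. your ISP's).
TRUSTED = ["192.0.2.53", "198.51.100.53"]
# Constructed sample: what a client behind a tampered router might show.
SAMPLE_TAMPERED = """# constructed sample
nameserver 203.0.113.66
nameserver 198.51.100.53
"""
SAMPLE_CLEAN = "nameserver 192.0.2.53\nnameserver 198.51.100.53\n"

if __name__ == "__main__":
    for name, text in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        print(name, audit_dns(text, TRUSTED))
```

Because the fallback server is legitimate, browsing keeps working, so comparing the primary resolver against a known-good list is what exposes the change.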