SECURITY OUTFIT Kaspersky has sounded the warning klaxon over a new form of Android malware that uses compromised devices to attack and take over WiFi routers, dubbed the Switcher Trojan.
The Trojan is distributed via fake versions of popular apps but, cunningly, does not attack hapless Android users directly. Instead, it uses them as tools to compromise insecure WiFi routers, which in turn can be used to re-direct traffic for fun and profit.
Once infected via the fake apps, Switcher tries to brute-force access to the WiFi network's router and then changes its DNS settings to redirect traffic from devices connected to the network to a rogue DNS server.
This server fools the devices into communicating with websites controlled by the attackers, leaving users vulnerable to phishing, malware, adware attacks and lots of other unpleasantness. A successful attack can be hard to detect, warns Kaspersky, and even harder to eradicate.
But the good news (from a purely Euro-centric perspective) is that while the attackers claim to have successfully infiltrated 1,280 wireless networks so far, most of those are in China.
The Trojan is distributed as a fake app for the popular Chinese search engine Baidu, or as a fake version of an app popular in China for sharing information about Wi-Fi networks. The server that hosts a website built by the malware authors to promote and distribute one of the apps also doubles as the malware authors' command-and-control (C&C) server.
Kaspersky's estimate of the number of infections ought to be pretty accurate (rather than the usual finger-in-the-air guestimate) because the authors handily provide infection statistics on an inadvertently open part of this website.
"The Switcher Trojan marks a dangerous new trend in attacks on connected devices and networks," warned Nikita Buchka, mobile security expert, Kaspersky. He continued: "It does not attack users directly.
Instead, it turns them into unwilling accomplices: physically moving sources of infection. The Trojan targets the entire network, exposing all its users, whether individuals or businesses, to a wide range of attacks - from phishing to secondary infection.
"A successful attack can be hard to detect and even harder to shift: the new settings can survive a router reboot, and even if the rogue DNS is disabled, a secondary DNS server is on hand to carry on."
The following handy graphic illustrates how the DNS infection works:
A check of a router's DNS settings is a quick and easy way to check for infection. If it's pointing to any one of the following IP addresses, then you have a problem, warns Kaspersky:
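As an added illustration of that check (example code written here, not from the article or from Kaspersky), the script below audits a router's configured DNS servers. The `dns1=`/`dns2=` key-value dump it parses is a constructed stand-in for whatever a given router's admin page or config export exposes, and the rogue addresses in `ROGUE_DNS_IOCS` are RFC 5737 documentation placeholders, because the article's actual list of rogue IPs is not reproduced on this page. It checks the secondary server as well as the primary, since the article notes the secondary rogue server takes over if the first is disabled.

```python
"""Audit a router's DNS settings against an allowlist and a rogue-server list.

Added example; not code from the article or from Kaspersky. The config
format and the rogue IP list are placeholders, see comments below.
"""
import ipaddress
from dataclasses import dataclass

# PLACEHOLDER: the article's list of rogue DNS server IPs is not on this page.
# RFC 5737 documentation addresses stand in for them; replace with real IoCs.
ROGUE_DNS_IOCS = {"192.0.2.10", "192.0.2.11"}


@dataclass(frozen=True)
class DnsFinding:
    role: str      # "primary" or "secondary"
    server: str    # the configured address, as found in the router dump
    verdict: str   # "ok", "rogue", "unexpected" or "invalid"


def parse_router_dns(config_text):
    """Parse a constructed key=value router dump; return (dns1, dns2).

    Keys are matched case-insensitively; a missing key yields None.
    """
    values = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()
    return values.get("dns1"), values.get("dns2")


def check_dns_server(role, server, expected_resolvers):
    """Classify one configured resolver address."""
    if not server:
        # No resolver at all is not an infection sign, but it is not healthy either.
        return DnsFinding(role, "", "invalid")
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return DnsFinding(role, server, "invalid")
    normalized = str(addr)  # canonical form, so IPv6 spellings compare equal
    if normalized in ROGUE_DNS_IOCS:
        return DnsFinding(role, server, "rogue")
    if normalized in expected_resolvers:
        return DnsFinding(role, server, "ok")
    # Not a known-bad address, but nobody on this network configured it either:
    # worth a look, since a rewritten resolver is exactly what this attack leaves behind.
    return DnsFinding(role, server, "unexpected")


def audit_router_dns(config_text, expected_resolvers):
    """Return findings for the primary and (if set) secondary DNS servers."""
    primary, secondary = parse_router_dns(config_text)
    findings = [check_dns_server("primary", primary, expected_resolvers)]
    if secondary:
        findings.append(check_dns_server("secondary", secondary, expected_resolvers))
    return findings


def is_compromised(findings):
    """True if any configured resolver matches the rogue list."""
    return any(f.verdict == "rogue" for f in findings)


# Constructed samples (not real router dumps). 203.0.113.0/24 plays the ISP's resolvers.
EXPECTED_RESOLVERS = {"203.0.113.53", "203.0.113.54"}
SAMPLE_CLEAN = "# constructed sample\nwan_mode=dhcp\ndns1=203.0.113.53\ndns2=203.0.113.54\n"
SAMPLE_INFECTED = "# constructed sample: both resolvers rewritten\nwan_mode=dhcp\nDNS1=192.0.2.10\nDNS2=192.0.2.11\n"

if __name__ == "__main__":
    for label, dump in (("clean", SAMPLE_CLEAN), ("infected", SAMPLE_INFECTED)):
        findings = audit_router_dns(dump, EXPECTED_RESOLVERS)
        print(label, "compromised" if is_compromised(findings) else "clean")
        for f in findings:
            print(f"  {f.role}: {f.server or '<none>'} -> {f.verdict}")
```

Run against a real router, the `expected_resolvers` set should hold whatever the network owner actually configured (the ISP's resolvers, or the router's own LAN address if it forwards DNS). An `unexpected` verdict is not proof of infection on its own, but since the article's attack works precisely by rewriting these two fields, any resolver nobody on the network recognises deserves the same follow-up as a known-rogue hit.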