ThreatSTOP Blog

Switcher Android Malware - The Road From Android App to Hijacking DNS Server

Written by ThreatSTOP Security Team | January 12, 2017

One of the most recent campaigns highlighting the importance of router security is Mirai (the botnet that launched large-scale attacks using infected IoT devices). Even before this, reports emphasized the importance and vulnerability of these devices. For example, a report by malware researcher Kafeine revealed the use of an exploit kit aimed at routers. In that campaign, Google Chrome users were redirected to a malicious server that loaded code designed to determine router models, while changing the DNS servers configured on the router.

Another recently reported attack, targeted at routers and initially reported by Kaspersky, resulted in hijacking the DNS servers configured on the infected router. This campaign differs from the one Kafeine described in its initial step: the user downloads a malicious app, containing the malware, to an Android device. These apps are imitations of well-known Chinese services, like Baidu, the Chinese search engine. After the malware is downloaded, it runs a brute-force password-guessing attack on the router’s admin web interface. If it succeeds, it changes the DNS servers configured in the exploited router.
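The chain described above (a burst of failed admin logins from a LAN client, a successful login, then a DNS change) can be detected from router logs. The following is an added example, not code from ThreatSTOP or Kaspersky; the log format, field names, function name and the trusted resolver list are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical router log format (private/documentation addresses).
SAMPLE_LOG = "\n".join(
    [f"2017-01-10T09:14:0{i} httpd: login failed user=admin src=192.168.1.23" for i in range(1, 7)]
    + ["2017-01-10T09:14:07 httpd: login ok user=admin src=192.168.1.23",
       "2017-01-10T09:14:20 httpd: config change src=192.168.1.23 key=dns1 value=203.0.113.53",
       "2017-01-10T09:14:21 httpd: config change src=192.168.1.23 key=dns2 value=203.0.113.54",
       "2017-01-10T11:00:00 httpd: login ok user=admin src=192.168.1.10",
       "2017-01-10T11:00:30 httpd: config change src=192.168.1.10 key=dns1 value=192.0.2.1"]
)
TRUSTED_DNS = {"192.0.2.1", "192.0.2.2"}  # assumed resolvers the operator expects

LINE = re.compile(
    r"^(?P<ts>\S+) httpd: (?P<event>login failed|login ok|config change)"
    r"(?: user=\S+)? src=(?P<src>\S+)(?: key=(?P<key>\S+) value=(?P<value>\S+))?$"
)

def find_dns_hijacks(log_text, trusted_dns, min_failures=5, window=timedelta(minutes=10)):
    """Flag DNS settings changed to untrusted resolvers, noting whether the
    change followed a burst of failed admin logins from the same LAN client."""
    failures = defaultdict(list)   # src -> timestamps of failed logins
    cracked = {}                   # src -> time of a login that followed a failure burst
    alerts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue               # ignore lines in other formats
        ts, src, event = datetime.fromisoformat(m["ts"]), m["src"], m["event"]
        if event == "login failed":
            failures[src].append(ts)
        elif event == "login ok":
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= min_failures:
                cracked[src] = ts
        elif m["key"] and m["key"].startswith("dns") and m["value"] not in trusted_dns:
            alerts.append({
                "src": src, "time": m["ts"], "setting": m["key"], "rogue_dns": m["value"],
                "after_bruteforce": src in cracked and ts - cracked[src] <= window,
            })
    return alerts

if __name__ == "__main__":
    for alert in find_dns_hijacks(SAMPLE_LOG, TRUSTED_DNS):
        print(alert)
```

An untrusted DNS change is reported even without a preceding login burst, since a router left on a default password would be entered on the first guess.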

We recommend changing your router passwords if they are similar to the passwords published by Kaspersky.

Both ThreatSTOP IP Firewall Service and DNS Firewall Service customers are protected from Switcher Android Malware if they enable the TS Critical targets in their policies.

 

ThreatSTOP is proud to announce that our DNS Firewall Service has won the 2016 IoT Breakthrough Award for IoT Enterprise Security Innovation of the Year. ThreatSTOP’s IP and DNS Firewall Services deliver scalable security layers and actionable threat intelligence to existing devices, DNS servers and firewalls. Read more about ThreatSTOP’s services and the IoT award here.