How ‘Switcher’ Malware Moves an Attack from Your Phone to Your Router

Why attack one device when you can get inside an entire network and manipulate every device connected to it? That’s ‘Switcher’ malware’s motto – the newest Android Trojan threat. It uses unsuspecting Android devices as tools to redirect all traffic from Wi-Fi connected devices on a given network to one owned by a cybercriminal, putting those gadgets directly into the hands of attackers.

The malware variant begins its attack by first infecting an unsuspecting phone by masking itself as a mobile app. Two masks have been seen in use so far: one in which the malware disguises itself as an app for Baidu (the search engine), and another where it appears within an app that locates and shares Wi-Fi information.  Once in, it then performs brute-force attacks on the router it’s connected to in an attempt to crack its password. If it gets inside successfully, the malware changes the addresses of the DNS server (an Internet service that translates domain names into IP addresses) in the router’s settings. This then reroutes all DNS activity from devices in the attacked Wi-Fi network to the servers of the cybercriminals — such an attack is also known as DNS hijacking.

If a cybercriminal can hijack a DNS server, all devices connected to it (think the mobile phone and laptop connected to your home Wi-Fi network) will unknowingly interact with the malicious server, making them openly susceptible to attack. Meaning, any device connecting to that network at any time could be compromised, leaving mounds of personal data vulnerable.

The good news? Only 1,280 Wi-Fi networks have fallen victim to the attack. The bad news however, is that even if the attack is detected, it can be difficult to remove the infection, thanks to backup servers cybercriminals may have in place.

So how exactly is this attack possible? Two words: default credentials. The ‘Switcher’ Trojan is said to succeed in its initial infiltration by using a long, predefined list of password and login combinations—a task which is made far too easy if the router still uses easily hackable, default credentials.

So, what can you do to stay protected against router-based attacks like these? First off, it’s crucial to change default router passwords so your network—and all devices connected to it—aren’t susceptible to a breach. Remember: if hackers can get into a router, it’s like giving them the keys to your entire, connected kingdom of devices. Here are a few more tips for fighting a DNS hijacking attack, to keep in your back pocket:

  • Be careful of what devices connect to your network. Just because the ‘Switcher’ malware isn’t on your phone, doesn’t mean it couldn’t be on a visitor’s Android phone who wishes to connect to your network. Be careful who you give your Wi-Fi password out to you, and make sure you know what devices are connecting to your network. Change your network password often, and make sure it’s long and complex.
  • Lock down your mobile. Since this attack begins by infiltrating a phone, it’s key to ensure your mobile device is protected from all angles. Look to security solutions that lock down your mobile from the inside out, like McAfee Mobile Security, which detects and blocks malware such as the ‘Switcher’ strain.



Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.


More from Mobile Security

Back to top