New Android Malware That can HiJack DNS and Infect WiFi Networks


Android users Always targeted by exploits and malicious applications. And now there’s another Android-Based Trojan found by Kaspersky Lab analysts known as Switcher Trojan on account of its capacity to firstly contaminate the gadget’s Wi-Fi switches and afterward switch clients of that tainted system to different tainted destinations. This implies, the Trojan doesn’t straightforwardly focuses on the clients however goes about as a facilitator of assaults that in the long run change over casualties into its co-schemer.


According to the Kaspersky Lab specialists, there are two versions of this malware that are currently infecting android users. Both the versions are being used to hack about 1,280 remote systems. The company’s portable security expert Nikita Buchka states that the vast majority of these contaminated systems are situated in China. One of the two versions professes to be a versatile customer for Baidu, a prevalent Chinese web index, while alternate shows up as a variant of an application that finds and shares WiFi login data.

New Android Malware That can HiJack DNS and Infect WiFi Networks

New Android Malware That can HiJack DNS and Infect WiFi Networks


When the victim downloads any of these malware versions, then after downloading the it immediately start executing it’s malicious code and start performing task such as brute-forcing to hack router password. Brute force perform in such a way that it utilize there own custom wordlist which contains 2 dozen username and password combinations which let it access the web interface of your router.

At the point when this is done the Switcher Trojan swaps out the DNS servers’ locations of the switch for a fake server that is being controlled by the attacker(s). The IP addresses utilized by the malware are, and There is an additional DNS too that proves to be useful for the aggressors when the fake one doesn’t perform or is recognised.

Afterward, all the requests from the devices that are made on the infected network are re-routed to the attackers’ servers. This action makes the victims vulnerable to all sorts of attacks including phishing, malware, redirection and adware.

Kaspersky Lab Researchers noted that:

“The ability of the Switcher Trojan to hijack [DNS] gives the attackers almost complete control over network activity which uses the name resolving system, such as internet traffic. The approach works because wireless routers generally reconfigure the DNS settings of all devices on the network to their own – thereby forcing everyone to use the same rogue DNS.”

These attackers have so far infected 1,280 WiFi-Networks within few week’s and they didn’t make the sections of it’s command and control website too perfect but they did leave a public viewable table that contains complete information and stats about internal infection.

Security Analysis’s assert that the working system of Switcher malware offers a wonderful similarity with DNSChanger malware that is currently being utilized as an adventure pack. Another security firm Proofpoint as of late watched that there was a crusade that was focusing on remote switches and changing DNS sections for taking movement. In any case, in that crusade, the powerless switches were those made by D-Link, Pirelli, Comtrend and Netgear. Then again, Buchka’s investigation uncovers that Switcher Trojan deals with TP-LINK Wi-Fi switches’ web interfaces as it were.

Buchka states that the malware “focuses on the whole system, uncovering every one of its clients, whether people or organizations, to an extensive variety of assaults – from phishing to optional disease. A fruitful assault can be difficult to distinguish and considerably harder to move: the new settings can survive a switch reboot, and regardless of the possibility that the maverick DNS is handicapped, the optional DNS server is close by to go ahead.”

This article is for educational purpose only, is not responsible for negative use of this tutorial.