'Switcher' Android Trojan hits routers, hijacks DNS

In a blog post on December 28, Kaspersky Lab researchers reported their findings on a new Android Trojan virus. Dubbed "Switcher," the Trojan's purpose is to infect WiFi routers through one infected device. The basic idea is that once Switcher is able to access the WiFi network through a victim's Android, the attacker can then reroute other users on the network to malicious sites.

How Switcher is able to carry out the attack is through brute force attacks against the admin interface of the router. Once the brute force is successful, the DNS servers are replaced with servers (one active and one back-up) that belong to the hacker. This allows every search action to be sent to the attackers' machine, which can allow a vast number of further infections.

Kaspersky Lab researchers explained that "the ability of the Switcher Trojan to hijack [DNS] gives the attackers almost complete control over network activity which uses the name-resolving system ... the approach works because wireless routers generally reconfigure the DNS settings of all devices on the network to their own – thereby forcing everyone to use the same rogue DNS.”

Switcher attacks are primarily found in China and currently infect devices through two vectors. The first is a fake version of Baidu, a popular Chinese search engine. The second is an app utilized for sharing WiFi login data (which just sounds like a bad idea to begin with). By the end of last year, there were 1,280 reported infected networks. That number is likely to climb.

Although the attacks from Switcher have primarily been in China, the proven efficacy of the Trojan almost guarantees its spread to other nations over time. To protect against the virus, admins and users should continuously monitor their server to protect against the following rogue DNS servers:,, and

Photo credit: Flickr / webhamster

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Published by
Derek Kortepeter

Recent Posts

Facebook creating deep fakes — and for genuinely good reasons

Deep fakes are a catastrophe waiting to happen. Facebook’s attempt to create a tool that differentiates between real and fake…

1 day ago

Microsoft Intune gets a new streamlined user experience

Microsoft Intune is getting a bunch of new updates that will streamline the administration experience for users of the popular…

1 day ago

SD-WAN: Is this going to be your network of the future?

As businesses evolve into a SaaS/IaaS model for accessing applications, new network technology is crucial. SD-WAN is just such a…

1 day ago

Monitoring Exchange and the rest of your network to avert disasters

What you don’t know about Exchange and your network can come back to bite you. Monitoring Exchange is one way…

2 days ago

Quick tip: Removing warning messages from Azure cmdlets

Warnings are nice, except when they are annoying and unnecessary. Here’s a tip to show you how to remove warning…

2 days ago

Is the Group Policy Central Store still relevant in the age of Windows 10?

Having a Group Policy Central Store in Active Directory made life easier for administrators. But does it still work in…

2 days ago