Effective PR

Kaspersky warns that your mobile is at risk: an Android Trojan on it hacks Wi-Fi routers.

Editorial Staff

This is a bit weird: criminals have created an Android virus that resides on users' phones, hacks into Wi-Fi routers and then does devious and harmful things.

Kaspersky says this is what happens: once the hack has been activated, stage two of the exploit lets you reach the page you asked for but (in overly simple terms) overwrites part of it with a page of the criminals' own creation.

To be a little more (only a little more) technical, the connection is hijacked and then DNS requests are switched.

The trick here is in the way our normal-looking Web page addresses are an add-on to the real IP addresses the Internet works with. This add-on is called DNS — the Domain Name System. Every time you enter a website address in the browser’s address bar, your computer sends a request to a designated DNS server, which returns the address of the domain you need.

The success of the venture depends on having a method that makes a victim use a malicious DNS server, which will direct them to a fake website, instead of a legitimate one. Here is how the creators of the Switcher Trojan solved this problem.

The Switcher developers created a couple of Android apps, one of which mimics Baidu (a Chinese Web search app, analogous to Google), and another that poses as a public Wi-Fi password search app, which helps users to share passwords to public hotspots; this type of service is also quite popular in China.

Once the malicious app infiltrates the target smartphone connected to a Wi-Fi network, it communicates with a command-and-control (C&C) server and reports that the Trojan has been activated in a particular network. It also provides a network ID.

Then Switcher starts hacking the Wi-Fi router. It tests various admin credentials to log in to the settings interface. Judging by the way this part of the Trojan works, right now the method is functional only if TP-Link routers are used.

If the Trojan manages to identify the right credentials, it goes to the router’s settings page and changes the legitimate default DNS server address to a malicious one. The malware also sets a legitimate Google DNS server as the secondary DNS, so that the victim doesn’t notice anything if the malicious DNS server is down.
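The rogue-primary plus trusted-looking-secondary layout described above is something a defender can check for directly. The following is an added example, not Kaspersky's or the Trojan's code: it parses resolver lines in resolv.conf style (the same addresses can be read off a router's status page or `ipconfig /all`), and flags a primary resolver that is neither on the LAN, nor on an operator allow-list, nor a well-known public service. The `PUBLIC_RESOLVERS` set and all sample addresses are assumptions constructed for the example.

```python
import ipaddress

# Assumption: well-known public resolvers of the kind an attacker sets as the
# "legitimate" secondary so victims never notice when the rogue primary is down.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_nameservers(text):
    """Extract resolver addresses from 'nameserver <ip>' lines, in order."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify(addr, trusted):
    """Label a resolver: trusted (operator allow-list), lan, public or unknown."""
    if addr in trusted:
        return "trusted"
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "lan"
    return "public" if addr in PUBLIC_RESOLVERS else "unknown"


def assess(servers, trusted=frozenset()):
    """Return ('ok' | 'suspicious', reason) for an ordered resolver list."""
    if not servers:
        return "suspicious", "no resolver configured"
    labels = [classify(s, trusted) for s in servers]
    if labels[0] == "unknown":
        why = "primary %s is unrecognised" % servers[0]
        if "public" in labels[1:]:
            # The tell-tale Switcher layout: rogue primary, trusted-looking fallback.
            why += "; a well-known public resolver is the fallback"
        return "suspicious", why
    if "unknown" in labels:
        bad = servers[labels.index("unknown")]
        return "suspicious", "secondary %s is unrecognised" % bad
    return "ok", "all resolvers are LAN, trusted or well-known public"


# Constructed samples: 203.0.113.0/24 is a documentation range standing in
# for an attacker-controlled resolver; 192.168.0.1 plays the home router.
HIJACKED = "nameserver 203.0.113.7\nnameserver 8.8.8.8\n"
CLEAN = "nameserver 192.168.0.1\nnameserver 8.8.8.8\n"
```

Run `assess(parse_nameservers(HIJACKED))` to see the hijack pattern flagged, and pass your own resolver addresses in `trusted` to suppress alerts for a corporate or ISP server that is neither on the LAN nor in the public list.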

So, that's all rather nasty stuff and it's transparent in use.

Hints to help prevent the attack are at https://blog.kaspersky.com/swi....

But, of course, the snag here is that, if you are working in a public wifi area where the wifi ADMIN name and password are easily guessed, then the risk is omnipresent. There is a free version of Kaspersky for Android that will sweep your phone for this and other threats at that link.