New Android-infecting malware brew hijacks devices. Why, you ask? Your router

Hackers have brewed up a strain of Android malware that uses compromised smartphones as conduits to attack routers. The Switcher trojan does not attack Android device users directly. Instead, the malware uses compromised smartphones and tablets as tools to attack any wireless networks they connect to. Switcher brute-forces …

  1. Paul Woodhouse

    Deja-Vu????

  2. Anonymous Coward

    Interesting choice of targets...

    ...and by that I mean the Chinese, not the routers.

    It makes some sense too. From the point of view of mobile phone technology and use China represents a single large culture, so the malware authors only have to do one thing well and concentrate on just fooling that one large culture to get a lot of hits.

    It remains to be seen whether it'll be deployed further afield and whether it will be as effective.

    1. Trigonoceps occipitalis

      Re: Interesting choice of targets...

      Can 1.4 Billion people spread over 9.6 million square kilometers really be said to be a "single large culture"? Granted a very large majority are Han. Even so, in my ignorance of the real China, it is too many over too large an area.

      Any Sinorati care to enlighten me?

      1. Dave 126 Silver badge

        Re: Interesting choice of targets...

        >Can 1.4 Billion people spread over 9.6 million square kilometers really be said to be a "single large culture"?

        Fair point. I guess one wanting to support the argument would suggest that aspects of internet use (government regulation, equipment used, popular sites with users) are peculiar to China.

      2. Anonymous Coward

        Re: Interesting choice of targets...

        I would agree that from a sociological point there are many sub-cultures within China but that's why I qualified it by saying "From the point of view of mobile phone technology and use..."

        Although there may be many different sociological sub-cultures within China, the phones being used across those sub-cultures won't differ greatly and, being China, will mostly be accessing local (Chinese) services which, even if they allow for different sub-languages, will operate in the same way for all of those sub-cultures: this seems likely to result in the different sub-cultures using their phones similarly.

  3. a_yank_lurker

    Infection Vector

    A question about how one gets infected? Presumably, if one is not sideloading apps one's risk is fairly small. More a question about how likely one is to be infected if one has only a handful of apps installed from reasonably reputable sources from the app store.

    1. Anonymous Coward

      Re: Infection Vector

      How about getting a new phone with a generic loader/backdoor installed at the factory ?

      1. P. Lee
        Coat

        Re: Infection Vector

        >How about getting a new phone with a generic loader/backdoor installed at the factory ?

        You mean like a hard-coded 8.8.8.8?

        They might be redirecting you to malicious sites or merely stealing your browsing history.

        Mine's the one with "Disillusioned with the Internet" written on the back.

    2. Midnight

      Re: Infection Vector

      The linked writeup goes into some depth about this, but here's an overly brief summary which probably misses several important details:

      1) End user downloads a copy of a popular search app or free wifi app onto their phone and installs it, presumably by sideloading.

      2) The trojan app then runs, checks to see if it has connected to a new wifi network and then phones home for instructions.

      3) The app then uses a range of super-secret military grade encrypted ciphers such as "admin/admin" and "admin/123456" to log in as an administrator to the wifi access point it just connected to.

      4) Once it has admin access to the AP the trojan will then reconfigure it to use a rogue DNS server for itself and for all DHCP clients which connect to it from then on. According to the article it seems to only understand the web interface for common TP-LINK routers.

      5) The trojan-infected phone can then be switched off, wiped clean, fed into a wood chipper and then have its ashes launched into the sun, but the damage to the WIFI AP will still remain.

      So the initial infection is done by sideloading an app, but once the AP has been owned every user of that WiFi network who uses the provided DNS addresses will be affected.
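A defender's check for the symptom described in step 4 above (clients being handed a rogue DNS server via DHCP), added here as an example that is not from the article or from any commenter: it parses constructed dhclient.leases text and flags any resolver outside an assumed allowlist of expected DNS servers.

```python
import re

# Resolvers this LAN's clients are expected to receive (constructed sample
# policy: the router itself plus two public resolvers).
EXPECTED_DNS = {"192.168.0.1", "8.8.8.8", "1.1.1.1"}

# Constructed sample in dhclient.leases syntax; the third lease shows the
# symptom of a reconfigured AP: an unexpected resolver handed out in option 6.
SAMPLE_LEASES = """
lease {
  fixed-address 192.168.0.23;
  option routers 192.168.0.1;
  option domain-name-servers 192.168.0.1;
}
lease {
  fixed-address 192.168.0.31;
  option routers 192.168.0.1;
  option domain-name-servers 8.8.8.8,1.1.1.1;
}
lease {
  fixed-address 192.168.0.44;
  option routers 192.168.0.1;
  option domain-name-servers 203.0.113.9,8.8.8.8;
}
"""

LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)
ADDR_RE = re.compile(r"fixed-address\s+([\d.]+);")
DNS_RE = re.compile(r"option domain-name-servers\s+([\d.,\s]+);")


def parse_leases(text):
    """Return (client_ip, [dns servers]) for each lease block in dhclient.leases text."""
    leases = []
    for block in LEASE_RE.findall(text):
        addr = ADDR_RE.search(block)
        dns = DNS_RE.search(block)
        if not addr or not dns:
            continue  # lease without a DNS option: nothing to audit
        servers = [s.strip() for s in dns.group(1).split(",") if s.strip()]
        leases.append((addr.group(1), servers))
    return leases


def audit(text, expected=EXPECTED_DNS):
    """Return {client_ip: [rogue servers]} for leases carrying a resolver outside the allowlist."""
    return {client: [s for s in servers if s not in expected]
            for client, servers in parse_leases(text)
            if any(s not in expected for s in servers)}
```

Running `audit()` over a real dhclient.leases file after joining an untrusted network is a quick way to notice that the AP itself, not the phone, has been repointed.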

      1. bombastic bob Silver badge
        Devil

        Re: Infection Vector

        it sounds to me that if you were to disable wifi configuration of the router (i.e. requiring an ethernet connection, rather than a wifi connection, to admin the thing) it would disable the vector...

        just a thought. probably a good idea to configure that [no wifi-connected admin'ing], when possible.

        1. Michael Thibault
          Facepalm

          Re: Infection Vector

          >disable wifi configuration of the router

          Small problem: the mouth-breathers doing the side-loading of the Shiny Golden Software (tm) are not only very unlikely to inconvenience themselves in this way, they likely aren't even aware of the possibility of doing so. Another small problem: these Android thingies appear to be mobile, the implication being that you'd have to disable wifi config on every router any such infected peripatetic Android thingy might come across, before it does so. Extremely unlikely.

          The router tech is neither the problem nor the solution; the meat seems to have only the expected intelligence for what it is.

        2. Sven Coenye
          Flame

          Re: Infection Vector

          Now go tell that to Comcast. Every time they see fit to remotely reset the router/modem, the login goes back to admin/password and HTTP over WiFi is reenabled.

          1. Anonymous Coward

            Comcast

            Sorry, but that is 100% your fault for using a Comcast provided device for your wifi network. Turn the wifi off, set the Comcast to bridge mode, and install your own wifi router. Then you can configure it as you wish, run DD-WRT etc. on it, and so forth, and the Comcast device can't see into your home network even if it is hacked. A hacked Comcast device could still hijack DNS, but if they ever get the problems with DNScrypt ironed out and make it generally usable, that problem will go away.

            1. Sven Coenye

              Re: Comcast

              That *is* my own router. We just did not expect for Comcast to hijack it completely.

              Plus, how many people who are vulnerable* to this would go through the lengths you describe?

              * Include entire family here, especially the sprogs who may know just enough to be dangerous without anyone else understanding what is going on.

            2. Jamie Jones Silver badge

              Re: Comcast

              Sorry, but that is 100% your fault for using a Comcast provided device for your wifi network. Turn the wifi off, set the Comcast to bridge mode, and install your own wifi router.

              Oh, please, that is the most elitist and apologetic answer ever.

              I actually have such a setup myself (with an asus R68 or whatever it's called). I'm not on comcast, but did it because I wanted a system that gave me more control at the router.

              However it is totally wrong to excuse Comcast if they do this, and also expect someone to mitigate it the way you describe (although, this being a reply to a comment on a tech site, maybe that isn't too 'out-there' and I was a bit harsh with the elitist comment).

              Still, really? Company X does something stupid and it's the customer's fault?

      2. Planty Bronze badge

        Re: Infection Vector

        0.1/ enable untrusted sources

        0.2/ ignore malware warning

        0.3/ find malicious download

        0.4/ ignore Google Verify Apps warning dialogs

        0.5/ circumvent android runtime security checks

        .

        .

        .

        2.5/ have a router that uses a default user and password that the user didn't change.

  4. Anonymous Coward
    IT Angle

    New Android-infecting malware can only infect already infected Android devices

    Yawn ..

  5. Mage Silver badge
    Facepalm

    Oh no

    Yet ANOTHER drive-by router attack, the Gazzilioneth in the last 15 years, because STUPIDLY routers work out of the box without a mandatory new user name and non-dictionary password, easily guessed. Or the same on every box.

    Or based on the MAC.

    Idiotic making it TOO simple to use the router. Even in moronic Windows you have to create a new user and password to be able to connect to the internet.

    It could equally be JavaScript hidden in an image of an advert on a browser that does this. The problem is not the phone or Wifi but the stupidity of default credentials to set router parameters, especially DNS.

  6. whoseyourdaddy

    You get what you pay for.

  7. sitta_europea Silver badge

    DNSSEC anybody? Like, er, the banks, for starters?
