Deja-Vu????
New Android-infecting malware brew hijacks devices. Why, you ask? Your router
Hackers have brewed up a strain of Android malware that uses compromised smartphones as conduits to attack routers. The Switcher trojan does not attack Android device users directly. Instead, the malware uses compromised smartphones and tablets as tools to attack any wireless networks they connect to. Switcher brute-forces …
COMMENTS
-
Tuesday 3rd January 2017 17:04 GMT Anonymous Coward
Interesting choice of targets...
...and by that I mean the Chinese, not the routers.
It makes some sense too. From the point of view of mobile phone technology and use China represents a single large culture, so the malware authors only have to do one thing well and concentrate on just fooling that one large culture to get a lot of hits.
It remains to be seen whether it'll be deployed further afield and whether it will be as effective.
-
Tuesday 3rd January 2017 20:10 GMT Trigonoceps occipitalis
Re: Interesting choice of targets...
Can 1.4 Billion people spread over 9.6 million square kilometers really be said to be a "single large culture"? Granted a very large majority are Han. Even so, in my ignorance of the real China, it is too many over too large an area.
Any Sinorati care to enlighten me?
-
Tuesday 3rd January 2017 22:31 GMT Dave 126
Re: Interesting choice of targets...
>Can 1.4 Billion people spread over 9.6 million square kilometers really be said to be a "single large culture"?
Fair point. I guess one wanting to support the argument would suggest that aspects of internet use (government regulation, equipment used, popular sites with users) are peculiar to China.
-
Wednesday 4th January 2017 15:51 GMT Anonymous Coward
Re: Interesting choice of targets...
I would agree that from a sociological point there are many sub-cultures within China but that's why I qualified it by saying "From the point of view of mobile phone technology and use..."
Although there may be many different sociological sub-cultures within China, the phones being used across those sub-cultures won't differ greatly and, being China, will mostly be accessing local (Chinese) services which, even if they allow for different sub-languages, will operate in the same way for all of those sub-cultures: this seems likely to result in the different sub-cultures using their phones similarly.
-
Tuesday 3rd January 2017 23:11 GMT P. Lee
Re: Infection Vector
>How about getting a new phone with a generic loader/backdoor installed at the factory ?
You mean like a hard-coded 8.8.8.8?
They might be redirecting you to malicious sites or merely stealing your browsing history.
Mine's the one with "Disillusioned with the Internet" written on the back.
-
Tuesday 3rd January 2017 19:42 GMT Midnight
Re: Infection Vector
The linked writeup goes into some depth about this, but here's an overly brief summary which probably misses several important details:
1) End user downloads a copy of a popular search app or free wifi app onto their phone and installs it, presumably by sideloading.
2) The trojan app then runs, checks to see if it has connected to a new wifi network and then phones home for instructions.
3) The app then uses a range of super-secret military grade encrypted ciphers such as "admin/admin" and "admin/123456" to log in as an administrator to the wifi access point it just connected to.
4) Once it has admin access to the AP the trojan will then reconfigure it to use a rogue DNS server for itself and for all DHCP clients which connect to it from then on. According to the article it seems to only understand the web interface for common TP-LINK routers.
5) The trojan-infected phone can then be switched off, wiped clean, fed into a wood chipper and then have its ashes launched into the sun, but the damage to the WIFI AP will still remain.
So the initial infection is done by sideloading an app, but once the AP has been owned every user of that WiFi network who uses the provided DNS addresses will be affected.
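Step 4 above is what a client on an affected network can actually observe: the DNS servers handed out by DHCP change. The following is an added example (not from the article or the commenter) of a client-side check that parses a dhclient-style lease file and flags DNS servers that are neither the gateway itself nor on a site-defined trusted list; the lease text and the trusted resolver set are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample dhclient lease file (not captured from a real network).
# The first lease is healthy; the second shows the AP now handing out a
# resolver outside the trusted set, as a reconfigured router would.
SAMPLE_LEASES = """\
lease {
  interface "wlan0";
  fixed-address 192.168.0.23;
  option routers 192.168.0.1;
  option domain-name-servers 192.168.0.1;
}
lease {
  interface "wlan0";
  fixed-address 192.168.0.23;
  option routers 192.168.0.1;
  option domain-name-servers 203.0.113.7, 8.8.8.8;
}
"""

# Assumption: resolvers the site considers legitimate besides the gateway.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}


def parse_leases(text):
    """Return one (gateways, dns_servers) tuple per lease block, oldest first."""
    leases = []
    for block in re.findall(r"lease\s*\{(.*?)\}", text, re.S):
        routers = re.search(r"option routers ([^;]+);", block)
        dns = re.search(r"option domain-name-servers ([^;]+);", block)
        gws = [s.strip() for s in routers.group(1).split(",")] if routers else []
        nss = [s.strip() for s in dns.group(1).split(",")] if dns else []
        # Validate that every entry is an IP literal; a junk value is a finding too.
        for ns in nss:
            ipaddress.ip_address(ns)
        leases.append((gws, nss))
    return leases


def audit_leases(text, trusted=TRUSTED_RESOLVERS):
    """Check the newest lease: a DNS server is acceptable only if it is the
    gateway (router forwarding on our behalf) or explicitly trusted. Also
    report whether the DNS set differs from the previous lease."""
    leases = parse_leases(text)
    if not leases:
        return {"unexpected": [], "changed": False}
    gateways, servers = leases[-1]
    unexpected = [ns for ns in servers if ns not in gateways and ns not in trusted]
    changed = len(leases) > 1 and set(servers) != set(leases[-2][1])
    return {"unexpected": unexpected, "changed": changed}
```

On a real machine the lease text would come from the dhclient leases file for the wireless interface; a non-empty "unexpected" list or a "changed" flag is the cue to inspect the router's DHCP settings.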
-
Tuesday 3rd January 2017 19:58 GMT bombastic bob
Re: Infection Vector
it sounds to me that if you were to disable wifi configuration of the router (i.e. requiring an ethernet connection, rather than a wifi connection, to admin the thing) it would disable the vector...
just a thought. probably a good idea to configure that [no wifi-connected admin'ing], when possible.
-
Tuesday 3rd January 2017 21:03 GMT Michael Thibault
Re: Infection Vector
>disable wifi configuration of the router
Small problem: the mouth-breathers doing the side-loading of the Shiny Golden Software (tm) are not only very unlikely to inconvenience themselves in this way, they likely aren't even aware of the possibility of doing so. Another small problem: these Android thingies appear to be mobile--the implication being that you'd have to disable wifi config on every router any such infected peripatetic Android thingy might come across, before it does so. Extremely unlikely.
The router tech is neither the problem nor the solution; the meat seems to have only the expected intelligence for what it is.
-
Wednesday 4th January 2017 14:26 GMT Anonymous Coward
Comcast
Sorry, but that is 100% your fault for using a Comcast provided device for your wifi network. Turn the wifi off, set the Comcast to bridge mode, and install your own wifi router. Then you can configure it as you wish, run DD-WRT etc. on it, and so forth, and the Comcast device can't see into your home network even if it is hacked. A hacked Comcast device could still hijack DNS, but if they ever get the problems with DNScrypt ironed out and make it generally usable, that problem will go away.
-
Wednesday 4th January 2017 15:55 GMT Sven Coenye
Re: Comcast
That *is* my own router. We just did not expect for Comcast to hijack it completely.
Plus, how many people who are vulnerable* to this would go through the lengths you describe?
* Include entire family here, especially the sprogs who may know just enough to be dangerous without anyone else understanding what is going on.
-
Thursday 5th January 2017 07:29 GMT Jamie Jones
Re: Comcast
>Sorry, but that is 100% your fault for using a Comcast provided device for your wifi network. Turn the wifi off, set the Comcast to bridge mode, and install your own wifi router.
Oh, please, that is the most elitist and apologetic answer ever.
I actually have such a setup myself (with an Asus R68 or whatever it's called). I'm not on Comcast, but did it because I wanted a system that gave me more control at the router.
However it is totally wrong to excuse Comcast if they do this, and also expect someone to mitigate it the way you describe (although, this being a reply to a comment on a tech site, maybe that isn't too 'out-there' and I was a bit harsh with the elitist comment)
Still, really? Company X does something stupid and it's the customer's fault?
-
Wednesday 4th January 2017 09:14 GMT Planty
Re: Infection Vector
0.1/ enable untrusted sources
0.2/ ignore malware warning
0.3/ find malicious download
0.4/ ignore Google Verify Apps warning dialogs
0.5/ circumvent android runtime security checks
.
.
.
2.5/ have a router that uses a default user and password that the user didn't change.
-
Tuesday 3rd January 2017 21:38 GMT Mage
Oh no
Yet ANOTHER drive-by router attack, the gazillionth in the last 15 years, because STUPIDLY routers work out of the box without a mandatory new user name and non-dictionary password, easily guessed. Or the same on every box.
Or based on the MAC.
Idiotic making it TOO simple to use the router. Even moronic Windows you have to create a new user and password to be able to connect to the internet.
It could equally be JavaScript hidden in an image of an advert on a browser that does this. The problem is not the phone or Wifi but the stupidity of default credentials to set router parameters, especially DNS.
-