{
	"id": "10d227f9-f676-47c9-a397-bf312b646a2a",
	"created_at": "2026-04-06T00:06:47.026451Z",
	"updated_at": "2026-04-10T13:12:50.40024Z",
	"deleted_at": null,
	"sha1_hash": "a892152a76e6d77bd10b874f7885a0c34eddb428",
	"title": "Switcher: Android joins the ‘attack-the-router’ club",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 359151,
	"plain_text": "Switcher: Android joins the ‘attack-the-router’ club\r\nBy Nikita Buchka\r\nPublished: 2016-12-28 · Archived: 2026-04-05 19:26:21 UTC\r\nRecently, in our never-ending quest to protect the world from malware, we found a misbehaving Android trojan. Although malware targeting the Android OS stopped being a novelty quite some time ago, this trojan is unusual. Instead of attacking the user, it attacks the Wi-Fi network the user is connected to or, to be precise, the wireless router that serves that network. The trojan, dubbed Trojan.AndroidOS.Switcher, performs a brute-force password-guessing attack on the router’s admin web interface. If the attack succeeds, the malware changes the addresses of the DNS servers in the router’s settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to servers run by the cybercriminals (an attack also known as DNS hijacking). Below we explain in detail how Switcher performs its brute-force attack, gets into the router and carries out its DNS hijack.\r\nClever little fakes\r\nTo date, we have seen two versions of the trojan:\r\nacdb7bfebf04affd227c93c97df536cf; package name – com.baidu.com\r\n64490fbecefa3fcdacd41995887fe510; package name – com.snda.wifi\r\nThe first version (com.baidu.com) disguises itself as a mobile client for the Chinese search engine Baidu, simply opening the URL http://m.baidu.com inside the application. The second version is a well-made fake of a popular Chinese app (http://www.coolapk.com/apk/com.snda.wifilocating) for sharing information about Wi-Fi networks (including the security password) between users of the app. Such information is used, for example, by business travelers to connect to a public Wi-Fi network for which they don’t know the password. 
It is a good place to hide malware targeting routers, because users of such apps usually connect to many Wi-Fi networks, thus spreading the infection.\r\nThe cybercriminals even created a website (though a badly made one) to advertise and distribute the aforementioned fake version of com.snda.wifilocating. The web server that hosts the site is also used by the malware authors as the command-and-control (C\u0026C) server.\r\nhttps://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/\r\nPage 1 of 8\n\nThe infection process\r\nThe trojan performs the following actions:\r\n1. Gets the BSSID of the network and informs the C\u0026C that the trojan is being activated in a network with this BSSID.\r\n2. Tries to get the name of the ISP (Internet Service Provider) and uses it to decide which rogue DNS server will be used for the DNS hijack. There are three possible DNS servers, 101.200.147.153, 112.33.13.11 and 120.76.249.59; 101.200.147.153 is the default choice, while the others are chosen only for specific ISPs.\r\n3. Launches a brute-force attack with the following predefined dictionary of logins and passwords:\r\nadmin:00000000\r\nadmin:admin\r\nadmin:123456\r\nadmin:12345678\r\nadmin:123456789\r\nadmin:1234567890\r\nadmin:66668888\r\nadmin:1111111\r\nadmin:88888888\r\nadmin:666666\r\nadmin:87654321\r\nadmin:147258369\r\nadmin:987654321\r\nadmin:66666666\r\nadmin:112233\r\nadmin:888888\r\nadmin:000000\r\nadmin:5201314\r\nadmin:789456123\r\nadmin:123123\r\nadmin:789456123\r\nadmin:0123456789\r\nadmin:123456789a\r\nadmin:11223344\r\nadmin:123123123\r\nThe trojan gets the default gateway address and then tries to access it in the embedded browser. With the help of JavaScript it tries to log in using the different combinations of logins and passwords. 
Judging by the hardcoded names of input fields and the structure of the HTML documents that the trojan tries to access, the JavaScript code will work only on the web interfaces of TP-LINK Wi-Fi routers.\r\n4. If it gains access to the admin interface, the trojan navigates to the WAN settings, replaces the primary DNS server with a rogue DNS server controlled by the cybercriminals, and sets the secondary DNS server to 8.8.8.8 (Google’s public DNS, which keeps name resolution working if the rogue DNS goes down). The code that performs these actions is a complete mess, because it was designed to work on a wide range of routers and runs asynchronously. Nevertheless, it can be followed by placing the relevant parts of the code next to a screenshot of the web interface, one step at a time.\r\n5. If the DNS addresses were changed successfully, the trojan reports its success to the C\u0026C.\r\nSo, why is it bad?\r\nTo appreciate the impact of these actions it is crucial to understand the basic principles of how DNS works. DNS resolves the human-readable name of a network resource (e.g. a website) into the IP address that is used for the actual communication on the network. For example, the name “google.com” will be resolved into the IP address 87.245.200.153. In general, a normal DNS query is performed in the following way:\r\nWith DNS hijacking, the cybercriminals change the TCP/IP settings of the victim (in our case, the router) to force it to send its DNS queries to a DNS server they control: a rogue DNS server. 
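The gateway discovery and credential guessing from step 3 of the infection process above, as an added example in Python; this is not the trojan's JavaScript and not code from the original post. It assumes, which the post does not state, that the router's admin page is protected by HTTP Basic authentication (a 401 means the guess was rejected); the gateway parser reads Linux 'ip route' output, the dictionary is the one listed above, and the DNS-rewriting step of step 4 is left out because the post does not show the form the trojan fills in. Run it only against a router you own.

```python
# Added example (not Switcher's code): a default-credential audit of a router
# admin interface along the lines of step 3 in the post.
# Assumption: the admin interface uses HTTP Basic auth, so 401 = rejected.
# Use only against a router you own.
import base64
import subprocess
import urllib.error
import urllib.request

# The trojan's dictionary, copied from the list in the post (the duplicate
# admin:789456123 entry is kept exactly as listed).
SWITCHER_DICTIONARY = [('admin', p) for p in (
    '00000000', 'admin', '123456', '12345678', '123456789', '1234567890',
    '66668888', '1111111', '88888888', '666666', '87654321', '147258369',
    '987654321', '66666666', '112233', '888888', '000000', '5201314',
    '789456123', '123123', '789456123', '0123456789', '123456789a',
    '11223344', '123123123')]


def default_gateway(ip_route_output):
    '''Return the gateway address from Linux ip route show default output.

    Switcher reads the gateway from the Android Wi-Fi API; on a Linux host the
    equivalent is the via address of the default route.'''
    for line in ip_route_output.splitlines():
        fields = line.split()
        if fields[:1] == ['default'] and 'via' in fields:
            return fields[fields.index('via') + 1]
    return None


def basic_auth_header(user, password):
    '''Build the Authorization header for one login:password guess.'''
    token = base64.b64encode((user + ':' + password).encode()).decode()
    return {'Authorization': 'Basic ' + token}


def http_status(url, headers):
    '''GET the URL and return its status code; 4xx/5xx are returned, not raised.
    A connection failure still raises, which aborts the audit on purpose.'''
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=3) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def guess_admin_credentials(gateway, dictionary=SWITCHER_DICTIONARY,
                            probe=http_status, path='/'):
    '''Try each login:password against the gateway admin page in order.

    Returns (user, password, attempts) for the first guess the router
    accepts (any status other than 401), or None if the whole dictionary
    is rejected. The probe argument is injectable so the logic can be
    exercised without a router on the network.'''
    url = 'http://' + gateway + path
    for attempt, (user, password) in enumerate(dictionary, start=1):
        if probe(url, basic_auth_header(user, password)) != 401:
            return user, password, attempt
    return None


if __name__ == '__main__':
    routes = subprocess.run(['ip', 'route', 'show', 'default'],
                            capture_output=True, text=True).stdout
    gateway = default_gateway(routes)
    print('default gateway:', gateway)
    if gateway:
        print('accepted guess:', guess_admin_credentials(gateway))
```

The point of the injectable probe is that the same loop can be run against a fake responder first: 25 guesses against a real router that still uses a factory password will succeed within seconds, which is exactly why the post's advice to change the admin credentials matters more than any filtering of the three rogue addresses.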
So, the scheme changes into this:\r\nAs you can see, instead of communicating with the real google.com, the victim is fooled into communicating with a completely different network resource. This could be a fake google.com that saves all your search requests and sends them to the cybercriminals, or it could just be a random website with a bunch of pop-up ads or malware. Or anything else. The attackers gain almost full control over the network traffic that depends on name resolution (which includes, for example, all web traffic).\r\nYou may ask why this matters: routers don’t browse websites, so where is the risk? Unfortunately, the most common configuration for Wi-Fi routers hands the router’s own DNS settings to the devices connected to it, thus forcing all devices in the network to use the same rogue DNS. So, after gaining access to a router’s DNS settings, one can control almost all the traffic in the network served by that router.\r\nThe cybercriminals were not cautious enough and left their internal infection statistics in the open part of the C\u0026C website.\r\nAccording to those statistics, they successfully infiltrated 1,280 Wi-Fi networks. If this is true, the traffic of all the users of these networks is susceptible to redirection.\r\nConclusion\r\nTrojan.AndroidOS.Switcher does not attack users directly. Instead, it targets the entire network, exposing all its users to a wide range of attacks, from phishing to secondary infection. The main danger of such tampering with a router’s settings is that the new settings survive a reboot of the router, and it is very difficult to find out that the DNS has been hijacked. 
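One way to find out, added here as an example (it is not part of the original post): scan a client's resolver configuration for the three rogue addresses listed in the recommendations below, and for the primary-rogue, secondary-8.8.8.8 layout the trojan leaves behind. The sample resolver outputs embedded in the block are constructed, and the parser assumes the formats of /etc/resolv.conf, macOS scutil --dns and Windows ipconfig /all.

```python
# Added example (not from the original post): look for the Switcher rogue
# resolvers in resolver configuration copied from a client machine.
# The sample outputs below are constructed, not captured from a real host.
import re
import sys

# Indicators from the post.
SWITCHER_ROGUE_DNS = {'101.200.147.153', '112.33.13.11', '120.76.249.59'}
GOOGLE_DNS = '8.8.8.8'   # the secondary the trojan sets, so outages stay hidden

_IPV4 = re.compile(r'(?<![0-9.])(?:[0-9]{1,3}[.]){3}[0-9]{1,3}(?![0-9.])')
_DNS_LABEL = re.compile(r'nameserver|dns', re.IGNORECASE)


def nameservers_from_text(text):
    '''Return the resolver addresses, in listed order, from resolver output.

    Handles /etc/resolv.conf (nameserver 1.2.3.4), macOS scutil --dns
    (nameserver[0] : 1.2.3.4) and Windows ipconfig /all, where additional
    servers follow the DNS Servers line on indented, unlabelled lines.
    Other addresses on the page (gateway, mask, DHCP server) are ignored.'''
    servers = []
    continuing = False   # inside a Windows-style multi-line DNS Servers entry
    for line in text.splitlines():
        ips = _IPV4.findall(line)
        labelled = bool(_DNS_LABEL.search(line))
        continuation = continuing and line[:1].isspace() and line.split() == ips
        if labelled or continuation:
            for ip in ips:
                if ip not in servers:
                    servers.append(ip)
            continuing = True
        else:
            continuing = False
    return servers


def check_resolvers(text):
    '''Summarise what the resolver list says about a Switcher compromise.'''
    servers = nameservers_from_text(text)
    rogue = [s for s in servers if s in SWITCHER_ROGUE_DNS]
    # Switcher's layout: rogue primary, 8.8.8.8 secondary, so resolution keeps
    # working (and nobody is alerted) whenever the rogue server is down.
    layout = (bool(rogue) and servers[0] in SWITCHER_ROGUE_DNS
              and GOOGLE_DNS in servers[1:])
    return {'servers': servers, 'rogue': rogue, 'switcher_layout': layout}


# Constructed samples (not real captures) in the three formats handled above.
RESOLV_CONF_HIJACKED = '''# Generated by NetworkManager (constructed sample)
search lan
nameserver 101.200.147.153
nameserver 8.8.8.8
'''

IPCONFIG_CLEAN = '''Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : lan
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
'''

IPCONFIG_HIJACKED = '''   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 101.200.147.153
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
'''

SCUTIL_HIJACKED = '''DNS configuration

resolver #1
  search domain[0] : lan
  nameserver[0] : 112.33.13.11
  nameserver[1] : 8.8.8.8
  if_index : 6 (en0)
  flags    : Request A records
'''


if __name__ == '__main__':
    # Usage: cat /etc/resolv.conf | python switcher_check.py
    #        ipconfig /all | python switcher_check.py
    print(check_resolvers(sys.stdin.read()))
```

In the common configuration the post describes, where the router hands its own DNS settings to connected devices, the client-side view reflects the router's WAN setting, so a hit here means the router, not just the client, needs cleaning. A client with statically configured resolvers or a VPN resolver will show clean here even on a hijacked network; for those, read the WAN DNS fields in the router's admin page directly.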
Even if the rogue DNS servers are down for some time, the secondary DNS server, which was set to 8.8.8.8, takes over, so neither users nor IT staff are alerted by a failure.\r\nWe recommend that all users check their DNS settings and search for the following rogue DNS servers:\r\n101.200.147.153\r\n112.33.13.11\r\n120.76.249.59\r\nIf you have one of these servers in your DNS settings, contact your ISP’s support or alert the owner of the Wi-Fi network. Kaspersky Lab also strongly advises users to change the default login and password of the admin web interface of their router to prevent such attacks in the future.\r\nSource: https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/"
	],
	"report_names": [
		"switcher-android-joins-the-attack-the-router-club"
	],
	"threat_actors": [],
	"ts_created_at": 1775434007,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a892152a76e6d77bd10b874f7885a0c34eddb428.pdf",
		"text": "https://archive.orkl.eu/a892152a76e6d77bd10b874f7885a0c34eddb428.txt",
		"img": "https://archive.orkl.eu/a892152a76e6d77bd10b874f7885a0c34eddb428.jpg"
	}
}