New Android Switcher Trojan Spreading Through Wi-Fi Routers


The trojan hijacks DNS servers and replaces them with malicious versions to re-direct web traffic

A new evolution of Android malware has been discovered, using unsuspecting devices as tools to infect Wi-Fi routers.

Dubbed ‘The Switcher Trojan’ by Kaspersky Lab, the malware changes routers’ DNS settings and redirects traffic from connected devices to malicious websites controlled by the attackers, leaving users vulnerable to a range of different attacks.

So far the people behind the virus claim to have successfully infiltrated 1,280 wireless networks, predominantly located in China.

Trojan virus

DNS hijacking

DNS servers work by turning a readable web address such as ‘’ into the numerical IP address required for computers to communicate with each other. The Switcher Trojan hijacks this process by intercepting the signal and redirecting the device to a fake website, giving attackers control over network activity.

It is spread by users downloading the trojan from one of two malicious websites created by the attackers. One is disguised as an Android client of the Chinese search engine Baidu and the other is a fake version of a popular Chinese app for sharing information about Wi-Fi networks.

Using a brute-force attack, the trojan tries to break in to the web admin interface of any infected device that connects to a wireless network which, if successful, enables it to swap the existing DNS server for a malicious one.

“The Switcher Trojan marks a dangerous new trend in attacks on connected devices and networks,” said Nikita Buchka, mobile security expert at Kaspersky Lab. “It does not attack users directly. Instead, it turns them into unwilling accomplices: physically moving sources of infection. The Trojan targets the entire network, exposing all its users, whether individuals or businesses, to a wide range of attacks – from phishing to secondary infection.

“A successful attack can be hard to detect and even harder to shift: the new settings can survive a router reboot, and even if the rogue DNS is disabled, the secondary DNS server is on hand to carry on. Protecting devices is as important as ever, but in a connected world we cannot afford to overlook the vulnerability of routers and Wi-Fi networks.”

Quiz: How much do you know about Google’s Android software?