Researchers have uncovered a malicious Android app that can tamper with the wireless router that the infected phone is connected to and force the router to send all network devices to malicious locations.
The malicious application, found by Kaspersky, uses a technique known as Domain Name System (DNS) hijacking. Once installed, it connects to the router's administrative interface and attempts to log in using default or commonly used credentials, such as admin:admin. On success, it changes the router's DNS server setting to a rogue server controlled by the attackers. From then on, every device on the network can be directed to rogue sites that mimic legitimate ones but spread malware or log user credentials and other sensitive information.
Able to spread widely
“We believe that the detection of this new DNS changer application is very important in terms of security,” Kaspersky researchers wrote. “An attacker could use it to manage all connections from devices using a compromised Wi-Fi router with rogue DNS settings.”
The researchers continued: "Users connect infected Android devices to public/free Wi-Fi in places like cafes, bars, libraries, hotels, shopping malls, and airports. When connected to a target Wi-Fi model with weak settings, the Android malware will compromise the router and affect other devices as well. As a result, it is able to spread widely in target areas."
DNS is the mechanism that maps a domain name like ArsTechnica.com to 22.214.171.124, the numerical IP address where the site is hosted. Lookups are answered by resolvers run by the user's Internet service provider or by public services from companies such as Cloudflare or Google. By changing the DNS server address in the router's administrative panel from a legitimate resolver to a malicious one, attackers can make every device that takes its DNS settings from the router receive forged answers that resolve legitimate domain names to sites used for cybercrime.
The Android app is known as Wroba.o, and it has been in use for years in various countries, including the United States, France, Japan, Germany, Taiwan, and Turkey. Oddly, the DNS hijacking capability is used almost exclusively in South Korea. From 2019 through most of 2022, the attackers lured targets to malicious websites with links sent via text message, a technique known as smishing. Late last year, they added DNS hijacking to their activities in that country.
The attackers, known in the security industry as Roaming Mantis, designed the DNS hijacking to work only when devices visit the mobile version of a spoofed website, most likely to keep the campaign from being detected.
While the threat is serious, it has a major limitation: HTTPS. The Transport Layer Security (TLS) certificates that underpin HTTPS bind a domain name like ArsTechnica.com to a public key whose private half is known only to the site operator, and that binding is signed by a certificate authority the browser trusts. A user who is redirected to a malicious site impersonating Ars Technica will, in a modern browser, see a warning that the connection is not secure or be asked to accept a self-signed certificate, which users should never do. The protection applies only to HTTPS connections; plain HTTP pages, or apps that skip certificate validation, produce no such warning.
Another way to blunt the threat is to make sure the password protecting the router's administrative account has been changed from the default to a strong, unique one.
However, not everyone is aware of these best practices, leaving them open to visiting a malicious site that looks almost identical to the legitimate site they intend to access.
Thursday's report stated that "users who have infected Android devices that connect to public or free Wi-Fi networks may spread malware to other devices on the network if the Wi-Fi they are connected to is weak." Kaspersky experts are concerned about the possibility of the DNS changer being used to target other regions and cause significant problems.