You knew 2016 was a bad year for enterprise security, but maybe you didn’t notice how badly it ended. Last week, security researchers at Kaspersky Lab discovered a family of trojaned Android apps whose behavior foreshadows the next level of threat for enterprises. Dubbed “Switcher”, this cross-platform mobile threat hijacks the Wi-Fi router the infected device is connected to.
Think about that for a minute: a malicious mobile app capable of attacking network infrastructure and redirecting unsuspecting Wi-Fi users to malicious sites. Needing nothing beyond ordinary network access (no special app permissions), infected apps scan the local network for TP-Link routers. If one is found, default admin credentials are tried against its admin interface, and on success the router’s DNS server setting is changed to one the attackers control. Instead of compromising just the device, the malware compromises the network and everyone on it. This is not a mobile app we want to see in enterprise environments.
How worried should you be about Switcher? If you’re in Europe or North America, maybe not too much, yet. As it stands today, Switcher is only active in China. It can only hijack one brand of router, TP-Link, and it only succeeds if the default password hasn’t been changed. However, none of these limitations is difficult to overcome.
Researchers have feared cross-platform mobile threats for years, but examples in the wild so far have been limited to Android-to-desktop. “Android to router” is a whole new threat level.
Once a Switcher-infected device has reconfigured the router, every user who connects to that network receives the malicious DNS server by default and can be directed to sites that steal credentials, exfiltrate sensitive documents, and more.
We anticipate this technique will evolve quickly, incorporating brute-force attacks against network resources and exploiting network vulnerabilities. We also anticipate, if it isn’t happening already, malicious iOS apps that use the same technique. Given that the majority of corporate devices run iOS, this makes it more important than ever to have strong security measures in place.
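Detecting that symptom on a client is straightforward if you know which resolvers the network is supposed to hand out. The following Python script is an added example, not code from the original post or from Kaspersky’s analysis: it parses a dhclient-style lease file (a constructed sample is embedded; the addresses are documentation and example values, not the real Switcher DNS servers) and flags every DNS server that is not on an allowlist you supply. It checks every server in the option, not just the first, because a rogue primary can be paired with a trusted public secondary and still hijack resolution.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample in dhclient.leases format (not a real capture).
# The second, most recent lease is what a client would receive after a
# Switcher-style change of the router's DNS settings: an attacker-controlled
# resolver first, with a well-known public resolver as a fallback.
SAMPLE_LEASES = """\
lease {
  interface "wlan0";
  fixed-address 192.168.0.104;
  option subnet-mask 255.255.255.0;
  option routers 192.168.0.1;
  option domain-name-servers 192.168.0.1;
  option dhcp-server-identifier 192.168.0.1;
}
lease {
  interface "wlan0";
  fixed-address 192.168.0.104;
  option subnet-mask 255.255.255.0;
  option routers 192.168.0.1;
  option domain-name-servers 203.0.113.7,8.8.8.8;
  option dhcp-server-identifier 192.168.0.1;
}
"""

LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.DOTALL)
# Matches both "option name value;" and bare "name value;" statements.
STATEMENT_RE = re.compile(r"^\s*(?:option\s+)?([\w-]+)\s+(.+?);\s*$", re.MULTILINE)


def parse_leases(text: str) -> List[Dict[str, str]]:
    """Return one dict of statements per lease block, in file order
    (dhclient appends, so the last block is the current lease)."""
    return [dict(STATEMENT_RE.findall(m.group(1))) for m in LEASE_RE.finditer(text)]


def dns_servers(lease: Dict[str, str]) -> List[str]:
    """DNS servers handed out in this lease; dhclient separates them with ', '."""
    raw = lease.get("domain-name-servers", "")
    return [s.strip() for s in raw.split(",") if s.strip()]


def lan_network(lease: Dict[str, str]) -> Optional[ipaddress.IPv4Network]:
    """Derive the LAN subnet from the assigned address and subnet mask."""
    addr, mask = lease.get("fixed-address"), lease.get("subnet-mask")
    if not addr or not mask:
        return None
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def audit_dns(lease: Dict[str, str], allowlist: List[str]) -> List[str]:
    """Return findings for one lease; an empty list means every DNS server
    is on the allowlist. Every server is checked, not only the first."""
    servers = dns_servers(lease)
    if not servers:
        return ["lease carries no domain-name-servers option"]
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    lan = lan_network(lease)
    findings = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            findings.append(f"unparseable DNS server {s!r}")
            continue
        if ip in allowed:
            continue
        where = "on the LAN" if lan is not None and ip in lan else "off the LAN"
        findings.append(f"DNS server {ip} not in allowlist ({where})")
    return findings


def audit_lease_file(text: str, allowlist: List[str]) -> List[List[str]]:
    """Findings per lease block, in file order."""
    return [audit_dns(lease, allowlist) for lease in parse_leases(text)]


if __name__ == "__main__":
    # Expected resolvers for this network: the router itself (assumption).
    for i, findings in enumerate(audit_lease_file(SAMPLE_LEASES, ["192.168.0.1"])):
        print(f"lease {i}: {'OK' if not findings else '; '.join(findings)}")
```

In practice you would run this against the live lease file (`/var/lib/dhcp/dhclient.leases` on many Linux distributions) and alert on any non-empty findings for the last block. The allowlist should be the resolvers your network is supposed to hand out; adding a public resolver to it because it is "trusted" does not clear the lease above, since the rogue primary is still reported.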
We recommend the following to prevent and minimize the occurrence of cross-platform threats in your enterprise:
- Ensure users only install apps from approved stores, such as Apple’s App Store or Google Play.
- Review all routers and other network infrastructure to ensure that strong passwords are in place, and where possible two-factor authentication is in use. It goes without saying that this includes changing the default password on your routers.
- Keep an eye out for new, more capable cross-platform mobile threats from additional Android and possibly also iOS apps.