Breaking open the Android Switcher

In late December 2016, the Android Switcher trojan was making the news. A trojan is “a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users’ systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system” (source).

We decided to investigate this trojan for a short writeup of its functionalities and capabilities, so I downloaded a sample from Virustotal and cracked it open in the lab.

The first notable observation is that there is a lot of code written in Chinese (figure 1). Additionally, there are a lot of com classes, which makes it look as if it were a merged version of many different applications. This could simply be a way of adding extra trash-code to obfuscate the real functionality.

There are several hardcoded URLs for data exfiltration (figures 2 and 3), which receive internal network and device information.

Checking WHOIS records shows that the domain name is registered in Beijing (figure 4), and at the moment of writing this blog post is no longer accessible.

The trojan attacks a victim’s router by trying a series of predefined username:password combinations. These combinations are hardcoded inside one of the Java classes, and do not include very extensive tests.

According to previous research by Kaspersky Lab, the attacks are exclusively destined for TP-Link routers. This is determined based on the hardcoded JavaScript scripts that are used to navigate through the router admin panel (figure 5).

The malware also includes some interesting functionalities worth noting, such as: * Target Chinese users * Check if the device is rooted * DNS hijacking * User input emulation * Screen capturing


Android Switcher relies on a very limited set of default/weak credentials to gain access to the router and change its DNS settings. Nevertheless, according to Kaspersky’s research, this trojan was able to gain access to nearly 1,300 networks. If the next version contains a more extended set of username:password pairs and implements the capability of accessing other router models, this trojan will be able to pull in thousands of hijacked devices.

It is recommended to check that your router is configured to use a known public DNS entity, such as Google ( Additionally, it is highly recommended to change your default router password.

Recommended Posts