The most common way for threat actors to compromise a network router is to attack it directly. The other, and potentially more scalable, way is to get individual users to unwittingly do it for them.
Security researchers at Kaspersky Lab have discovered a dangerous new Trojan dubbed Switcher that is designed to infect and hijack WiFi routers via compromised Android end user devices.
The malware masquerades as two legitimate Android apps—an Android client for Chinese search engine Baidu and a fake version of a Chinese application for sharing WiFi network information.
If a user downloads either app on their Android device and then connects to a WiFi network, the malware tries to gain administrative access to the router by brute-forcing its way in using a predefined list of login combinations.
Once it gains access to the router, it switches out the router’s existing DNS server with a malicious one controlled by the attackers. The malware also sets up a secondary DNS server as a failsafe measure in case the primary rogue server is taken down.
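The sequence described above (a burst of failed admin logins from a device inside the network, a successful login, then a DNS change) can be detected from router logs. The following is an added example, not code from Kaspersky Lab or the original article; the log format, the addresses and the allowlist are constructed assumptions, and a real router's log lines will differ.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical router log format (documentation-range IPs).
SAMPLE_LOG = """\
2024-01-02T10:00:01 httpd: admin login failed from 192.168.1.23
2024-01-02T10:00:02 httpd: admin login failed from 192.168.1.23
2024-01-02T10:00:03 httpd: admin login failed from 192.168.1.23
2024-01-02T10:00:04 httpd: admin login failed from 192.168.1.23
2024-01-02T10:00:05 httpd: admin login ok from 192.168.1.23
2024-01-02T10:00:07 config: dns set primary=203.0.113.10 secondary=203.0.113.11 by 192.168.1.23
2024-01-02T11:30:00 httpd: admin login failed from 192.168.1.5
2024-01-02T11:30:20 httpd: admin login ok from 192.168.1.5
2024-01-02T11:31:00 config: dns set primary=192.0.2.53 secondary=192.0.2.54 by 192.168.1.5
"""
ALLOWED_DNS = {"192.0.2.53", "192.0.2.54"}  # assumed: resolvers the network owner expects

LOGIN = re.compile(r"^(\S+) httpd: admin login (failed|ok) from (\S+)$")
DNS = re.compile(r"^(\S+) config: dns set primary=(\S+) secondary=(\S+) by (\S+)$")

def find_dns_hijacks(log, allowed, min_failures=3, window=timedelta(minutes=5)):
    """Return one alert per DNS change that sets a resolver outside `allowed`."""
    failures = defaultdict(list)  # source IP -> timestamps of recent failed logins
    suspects = {}                 # source IP -> time of a login that followed a failure burst
    alerts = []
    for line in log.splitlines():
        if m := LOGIN.match(line):
            ts, result, src = datetime.fromisoformat(m[1]), m[2], m[3]
            recent = [t for t in failures[src] if ts - t <= window]
            if result == "failed":
                failures[src] = recent + [ts]
            else:
                if len(recent) >= min_failures:
                    suspects[src] = ts  # success right after a burst of guesses
                failures[src] = []
        elif m := DNS.match(line):
            ts, src = datetime.fromisoformat(m[1]), m[4]
            rogue = [ip for ip in (m[2], m[3]) if ip not in allowed]
            if rogue:
                after_burst = src in suspects and ts - suspects[src] <= window
                alerts.append({"source": src, "rogue_dns": rogue,
                               "after_bruteforce": after_burst})
    return alerts

if __name__ == "__main__":
    for alert in find_dns_hijacks(SAMPLE_LOG, ALLOWED_DNS):
        print(alert)
```

Both the primary and the secondary resolver are checked, since the article notes the malware replaces both.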