Adversaries may use Android Wi-Fi Switcher trojan variants to automate network interface switching, enabling persistence and covert communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or command-and-control activity.
YARA Rule
rule Android_Switcher
{
    meta:
        description = "This rule detects Android wifi Switcher variants"
        sample = "d3aee0e8fa264a33f77bdd59d95759de8f6d4ed6790726e191e39bcfd7b5e150"
        source = "https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/"
        source2 = "https://koodous.com/rulesets/2049"
        author = "https://twitter.com/5h1vang"

    strings:
        $str_1 = "javascript:scrollTo"
        $str_5 = "javascript:document.getElementById('dns1')"
        $str_6 = "admin:"
        $dns_2 = "101.200.147.153"
        $dns_3 = "112.33.13.11"
        $dns_4 = "120.76.249.59"

    condition:
        androguard.certificate.sha1("2421686AE7D976D19AB72DA1BDE273C537D2D4F9") or
        (androguard.permission(/android.permission.INTERNET/) and
         androguard.permission(/android.permission.ACCESS_WIFI_STATE/) and
         ($dns_2 or $dns_3 or $dns_4) and all of ($str_*))
}
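The condition above depends on the Koodous androguard module, which a stock yara build does not provide, so as an added example (not the page's or the rule author's code) the following Python mirrors the rule's boolean logic over features an analyst extracts from an APK; the function name, feature dictionary layout and sample feature sets are constructed for illustration.

```python
"""Offline evaluator for the Android_Switcher YARA condition.

Added example, not from the page or the rule's author: the rule needs
the Koodous `androguard` module, which stock yara lacks, so this mirrors
its boolean logic over features an analyst pulls from an APK (signing
cert SHA-1, manifest permissions, raw DEX/resource bytes).
"""
import re

# Indicators copied from the rule's strings and condition sections.
CERT_SHA1 = "2421686AE7D976D19AB72DA1BDE273C537D2D4F9"
STR_ALL = [b"javascript:scrollTo",
           b"javascript:document.getElementById('dns1')",
           b"admin:"]                                   # all of ($str_*)
DNS_ANY = [b"101.200.147.153", b"112.33.13.11", b"120.76.249.59"]
PERM_RES = [re.compile(r"android\.permission\.INTERNET"),
            re.compile(r"android\.permission\.ACCESS_WIFI_STATE")]


def evaluate(features):
    """Return every sub-condition plus the overall verdict for triage.

    features = {"cert_sha1": str, "permissions": [str], "blob": bytes}
    """
    blob = features["blob"]
    r = {
        "cert": features["cert_sha1"].upper() == CERT_SHA1,
        "perms": all(any(p.search(x) for x in features["permissions"])
                     for p in PERM_RES),
        "dns": any(ip in blob for ip in DNS_ANY),   # $dns_2 or $dns_3 or $dns_4
        "strings": all(s in blob for s in STR_ALL),  # all of ($str_*)
    }
    r["fired"] = r["cert"] or (r["perms"] and r["dns"] and r["strings"])
    return r


# Constructed sample: hits every string and IP branch, unknown certificate.
SUSPECT = {
    "cert_sha1": "0000000000000000000000000000000000000000",
    "permissions": ["android.permission.INTERNET",
                    "android.permission.ACCESS_WIFI_STATE"],
    "blob": (b"javascript:scrollTo(0,0) javascript:document.getElementById"
             b"('dns1').value='120.76.249.59' admin:admin"),
}
# Constructed sample: a legitimate Wi-Fi manager with the same permissions
# and a router login prompt, but none of the hard-coded rogue DNS servers.
BENIGN = {
    "cert_sha1": "1111111111111111111111111111111111111111",
    "permissions": ["android.permission.INTERNET",
                    "android.permission.ACCESS_WIFI_STATE"],
    "blob": b"javascript:scrollTo(0,0) admin: 192.168.1.1",
}
```

Running `evaluate` on both samples shows why the rule is tight: the benign app shares the permissions and two of the three strings but never trips `strings` or `dns`, so only the certificate branch or the full string-plus-DNS combination fires.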
This rule contains 6 string patterns in its detection logic.

This YARA rule can be deployed in the following contexts:

Scenario: System Maintenance Task Using wifi_switcher Command
Description: A system administrator is running a scheduled maintenance task that uses the wifi_switcher tool to switch between Wi-Fi networks during a routine network configuration update.
Filter/Exclusion: Exclude processes initiated by the system account (root or system) with a scheduled job identifier (e.g., a cron, systemd, or at job ID).

Scenario: Mobile Device Management (MDM) Tool Switching Wi-Fi Networks
Description: An MDM tool such as MobileIron, Microsoft Intune, or Jamf is programmatically switching Wi-Fi networks to enforce compliance with corporate policies.
Filter/Exclusion: Exclude processes associated with known MDM tools (e.g., mobileiron, intunewin, jamf), or check for the presence of MDM agent identifiers in the process name or command line.

Scenario: Automated Network Testing Using wifi_switcher
Description: A QA team is using a tool like Wireshark, tcpdump, or a custom script to test network connectivity by switching Wi-Fi networks as part of a test suite.
Filter/Exclusion: Exclude processes with command-line arguments indicating testing (e.g., --test, --dry-run, or --simulate), or check for known QA tool identifiers in the process name.

Scenario: User-Initiated Wi-Fi Switch via Script or Shortcut
Description: A user is using a script or shortcut (e.g., a .sh file or a shortcut in the Android app drawer) to switch Wi-Fi networks manually, which may trigger the rule.
Filter/Exclusion: Exclude processes initiated by user accounts with a known user-initiated pattern (e.g., su, adb, or `am start