When the router malware detects a query to Google's Analytics service, it spoofs the request by redirecting it to a rogue server instead of the legitimate Google server. Quite a lot of sites run Google Analytics, so for attackers it's a very easy approach to impact countless websites with minimal effort. When a user behind an infected router visits one of these sites, the browser will not pull the Google Analytics script but will instead be served ads or even porn.
The peculiar aspect of this attack is that it's hard to detect. Running a malware scan on your PC will detect nothing because there's nothing wrong on your computer. Few people know routers can be infected, and even then it's probably the last place they'll look.
The malicious JavaScript has been detected injecting ads for various games as well as hardcore pornography. It’s a significant issue for multiple reasons — not only is it built off one of the most common analysis platforms around, it breaks style formatting at the “host” websites and injects ads and overlays that appear, to the end-user, to be officially sanctioned by the site in question. No amount of system reformatting or malware scans will find the error, since the problem is embedded in the router.
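Since a scan of the PC shows nothing, one place to look is the answers the router hands back. The Python below is an added example, not code from the article or from any vendor: it assumes the redirect is done by answering DNS lookups for the analytics hostname with the rogue server's address, and all function names are hypothetical. It asks a named resolver directly and compares the A records with those from an independent resolver.

```python
import ipaddress
import socket
import struct

def build_query(name, qid=0x1234):
    """Encode a recursive A query for `name` in DNS wire format."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return struct.pack(">6H", qid, 0x0100, 1, 0, 0, 0) + labels + b"\0" + struct.pack(">2H", 1, 1)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += msg[off] + 1
    return off + 1

def a_records(msg):
    """Return the set of IPv4 addresses in a response's answer section."""
    qdcount, ancount = struct.unpack(">2H", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">2HIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.add(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return addrs

def resolve_via(server, name, timeout=3.0):
    """Query one named resolver directly instead of the OS default."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return a_records(s.recvfrom(4096)[0])

def mismatch(router_answer, reference_answer):
    """True when both resolvers answered but share no address."""
    return bool(router_answer and reference_answer) and router_answer.isdisjoint(reference_answer)

def sample_response(name, ip):
    """Constructed one-record response, so the parser can be run offline."""
    msg = bytearray(build_query(name))
    msg[2:4], msg[6:8] = b"\x81\x80", b"\x00\x01"  # response flags, ANCOUNT = 1
    return bytes(msg) + b"\xc0\x0c" + struct.pack(">2HIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
```

In live use, call `resolve_via` once with the resolver address the router assigned and once with an independent resolver, then pass both results to `mismatch`. Large services return different addresses by region, so a mismatch is a reason to inspect the router's DNS settings rather than proof of infection.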
Source: ExtremeTech