



Trojan:Android/Crusewind.A

Name: Trojan:Android/Crusewind.A
Detection Names: Crusewind, Crusewind.A
Category: Malware
Type: Trojan
Platform: Android

Summary

Trojan:Android/Crusewind.A intercepts incoming SMS messages and forwards them to a remote server.

Disinfection

Automatic

F-Secure's Mobile Security product blocks installation of this program with default settings (starting from database version 312).



Manual Removal

Trojan:Android/Crusewind.A can be uninstalled by following the steps below:

  • Go to Settings
  • Go to Applications
  • Go to Manage Applications
  • Select the application
  • Press "Clear data"
  • Press "Uninstall"
  • Select "OK" when asked for confirmation and wait

Additional Details

Installation

Prior to installation, the program detected as Trojan:Android/Crusewind.A will request the following permissions:

Once installed, this trojan displays an application icon in the Applications menu. In the samples we analyzed, the application name used is either 'Flashp' or 'MMS', with differing icons.

Example of Trojan:Android/Crusewind.A using the application name 'MMS'.



Activity

When the user clicks on the application icon, the program appears to simply exit without launching. In the background, however, the trojan creates a new service named 'com.flashp.Flashservice':

Service created by Trojan:Android/Crusewind.A

Once the service is active, the trojan will attempt to download an XML configuration file from the following location:

  • h t t p://crusewind.net/[...]/test.xml

The downloaded file contains a list of URLs the trojan will attempt to contact to send and receive data. Further details in the XML file are used by the trojan to determine the remote location where an incoming SMS message will be forwarded.

Crusewind.A also uses JSON to serialise and post a list of applications installed on the affected device to a remote server listed in the XML file.

At the time of writing, all URLs listed in the XML file are blocked by F-Secure's Browsing Protection.
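The two indicators named above, the service 'com.flashp.Flashservice' and the domain crusewind.net, can be looked for in the output of `adb shell dumpsys activity services` and in web-proxy logs. The following is an added example, not part of the original description; the package name `com.flashp`, the function names and all sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the description above.
SERVICE_CLASS = "com.flashp.Flashservice"
CONFIG_DOMAIN = "crusewind.net"

# Component inside "ServiceRecord{<hex> [u<N>] <package>/<class>}".
_SERVICE_RE = re.compile(r"ServiceRecord\{[0-9a-f]+ (?:u\d+ )?([\w.]+)/([\w.$]+)")


def full_class(package, cls):
    """Expand Android's short component form ('pkg/.Cls') to a full class name."""
    return package + cls if cls.startswith(".") else cls


def find_service(dumpsys_text):
    """Return the packages hosting a service whose class is SERVICE_CLASS."""
    hits = []
    for pkg, cls in _SERVICE_RE.findall(dumpsys_text):
        if full_class(pkg, cls) == SERVICE_CLASS and pkg not in hits:
            hits.append(pkg)
    return hits


def find_config_requests(urls):
    """Return URLs whose host is CONFIG_DOMAIN or one of its subdomains."""
    hits = []
    for url in urls:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if host == CONFIG_DOMAIN or host.endswith("." + CONFIG_DOMAIN):
            hits.append(url)
    return hits


# Constructed samples, not captured data; package "com.flashp" is an assumption.
SAMPLE_DUMPSYS = """\
  * ServiceRecord{41a3b2c8 com.flashp/.Flashservice}
  * ServiceRecord{42c01f90 u0 com.example.mail/com.example.mail.SyncService}
"""
SAMPLE_URLS = [
    "http://crusewind.net/PATH-ELIDED/test.xml",  # path is a placeholder
    "http://notcrusewind.net/index.html",         # look-alike suffix, no match
    "http://example.org/?ref=crusewind.net",      # domain only in the query
]

if __name__ == "__main__":
    print(find_service(SAMPLE_DUMPSYS))
    print(find_config_requests(SAMPLE_URLS))
```

Matching on the parsed host rather than on a substring keeps look-alike domains and query-string mentions out of the results.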



Additional

In addition to forwarding SMS messages, the trojan also has the capability to delete them.

Crusewind is also able to check its current version and update itself or, if necessary, delete itself.