Trojan:Android/Crusewind

Classification

Malware

Trojan

Android

Trojan:Android/Crusewind.A, Crusewind, Crusewind.A

Summary

Trojan:Android/Crusewind.A intercepts incoming SMS messages and forwards them to a remote server.

Removal

Automatic action

Once the scan is complete, the F-Secure security product will ask if you want to uninstall the file, move it to the quarantine or keep it installed on your device.

Manual removal

Trojan:Android/Crusewind.A can be uninstalled by following the steps below:

  • Go to Settings
  • Go to Applications
  • Go to Manage Applications
  • Select the application
  • Press "Clear data"
  • Press "Uninstall"
  • Select "OK" when asked for confirmation and wait

Technical Details

Installation

Prior to installation, the program detected as Trojan:Android/Crusewind.A will request the following permissions:

Once installed, this trojan displays an application icon in the Applications menu. In the samples we analyzed, the application name used was either 'Flashp' or 'MMS', with differing icons.

Example of Trojan:Android/Crusewind.A using the application name 'MMS'.

Activity

When the user clicks on the application icon, the program appears to simply exit without launching. In the background, however, the trojan creates a new service named 'com.flashp.Flashservice':

Service created by Trojan:Android/Crusewind.A

Once the service is active, the trojan will attempt to download an XML configuration file from the following location:

  • h t t p://crusewind.net/[...]/test.xml

The downloaded file contains a list of URLs the trojan will attempt to contact to send and receive data. Further details in the XML file are used by the trojan to determine the remote location where an incoming SMS message will be forwarded.

Crusewind.A also uses JSON to serialise and post a list of applications installed on the affected device to a remote server listed in the XML file.

At the time of writing, all URLs listed in the XML file are blocked by F-Secure's Browsing Protection.
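
The two indicators described above (the configuration host and the service name) can be checked for in web proxy logs and in a device service inventory. The following is an added example, not F-Secure's code; the log layout, the inventory format, the 'placeholder' path segment and all sample data are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Indicators taken from the description above.
CONFIG_HOST = "crusewind.net"
SERVICE_NAME = "com.flashp.Flashservice"

def host_matches(url, domain=CONFIG_HOST):
    """True if the URL's host is the domain itself or a subdomain of it."""
    # .hostname is already lowercased; strip a trailing root dot as well.
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host == domain or host.endswith("." + domain)

def scan_proxy_log(lines):
    """Return (client, url) for each request to the configuration host.

    Assumed layout: <timestamp> <client-ip> <method> <url> <status>
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or truncated lines
        if host_matches(fields[3]):
            hits.append((fields[1], fields[3]))
    return hits

def devices_with_service(inventory):
    """Return ids of devices whose service list contains SERVICE_NAME.

    `inventory` maps a device id to fully qualified service class names
    (assumed export format, for example from a device-management tool).
    """
    return sorted(d for d, svcs in inventory.items() if SERVICE_NAME in svcs)

# Constructed sample data, not taken from a real network.
SAMPLE_LOG = [
    "2011-01-01T10:00:01Z 10.0.0.21 GET http://crusewind.net/placeholder/test.xml 200",
    "2011-01-01T10:00:05Z 10.0.0.22 GET http://CRUSEWIND.NET./placeholder/test.xml 403",
    "2011-01-01T10:00:09Z 10.0.0.23 GET http://notcrusewind.net/test.xml 200",
    "2011-01-01T10:00:12Z 10.0.0.24 GET http://crusewind.net.example.org/test.xml 200",
    "truncated line",
]
SAMPLE_INVENTORY = {
    "device-a": ["com.example.clock.AlarmService", "com.flashp.Flashservice"],
    "device-b": ["com.example.mail.SyncService"],
}
```

Matching on the parsed host rather than on a substring keeps lookalike names such as 'notcrusewind.net' out of the results, and a blocked request (status 403 in the sample) is still reported because it identifies a device that tried to fetch the configuration.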

Additional

In addition to forwarding SMS messages, the trojan also has the capability to delete them.

Crusewind is also able to check its current version and update itself, or if necessary delete itself.
