Trojan:Android/Crusewind.A intercepts incoming SMS messages and forwards them to a remote server.
Trojan:Android/Crusewind.A can be uninstalled by following the steps below:
Prior to installation, the program detected as Trojan:Android/Crusewind.A will request the following permissions:
Once installed, this trojan displays an application icon in the Applications menu. In the samples we analyzed, the application name used are either 'Flashp' or 'MMS', with differing icons.
Example of Trojan:Android/Crusewind.A using the application name 'MMS'.
When the user clicks on the application icon, the program appears to simply exit without launching. In the background however, the trojan creates a new service named 'com.flashp.Flashservice':
Service created by Trojan:Android.Crusewind.A
Once the service is active, the trojan will attempt to download an XML configuration file from the following location
The downloaded file contains a list of URLs the trojan will attempt to contact to send and receive data. Further details in the XML file are used by the trojan to determine the remote location where an incoming SMS message will be forwarded.
Crusewind.A also uses JSON to serialise and post a list of applications installed on the affected device to a remote server listed in the XML file.
At the time of writing, all URLs listed in the XML file are blocked by F-Secure's Browsing Protection.
In addition to forwarding SMS messages, the trojan also has the capability to delete them.
Crusewind is also able to check its current version and update itself, or if necessary delete itself.
Date Created: -
Date Last Modified: -