ANDROIDOS_CRUSEWIN.A | Low Risk | Trend Micro Threat Encyclopedia

Export page to PDF

ANDROIDOS_CRUSEWIN.A

Malware type: Trojan
Threat sub-type: Premium Service Abuser
Destructive: No
Platform: Android OS
Encrypted: No
In the wild: Yes

Overall Risk Rating:

Low

Damage Potential:

High

Distribution Potential:

Low

Reported Infection:

Low

Overview

This Android malware acts as an SMS relay. It uses the infected device as proxy for sending and receiving SMS messages. As a result, affected users may be charged for sending SMS without their knowledge.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This malware has certain capabilities such as sending and receiving SMS, deleting SMS, getting installed applications, deleting and updating itself.

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

Technical Details

File size: 36,368 bytes
File type: DEX
Memory resident: Yes
Initial samples received date: 21 Jun 2011
Payload: Compromises system security, Connects to URLs/IPs, Steals information

Arrival Details

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

NOTES:
This Android malware acts as an SMS relay which receives SMS to be forwarded from a remote URL. As a result, affected users may be charged for sending SMS without their knowledge. This malware has the following capabilities:

Send and receive SMS
Delete SMS
Get installed applications
Delete itself
Update Itself

It receives an XML configuration file from the following URL:

http://{BLOCKED}ind.net/flash/test.xml?imei={IMEI}&time={current time}

The configuration file contains the message body of the SMS and the number it sends to. It also contains where the malware forwards SMS messages, posts installed applications, updates itself, and where to notify the remote user for its status.

This malware also monitors the the affected phone's received SMS. If an SMS is from the number it sent to, the message is relayed to the following URL:

http://{BLOCKED}ind.net/flash/in.php?imei={IMEI}&time={current time}

Once the message is posted, the malware deletes the SMS from the affected phone to hide itself from the user.

The list of applications installed in the affected phone is posted by the malware to the following link:

http://{BLOCKED}ind.net/flash/list.php?imei={IMEI}&time={current time}

Please note that the analysis above is based from the XML configuration downloaded by the malware at the time of this writing and may change anytime.

Solution

Minimum scan engine: 8.900
Trend Micro Mobile Security Pattern Version: 1.109.00
Trend Micro Mobile Security Pattern Release Date: 22 Jun 2011

NOTES:

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via the Android Market.

Remove unwanted apps on your Android mobile device

To remove unwanted apps on your mobile device:

Go to Settings > Applications > Manage Applications.
Locate the app to be removed.
Scroll and highlight the app to be removed, then choose Uninstall.

Did this description help? Tell us how we did.

Analysis By: Karl Dominguez

Product Support

Go To:

Popular Products

More Support

Go to:

Popular Products

Threat Encyclopedia

Overview

Technical Details

Solution