Crossover is the first known malware that can spread automatically from a PC to a Windows Mobile device via an ActiveSync session. It was released to the Mobile Anti-virus Research Association on February 23, 2006 by its author, who is an anonymous source. This is a live, working proof-of-concept (PoC) Trojan that infects both the host PC and ANY Windows Mobile device that connects via ActiveSync. To the best of our knowledge, at the time of this writing it is not in the wild, so it should not be considered an immediate threat.
Crossover is not a very malignant PoC. If this Trojan were to escape into the public, however, it would cause some damage to both the infected PC and the Pocket PC (PPC). In short, it will use up system resources and delete files found in the \My Documents directory on the PDA. However, infection is fairly easy to spot and just as easy to remove. This Trojan was not intended for stealth infections, as its footprint quickly becomes obvious to the PDA user.
In addition to being able to transfer from the PC to the PDA, the Crossover Trojan is also unique in the Windows Mobile world for another reason: the same binary can be executed both on the Pocket PC and on the PC. Internal logic determines the execution path and the resultant effects. In the following section we will describe the details of the Trojan.