14 DAY TRIAL // Vodafone's Spanish branch confirmed that as many as 3,000 mobile phones sold to its customers this month carried malware. The problem resides with a batch of infected microSD cards and not the devices themselves.
Last week, security researchers from Panda Security reported having found several strains of malware on a brand new HTC Magic phone acquired from a Vodafone dealer in Spain. The discovery was made by a Panda worker who bought the device and connected it to her computer via USB, triggering alerts from the installed antivirus program.
Amongst the threats identified was a computer trojan capable of stealing financial and other sensitive information from its victims, called Mariposa. Vodafone initially dismissed the incident as local and isolated; however, a few days ago, a second HTC Magic smartphone infected with the same Mariposa version was discovered.
The device was bought directly from Vodafone Spain by a security consultant at S21Sec during the first week of March. The malicious files found on the phone's microSD memory card had a creation date of March 1, 2010.
According to MovilZona, a Spanish mobile news website, Vodafone confirmed that 3,000 devices sold in the country might suffer from a similar problem. The mobile operator pointed out that a batch of infected memory cards is at fault and revealed it is currently in the process of replacing them.
The company plans to offer a solution for cleaning computers infected as a result of the incident. However, this could be too late for some customers whose financial information might have already been stolen. In addition, Vodafone admits that HTC Magic might not be the only phone model affected.
In theory, any type of phone that had a memory card from the compromised batch installed represents a risk to its owner. But, aren't phones supposed to be subjected to additional tests after they get a memory card installed and before they leave Vodafone's doors? And if they are tested, isn't there any malware scan involved in this quality assurance process? It only seems sensible to scan removable devices that can later interact with computers, for malware.