Doubtfully an isolated incident

Mar 17, 2010 16:01 GMT  ·  By

Security researchers who reported last week that a Vodafone-issued HTC Magic phone came preloaded with malware are now in possession of a second infected device. An identical phone, acquired from the same mobile operator during the same period, carries the same Mariposa trojan strain.

Earlier last week, security researchers from Spanish antivirus vendor Panda Security found a Mariposa botnet client and other malware on the memory card of a new Android-based HTC Magic phone bought from Vodafone. The telecom company, one of the largest mobile operators in the world, responded by dismissing the infected phone as an "isolated local incident."

However, now that a second infected HTC Magic device supplied by Vodafone has been uncovered, the occurrence no longer appears to be so isolated. According to Panda, the new phone was bought last week by an employee of a different security firm, who scanned it immediately after reading about the previous incident online.

"This guy had also purchased an HTC Magic direct from Vodafone’s official website the same week as my co-worker. He hadn’t connected the phone to his PC yet, but as soon as he saw the news hurried back home, plugged it in via USB and scanned its memory card with both Malwarebytes and AVG Free. Lo and behold, Mariposa emerged again, exactly in the same way as in our original finding," Pedro Bustamante, senior research advisor at Panda, explains. Mr. Bustamante was personally involved earlier this year in an effort to dismantle a huge Mariposa-based botnet comprising millions of infected computers.

But the coincidences don't stop here. The Mariposa sample found on the device was identical to the one detected on the first phone, down to the command and control servers specified in its configuration. Furthermore, as with the previous incident, Mariposa was not the only malware residing on the memory card. It is worth stressing that none of this code targets Android: the card carries Windows malware that lies dormant until the phone is mounted as a USB storage device on a PC, where it can execute silently on a system that still honours autorun for removable media. Bustamante noted that an Autorun worm was also present in a RECYCLER folder, a location chosen because it imitates the Windows recycle bin and is rarely inspected by users.

"Having the exact same botnet client with the exact same characteristics, with such little time difference between the malware being loaded and delivered to the client and all happening during the same week, makes me think this might be a bigger problem, either with QA or with a specific batch of phones. [...] Vodafone stated it was an isolated incident, but that theory is losing ground as quick as you can say 'p0wn3d'," the researcher concludes.

If you have never considered that a mobile phone can be used as a conduit for malware, you might want to scan its memory card with a capable antivirus immediately; especially if you have plugged it into multiple computers or if it is an HTC Magic recently bought in Europe from Vodafone. Since both the Mariposa dropper and the worm found here rely on the PC launching whatever the card's autorun configuration points at, disabling AutoRun/AutoPlay for removable drives on Windows blunts this delivery path regardless of which phone or card is involved.
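The following is an added example, not code from Panda Security or from the article, showing the kind of check a practitioner would run against a phone's memory card before trusting it: it parses the card's autorun.inf for launch directives and walks the volume for executables hidden in RECYCLER-style folders, the two indicators the article describes. It assumes the autorun worm uses the standard autorun.inf mechanism (the article names the worm type, not the file), and the sample volume it builds is constructed for the demonstration, with placeholder names rather than real malware.

```python
"""Triage a mounted removable volume for the autorun-worm footprint described
in the article: an autorun.inf that launches a program, and executables inside
a RECYCLER / RECYCLED / $Recycle.Bin folder. Added example; the volume layout
below is constructed, not captured from an infected card."""

import os
import re
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
LAUNCH_KEYS = ("open", "shellexecute")          # direct launch directives
RECYCLER_NAMES = {"recycler", "recycled", "$recycle.bin"}


def parse_autorun(text):
    """Return launch directives from the [autorun] section as {key: value}.

    Only 'open', 'shellexecute' and 'shell\\<verb>\\command' are launch keys;
    'icon', 'label' etc. are ignored. Tolerates comments and junk lines,
    which autorun worms often insert to confuse naive scanners."""
    directives = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            directives[key] = value.strip().strip('"')
    return directives


def launch_target(value):
    """Strip arguments from a directive value, keeping the program path."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', value)
    return (m.group(1) or m.group(2)) if m else value


def triage_volume(root):
    """Return human-readable findings for a mounted volume rooted at `root`."""
    root = Path(root)
    findings = []
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is not None:
        for key, value in parse_autorun(inf.read_text(errors="replace")).items():
            findings.append(f"autorun.inf {key}= launches {launch_target(value)}")
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        if not any(part.lower() in RECYCLER_NAMES for part in rel.parts):
            continue
        for name in filenames:
            if Path(name).suffix.lower() in EXEC_SUFFIXES:
                findings.append(f"executable inside recycler folder: {rel / name}")
    return findings


def build_sample():
    """Constructed sample card (hypothetical placeholder names, harmless bytes):
    a photo folder as decoy, plus an autorun.inf pointing into RECYCLER."""
    root = Path(tempfile.mkdtemp(prefix="sdcard_"))
    (root / "DCIM").mkdir()
    (root / "DCIM" / "IMG_0001.JPG").write_bytes(b"\xff\xd8\xff")
    hidden = root / "RECYCLER" / "S-1-5-21-EXAMPLE"
    hidden.mkdir(parents=True)
    (hidden / "Desktop.exe").write_bytes(b"MZ")        # stand-in, not a real PE
    (root / "autorun.inf").write_text(
        "[AutoRun]\r\n"
        ";junk line the worm writes to confuse scanners\r\n"
        "open=RECYCLER\\S-1-5-21-EXAMPLE\\Desktop.exe\r\n"
        "shell\\open\\Command=RECYCLER\\S-1-5-21-EXAMPLE\\Desktop.exe\r\n"
        "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    )
    return root


if __name__ == "__main__":
    for finding in triage_volume(build_sample()):
        print(finding)
```

Run it against the real mount point of the card instead of `build_sample()`; an empty result does not prove the card is clean (a dropper need not use autorun.inf at all), but any hit means the card should be wiped before it touches another PC.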