Vodafone sold an Android smartphone infected with Mariposa
According to a report from Spanish anti-virus vendor Panda, Vodafone Spain has sold at least one HTC Magic Android smartphone with the Mariposa bot installed on its memory card. The problem came to light when one of Panda's virus analysts connected his freshly purchased smartphone to his PC. The analyst found that, in addition to the Mariposa bot, the memory card also contained the Conficker worm and a password-stealing trojan. The Android system's file system was apparently still intact.
Apparently, once the phone was connected to the PC the Mariposa bot started up automatically and tried to find (and infect) further PCs on the network. The bot also contacted a Command&Control server – probably a server which was still available even though the Mariposa botnet was recently destroyed. Panda suspects that perhaps a different gang of criminals running a parallel botnet are behind the attack.
Vodafone has acknowledged the problem but hasn't explained how the malware found its way onto the card. First investigations apparently indicate that the incident was an isolated, local problem. Whether further devices were also infected has not yet been established. While Panda bought additional smartphones of the same type after the problem was found, they haven't released any further findings.
In a statement, Vodafone D2 (Germany) spokesperson Thorsten Höpken emphasised that the described case was a freak incident localised to Spain. "It involved a customer who manipulated such a device, re-sealed the box with a bogus label and subsequently re-circulated the product", said Höpken in an email to The H's associates at heise Security. Vodafone said they carried out random checks of the HTC Magic smartphones they have in stock and didn't find a single compromised device.
- Researchers show infecting smartphones with malware is relatively easy, a report from The H.
- Spanish police release details about Mariposa arrests, a report from The H.