Malware found on second Vodafone HTC Magic

Another security firm finds Mariposa malware on a new Android-based HTC Magic from Vodafone, according to PandaLabs.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

When Panda Security found malware on a brand new Android-based Vodafone HTC Magic earlier this month, Vodafone said it was an "isolated local incident." Now, a second phone has been found harboring malware, including a program that turns infected machines into zombies as part of the Mariposa credit card and bank log-in-stealing botnet, according to Spain-based PandaLabs.

After hearing about PandaLabs' discovery, an employee at another Spanish security company, S21Sec, checked his recently acquired HTC Magic and found the Mariposa malware lurking on it, according to a PandaLabs blog post on Wednesday.

"This guy had also purchased an HTC Magic direct from Vodafone's official Web site the same week as my co-worker," writes Pedro Bustamante of PandaLabs. "He hadn't connected the phone to his PC yet, but as soon as he saw the news hurried back home, plugged it in via USB, and scanned its memory card with both MalwareBytes and AVG Free. Lo and behold, Mariposa emerged again, exactly in the same way as in our original finding."

PandaLabs connected the S21Sec employee's microSD card to his PC and found that the smartphone was loaded with the malware on March 1, more than a week before he had received the phone from Vodafone.

"This Mariposa botnet client is also loaded in the same hidden NADFOLDER directory. It is also named as AUTORUN.EXE and will automatically run when connected into a Windows machine unless you have autorun disabled (download USB Vaccine to disable autorun if you haven't done so yet)," the PandaLabs blog item says.

"The Mariposa botnet client itself is exactly the same as reported last week, with the same nickname and same Command & Control servers," the post says. "There was also more malware in the SD card in addition to Mariposa. I also found a Win32/AutoRun worm" in the card.

Vodafone representatives, who are based in the U.K., could not immediately be reached for comment on Wednesday.

Update March 18 10:14 a.m. PDT: A Vodafone spokesperson provided a statement via e-mail:

"Vodafone takes security of its customers very seriously and there is an ongoing investigation into the issue. After an extensive Quality Assurance testing on HTC Magic handsets in several of our operating companies, indications are that this is a local incident in Spain. Vodafone keeps all of its security processes under constant review as new threats arise and we will take all appropriate actions to safeguard our customers' privacy."

This screenshot shows that the malware found on the second HTC Magic from Vodafone is named AUTORUN.EXE and stored in a hidden folder directory named "NADFOLDER" as the malware found earlier. PandaLabs