Researchers at Panda Security found traces of the notorious Mariposa botnet on a Vodafone HTC Magic smartphone for the second time in as many weeks.
According to the Panda blog, the latest malware-infected phone belonged to an employee of a security company in Spain called S21Sec.
“This guy had also purchased an HTC Magic direct from Vodafone’s official Website the same week as my co-worker,” explained Panda senior research adviser Pedro Bustamante. “He hadn’t connected the phone to his PC yet, but as soon as he saw the news, [he] hurried back home, plugged it in via USB and scanned its memory card with both MalwareBytes and AVG Free. Lo and behold, Mariposa emerged again, exactly in the same way as in our original finding.
“According to the dates of the files, it seems his Vodafone HTC Magic was loaded with the Mariposa bot client on March 1, 2010, at 19:07, a little over a week before the phone was delivered to him directly from Vodafone,” the researcher said. “This Mariposa botnet client is also loaded in the same hidden NADFOLDER directory. It is also named as AUTORUN.EXE and will automatically run when connected into a Windows machine unless you have autorun disabled (download USB Vaccine to disable autorun if you haven’t done so yet).”
The finding follows Bustamante’s initial report March 8, when he revealed malware linked to Mariposa had been found on a device purchased from Vodafone. For its part, Vodafone has told the media its investigation into the incidents is ongoing, and that the company is taking the situation seriously.
Bustamante suggested people scan the microSD cards of newly purchased devices with updated antivirus to be safe.
“If you’re in Europe and you’ve purchased an HTC Magic from Vodafone a few weeks before or after March 1, 2010, I’d double-check my PC and my HTC’s microSD card if I were you,” he advised.
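A quick triage of a mounted card, alongside the antivirus scan recommended above, as an added example that is not code from Panda or from the original report. It walks every directory (so a hidden folder such as NADFOLDER is included), flags Windows executables by their `MZ` header, and lists anything an `autorun.inf` at the card's root tells Windows AutoRun to launch. Assumptions: the report names only AUTORUN.EXE and NADFOLDER, so the `autorun.inf` file, the function names and the sample card built here are constructed for illustration.

```python
import os
import re
import tempfile

# autorun.inf keys that name a program for Windows AutoRun to start.
LAUNCH_KEY = re.compile(r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.I)

def autorun_targets(root):
    """Return launch targets named in an autorun.inf at the volume root."""
    targets = []
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), "r", errors="replace") as fh:
                targets += [m.group(2) for m in map(LAUNCH_KEY.match, fh) if m]
    return targets

def is_pe(path):
    """True when the file starts with the DOS/PE 'MZ' magic."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"

def triage_volume(root):
    """Walk the whole card (hidden directories included) and list findings."""
    findings = [("autorun.inf launches", t) for t in autorun_targets(root)]
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_pe(full):
                kind = "autorun-named executable" if name.lower() == "autorun.exe" else "executable"
                findings.append((kind, os.path.relpath(full, root)))
    return findings

def build_sample_card():
    """Constructed sample volume: harmless stub files, not real malware."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "NADFOLDER"))
    samples = {"NADFOLDER/AUTORUN.EXE": b"MZ" + b"\x00" * 62,
               "autorun.inf": b"[autorun]\r\nopen=NADFOLDER\\AUTORUN.EXE\r\n",
               "photo.jpg": b"\xff\xd8\xff\xe0"}
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for kind, detail in triage_volume(build_sample_card()):
        print(f"{kind}: {detail}")
```

To check a real card, pass its mount point to `triage_volume()`; any executable on a factory-fresh microSD card deserves a closer look before the phone is connected to a Windows PC.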