Vodafone-Distributed Handset Found Pre-installed With Mariposa Bot

Security researchers have found the Mariposa bot client pre-installed on a mobile phone handset distributed in Europe, and say that the malware looks to have been installed on the phone’s memory card.

Security researchers have found the Mariposa bot client pre-installed on a mobile phone handset distributed in Europe, and say that the malware looks to have been installed on the phone’s memory card.

The phone, the HTC Magic, runs the Google Android mobile operating system, and is a low-priced handset distributed by Vodafone. A researcher at Panda Security received one of the handsets recently, and upon attaching it to her PC, found that the phone was pre-loaded with the Mariposa bot client. Mariposa has been in the news of late thanks to some arrests connected to the operation of the botnet.

 

However, that was not the only malware the Panda researcher found on the phone.

“Interestingly enough, the Mariposa bot is not the only malware I found
on the Vodafone HTC Magic phone. There’s also a Confiker and a Lineage
password stealing malware. I wonder who’s doing QA at Vodafone and HTC
these days,” Pedro Bustamante of Panda wrote in a blog post on the incident. The phone was purchased new in Spain.

In the comments of the post, Bustamante says that the malware was found on the memory card and not the phone’s file system. The bot was found on one phone, although Bustamante said that the company is buying some more of the Magic handsets to see if the malware shows up on others.

In a statement, HTC said they believe the problem was contained.

“HTC operates rigorous quality assurance testing
of all products entering the market. We believe this was an isolated incident
but are working closely with Vodafone to investigate thoroughly,” the company said.

John Leyden at The Register reports that Vodafone has investigated the incident and found it to be a local, isolated problem. “Following extensive Quality Assurance testing on HTC Magic handsets in
several of our operating companies, early indications are that this was
an isolated local incident,” Vodafone told Leyden in a statement.

After the researcher plugged the HTC phone into the PC, the Mariposa client began trying to infect other PCs in the local network and also started trying to contact a remote server. The Panda researcher found that the client was not being run by the same group of alleged Spanish hackers who were arrested last week, but by someone named “tnls.”

Pre-installing malware on hardware devices such as phones, digital photo frames, USB keys and others has become a favored attack vector for criminals. It simply takes one weak link in the supply chain, which can include dozens of countries around the globe, to plant the malware on thousands or millions of devices.

The main Mariposa botnet was shut down recently, and security researchers have taken control of the botnet’s command-and-control channels. The takedown was a large cooperative effort among various security companies, including Panda and Defence Intelligence, and law enforcement agencies, a paradigm that is becoming more common in recent months as experts continue to focus their attention on the massive botnet epidemic.

Researchers at Microsoft, working closely with law enforcement officials, recently shut down the Waledac botnet, a smaller operation that had been peppering user’s of Microsoft’s Hotmail service with billions of spam messages for some time.

*This story has been updated to clarify that the malware was found on the memory card, not the file system, and to add Vodafone’s statement to The Register. The headline also was updated to reflect the new information.

Suggested articles