Vodafone-Distributed Handset Found Pre-installed With Mariposa Bot

Security researchers have found the Mariposa bot client pre-installed on a mobile phone handset distributed in Europe, and say that the malware looks to have been installed on the phone’s memory card.

The phone, the HTC Magic, runs the Google Android mobile operating system, and is a low-priced handset distributed by Vodafone. A researcher at Panda Security received one of the handsets recently, and upon attaching it to her PC, found that the phone was pre-loaded with the Mariposa bot client. Mariposa has been in the news of late thanks to some arrests connected to the operation of the botnet.


However, that was not the only malware the Panda researcher found on the phone.

“Interestingly enough, the Mariposa bot is not the only malware I found on the Vodafone HTC Magic phone. There’s also a Conficker and a Lineage password stealing malware. I wonder who’s doing QA at Vodafone and HTC these days,” Pedro Bustamante of Panda wrote in a blog post on the incident. The phone was purchased new in Spain.

In the comments of the post, Bustamante says that the malware was found on the memory card and not the phone’s file system. The bot was found on one phone, although Bustamante said that the company is buying some more of the Magic handsets to see if the malware shows up on others.

In a statement, HTC said they believe the problem was contained.

“HTC operates rigorous quality assurance testing of all products entering the market. We believe this was an isolated incident but are working closely with Vodafone to investigate thoroughly,” the company said.

John Leyden at The Register reports that Vodafone has investigated the incident and found it to be a local, isolated problem. “Following extensive Quality Assurance testing on HTC Magic handsets in several of our operating companies, early indications are that this was an isolated local incident,” Vodafone told Leyden in a statement.

After the researcher plugged the HTC phone into the PC, the Mariposa client began trying to infect other PCs in the local network and also started trying to contact a remote server. The Panda researcher found that the client was not being run by the same group of alleged Spanish hackers who were arrested last week, but by someone named “tnls.”

Pre-installing malware on hardware devices such as phones, digital photo frames, USB keys and others has become a favored attack vector for criminals. It simply takes one weak link in the supply chain, which can include dozens of countries around the globe, to plant the malware on thousands or millions of devices.

The main Mariposa botnet was shut down recently, and security researchers have taken control of the botnet’s command-and-control channels. The takedown was a large cooperative effort among various security companies, including Panda and Defence Intelligence, and law enforcement agencies, a paradigm that is becoming more common in recent months as experts continue to focus their attention on the massive botnet epidemic.

Researchers at Microsoft, working closely with law enforcement officials, recently shut down the Waledac botnet, a smaller operation that had been peppering users of Microsoft’s Hotmail service with billions of spam messages for some time.

*This story has been updated to clarify that the malware was found on the memory card, not the file system, and to add Vodafone’s statement to The Register. The headline also was updated to reflect the new information.


  • Anonymous on

    Sounds like bollocks to me.  1 phone out of the 1000s sold?  Prob a refurb or some spotty oik in the shop using it before selling it, otherwise this would definitely have been spotted earlier.

  • Lee Whitfield on

    The title of this is VERY misleading as you suggest that HTC are to blame when they are not. When you plug an Android phone into a computer you see the inserted memory card and not the phone itself. This is down to the memory card and Vodafone's supplier or some rogue employee(s). I'd consider retracting/changing the title of this before HTC lawyers start calling.

  • Gold on

    This article is useless.  Where are the instructions or links that show how to check if the phone you have has this bot installed already?

  • Anonymous on


    Are you trying to sell your product or what?

    None of this is installed on the phone, the phone does not run windows binaries.

    If I were HTC and Google I would be suing the crap out of you about now.

  • Dennis Fisher on

    If you read the entire post on Panda's site, including the comments, the phone was new in the package when it was delivered. Not opened. And it looks like the malware was on the memory card.

  • Lee Whitfield on

    Yes, but that doesn't mean that you can just publish an article with a headline suggesting that HTC are responsible. The phone was not pre-installed with the malware. As far as I know the cards are supplied by the carriers anyway, not the manufacturers. Your headline is sensationalistic and simply not true. The content of the article says that the phones come preinstalled with the virus, a fallacy. And, according to the original article, IT HAS ONLY BEEN FOUND ON ONE PHONE. Do yourself a favour and amend this article.

  • Dennis Fisher on

    You're correct. The headline was not accurate, and it's been changed. I also updated the story to make it clear that the bot was on the card, not the filesystem. Those were my mistakes. Thanks for pointing them out.

  • Lee Whitfield on

    Much appreciated. Sorry for being so forthright.

  • candark on

    the good phone, win mobile 6.1 my phone is hetece hd2
    htc support forum
