Mariposa bot distributed by Vodafone’s infected phone

Following yesterday’s news about the Energizer DUO USB recharger that infects PCs with a Trojan, here is another piece of equipment whose software comes bundled with malware: the new Vodafone HTC Magic with Google’s Android OS.

The massive infection potential was commented on by a Panda Security’s researcher, who says that the phone in question is distributed by Vodafone “to its userbase in some European countries and it seems affordable as you can get it for 0€ or 1€ under certain conditions.”

The researcher has been alerted to the possibility of the phone carrying malware by a colleague who, upon receiving the phone, connected it to her PC and triggered a warning by the company’s cloud AV solution: two files, autorun.inf and autorun.exe are malicious.

It turns out that the phone is infected with a Mariposa bot client that enlists the PC into a botnet run by someone that goes by the handle “tnis”. The C&C centres are located at:

  • mx5.nadnadzz2.info
  • mx5.channeltrb123trb.com
  • mx5.ka3ek2.com.

Once the PC is infected, you can see the malware contacting the centers for further instructions:

But that’s not the end of it – the researcher also found a Confiker and a Lineage password stealing malware on the phone, making him wonder just what kind of Quality Assurance operation Vodafone and HTC are running.

Vodafone released a statement saying that “early indications are that this was an isolated local incident”.

Don't miss