Vodafone ships another infected handset

HTC Magic comes with unwanted extra

Vodafone has distributed a second HTC handset complete with malware pre-installed, according to security vendor Panda Research.

In a blog post, Panda senior research advisor Pedro Bustamante said that a concerned user had sent the firm an HTC Magic purchased through Vodafone, and that it was found to contain a Mariposa infection.

The user sent Panda the phone because of a previous report from the firm that covered an earlier, similar infection.

"This guy had also purchased an HTC Magic direct from Vodafone's official website the same week as my co-worker," wrote Bustamante.

"He hadn't connected the phone to his PC yet, but as soon as he saw the news hurried back home, plugged it in via USB and scanned its memory card with both MalwareBytes and AVG Free. Lo and behold, Mariposa emerged again, exactly in the same way as in our original finding."

In the previous case Vodafone suggested that the presence of Mariposa was an isolated incident. A spokesman said, "The most likely cause of this infection is that someone will have sent the device back to Vodafone in a box that looked sealed, when in fact it had been tampered with."

However, Bustamante said that this new infection suggested that the isolated incident theory was losing validity.

"Having the exact same botnet client with the exact same characteristics, with such little time difference between the malware being loaded and delivered to the client and all happening during the same week, makes me think this might be a bigger problem, either with quality assurance or with a specific batch of phones," he explained.

He recommended that anyone in Europe who had purchased an HTC Magic through Vodafone should run a security check on their PC and HTC microSD card.

We have asked Vodafone for comment, and were told by a spokesman that the firm was monitoring the situation but had itself received no complaints from customers.

"The early indications are that these are isolated local incidents that appear to be confined to Spain," he said. "We take our customers' security and privacy extremely seriously and will take further action to protect our customers should it be necessary."