Mariposa Botnet Malware Found On Vodaphone HTC Magic

Following Energizer's acknowledgment last week that it had been distributing infected software in conjunction with its DUO USB charger comes a report that malware has been found on a Vodafone HTC Magic running Google's Android OS.

The malware in question includes code to create a Mariposa bot, the Conficker worm, and a trojan software designed to steal passwords from the game Lineage.

"A quick analysis of the malware reveals that it is in fact a Mariposa bot client," explains Panda Security researcher Pedro Bustamante in a blog post. "This one, unlike the one announced last week which was run by Spanish hacker group 'DDP Team,' is run by some guy named 'tnls.' Once infected you can see the malware 'phoning home' to receive further instructions, probably to steal all of the user's credentials and send them to the malware writer."

Panda Security, working with Defense Intelligence and law enforcement authorities, last week announced the shutdown of the Mariposa botnet and the arrest of its three alleged ringleaders by Spanish police.

The botnet is said to have stolen account information and other sensitive data from an estimated 12.7 million compromised IP addresses belonging to individuals, companies, and other organizations across 190 countries.

The botnet spread through P2P networks, USB drives, and MSN links, according to Panda.

And that appears to be how the malware spreads from PCs to phones. Bustamante says that a colleague noticed the phone attempt to infect her computer after she plugged it into a USB port and saw her Panda Cloud Antivirus detect malicious autorun.inf and autorun.exe files.

In comments following up on his post, Bustamante says the malware appears to reside on the memory card rather than in Android's file system. "It could be a malicious employee, a bad batch, provided by the manufacturer, lack of QA or a returned and refurbished unit," he speculates.

A spokesperson for Vodaphone wasn't immediately available.