Vodafone ships Mariposa-infected HTC Magic

Vodafone has been blamed for shipping Mariposa botnet malware and other nasties on an HTC Magic Android smartphone it supplied. The mobile phone giant's Spanish arm supplied an HTC Magic smartphone preloaded with malware that attempted to establish a backdoor for stealing information on connected PCs during the synchronisation …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Umm...

    ...I am a bit confused (if not down-right stupid). Conficker is a Windows virus. I assume the Mariposa bot is also a Windows bot. How can these infect Android which is a flavour of Linux?

    Actually, never mind that; they could get included during application deployment to the phone when being manufactured. How the heck can this malware even run? Won't they depend on Windows hooks?

    1. TeeCee Gold badge

      No mystery

      "...attempted to establish a backdoor.........on connected PCs during the synchronisation process."

      So the payload's on the device and they've somehow managed to hook into the sync process to install it where it can run. I'll bet an Android device can look like a connected drive to a Win PC for ease of copying back and forth and they've gone with the age-old autorun trick.

      Were that to be so (the "appear as a drive" bit) the Conficker infection is easy to explain as that's how it spreads, it's never relied on the thing that presents the drive being able to run the code. I wouldn't mind a side-bet on the Mariposa infection being down to somebody retrofitting this replication mechanism to same.

      1. Eponymous Cowherd
        Thumb Down

        Androids don't synch with PCs....

        Android phones don't synchronise with "connected PCs". You can mount the SD card and copy files, but nothing happens automagically unless you are stupid enough to have auto-run enabled on your PC.

        (Android phones synch calendars, contacts, etc, with your Google account and, obviously, do that without being connected to a PC and is why there is no Android equivalent to ActiveSync, iTunes, etc.).

    2. Anonymous Coward

      it doesn't run on the phone

      It gets onto the host computer, usually during sync.. and probably depends on some user curiosity to KLICKEN SIE HIER, and runs like normal malware. The android box no more needs to run it than does an infected digital picture frame.

    3. Keith Oldham

      Re : Umm..

      Looks like the phone is just the vector for loading a Windows PC with the malware. There's an autorun.inf involved ( see link in article)

    4. The Original Ash

      How can it even run?

      By windows mounting removable storage and automatically executing autorun.inf scripts by default. The same way as any USB-key distributed virus.

      The phone wasn't the target: The synchronising Windows PC was.

  2. spegru
    Linux

    Just for a moment

    I thought we had a real live linux (or at least linux-like) virus!

    But it's only for the windose PC connection......

    phew!

  3. Anonymous Coward
    Thumb Down

    It didn't happen

    Mention it on their forums and it gets pulled in under two minutes. FAF

    1. Anonymous Coward
      Grenade

      Oh, my aching belly button!

      Comments questioning the circumstances and validity of this sensational botnet "find" are pulled in under two minutes on Panda Forums ?

      I wonder why ?

  4. Bilgepipe
    Jobs Halo

    iPhone

    Should have bought an iPhone. Apple's legendary tight-fisted control over what can be installed on their phones - along with the device's inherent security (you know, the security that prevents innocent users from doing what they want to with it) would have prevented this.

    Feel free to downvote me - doesn't make me wrong. :-)

    1. davros62

      Vodafone ships Mariposa-infected HTC Magic

      It doesn't make you right either dude. :)

      The issue here is nothing to do with Android or the HTC phone. The infection came from the SDCard, which may or may not have been supplied by Vodafone, but probably didn't come from HTC.

      For all we know the sdcard may have come from the researcher herself or the friend who bought the phone.

      Apple's control (tight fisted or otherwise) doesn't stop the iPhone (or any iPod) being vulnerable to exactly the same problem if you enable it as a USB data drive and connect it to an infected PC.

      There is nothing on the iPhone to detect or prevent the same thing happening.

  5. Skrrp
    WTF?

    I has a confused

    After a little clicking it appears that it is a Windoze malware.

    I have no idea what this synch process is that is mentioned in the article, but I have never installed the official driver pack to see what it can do. All of my synch goes OTA to Google (soul: sold, yes).

    What the author may be referring to is when the phone was hooked up over USB to use the SD card as mounted storage. Then it becomes the same as any USB flash device and has the same threats to Windoze.

  6. jubtastic1
    Stop

    Infected like a USB Stick

    Just another Autorun file on a USB Mass Storage mount, absolutely no device OS interaction whatsoever.

    Only a loon would claim a USB Stick is "riddled with bots"

    It's also only one phone, so personally I would have gone with the "Vodafone sells ex-demo phone as new, comes with malware" angle, but I'm just crazy like that.

    1. Danny 14
      Stop

      well I would

      If I just bought it from a Vodafone shop (maybe to give to my mum or some other not so technical person) I'd be pretty pissed.

  7. Tim Warren

    Virus Scanners on Phones...

    It's only a matter of time until we need virus scanners on our phones. Then, they too will run like dogs, and the battery life will be measured in minutes.... :-(

  8. Eponymous Cowherd
    Thumb Down

    Get your facts straight

    It wasn't the phone that had the malware on it, it was the micro SD card that was supplied with it.

    I would guess that this was a re-issued phone and it was the previous owner who, deliberately or otherwise, infected the SD card.

    I assume Vodafone did a factory reset on the phone before re-issuing it, but forgot about the card (which isn't affected by a factory reset).

  9. Tim #3

    Greece again?

    In legal terms, is there a distinction between a botnet and an intercept, if both potentially are gathering the same data? And were I a super villain or a govt agency it could be easier to buy a share in a botnet than to set up an intercept. Spooky that it's Vodafone who have this issue - and no wonder they want people to forget it happened as the last time cost them dearly (indeed they were fined eur76m).

    http://www.theregister.co.uk/2006/02/06/greece_mobile_snooping_scandal/

  10. PolicyWatcher
    Coat

    Open mouth. Carefully insert foot...

    "Vodafone acknowledged the problem but said that the incident was an isolated problem, which came to light because the customer working for Spanish anti-virus firm Panda Security."

    That appears to suggest that in Vodafone's mind, it's only a problem if the malware is detected by someone who knows enough to understand what's happening...

    1. Mad Hacker

      That was my understanding as well

      Yeah, it was an isolated case... that they got caught. Usually... they don't get caught.

  11. Paul_Murphy

    My question is:

    How can this possibly be an isolated incident?

    Unless the supplier knew who it was going to and decided to cause them hassle then it would mean that every phone (presumably from the same batch when installed at the factory) must have the same software on it - and it's only that it's been discovered that it's come to light.

    ttfn

    1. Mad Hacker

      isolated

      I think what they meant was someone detecting that they were sending out malware infected hardware was an isolated incident. That usually doesn't happen. Nothing isolated about them sending out malware infected hardware though. :P

    2. davros62

      re: My question is

      @Paul Murphy:

      While it may be a bit of a reach to claim this as isolated at this stage (other than no one else has reported a problem) I think VF have some justification in claiming this is not a widespread problem.

      These particular malware instances are not difficult to detect with any up to date antivirus product (not just the researcher's own product featured so prominently in the article) so the likelihood is that if there were a widespread problem it would have surfaced pretty quickly because a fairly large number of VF Magic users must have connected their new phones to Windows PCs running antivirus software, to copy their music or whatever to the phone.

      My VF Magic arrived in a VF box without the SD card installed, which was a brand new SanDisk 8GB card still in its original wrapper. I doubt it had ever been in a phone.

      I would have liked the journalist to put some effort into determining the actual provenance of the SD Card, whether supplied by Vodafone, a retailer, the actual owner of the phone, or the researcher in question.

  12. DrunkenMessiah
    FAIL

    Wow, talk about bad luck

    So the ONE SD-Card that was infected was sold to an anti-virus worker? That's pretty bad luck for Vodafone.

    And yeah, it's the SD-Card that's infected, not Android. Sort it out.

  13. jonathan rowe
    WTF?

    XXXX takes XXXX extremely seriously

    If I hear another company say that again, I will go postal.

    Obviously, you didn't take it seriously, you didn't even consider it at all, and didn't put safeguards in place, otherwise it wouldn't have fucking happened in the first place.

  14. drone2903
    FAIL

    Same problem, same message

    Almost word for word, all the time

    /nameofcompany/ takes the security and privacy of its customers extremely seriously and launched an immediate investigation into this incident

    Following extensive Quality Assurance testing, early indications are that this was an isolated local incident

    /nameofcompany/ keeps its security processes under constant review as new threats arise, and we will take all appropriate actions to safeguard our customers’ privacy.

  15. belibouton
    Alien

    Do I smell snake oil ?

    Do I smell snake oil ?
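
Several comments above attribute the infection to an autorun.inf on the SD card, which Windows acts on when the card is mounted as removable storage. As an added example (not part of the original thread or article), this Python script lists the entries in a volume's autorun.inf that would launch a program; the sample file contents and the path in it are constructed.

```python
import os
import re
import tempfile

# Keys in an [autorun] section that make Windows launch a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

def launch_entries(text):
    """Return (key, command) pairs from autorun.inf text that start a program."""
    found, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        # Malicious files often pad with junk lines; only key=value pairs matter.
        if section.startswith("autorun") and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key):
                found.append((key.lower(), value))
    return found

def scan_volume(root):
    """Look for autorun.inf (any letter case) in the root of a mounted volume."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), "r", errors="replace") as fh:
                return launch_entries(fh.read())
    return []

# Constructed sample, not taken from the incident: junk lines around real keys.
SAMPLE = """\
; padding
[AutoRun]
xyzzy
OPEN = RECYCLER\\example.exe
icon=shell32.dll,4
shell\\Explore\\Command=RECYCLER\\example.exe
label=Removable Disk
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as card:   # stands in for the SD card root
        with open(os.path.join(card, "AUTORUN.INF"), "w") as fh:
            fh.write(SAMPLE)
        for key, cmd in scan_volume(card):
            print(f"{key} -> {cmd}")
```

Pointing `scan_volume` at the mount point of a card before it is handed on shows whether anything on it would be launched by a PC that still has autorun enabled.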
