Here is yet another example of a company distributing malware to its userbase. Unfortunately it probably won’t be the last.
Today one of our colleagues received a brand new Vodafone HTC Magic with Google’s Android OS. “Neat” she said. Vodafone distributes this phone to its userbase in some European countries and it seems affordable as you can get it for 0€ or 1€ under certain conditions.
The interesting thing is that when she plugged the phone to her PC via USB her Panda Cloud Antivirus went off, detecting both an autorun.inf and autorun.exe as malicious. A quick look into the phone quickly revealed it was infected and spreading the infection to any and all PCs that the phone would be plugged into.
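The infection vector described above is the classic autorun.inf trick: an INI-style file at the root of the card tells Windows what to launch when the volume is mounted or opened. The script below, added here as an illustration and not code from Panda or from the original post, inspects a mounted volume for an autorun.inf, extracts every directive that causes code execution (`open`, `shellexecute`, and any `shell\...\command` entry) and checks whether the referenced file is present on the volume. The autorun.inf content it uses is constructed for the demo; the post only says the card carried an autorun.inf and an autorun.exe. Running the check against a removable volume before opening it in Explorer, with autorun disabled by policy, is how a desktop team would triage a card like this.

```python
"""Inspect a removable volume for an autorun.inf and report what it would launch.

Added example for this post; not Panda's code and not the file from the phone.
"""
import configparser
import os
import tempfile

# [autorun] directives that execute a program on insertion or on opening the drive.
EXEC_KEYS = ("open", "shellexecute")

# Constructed sample standing in for the card's autorun.inf (the real content is
# not given in the post). It mirrors the usual pattern: launch autorun.exe both
# via AutoPlay ("open") and via the Explorer context menu ("shell\open\command").
SAMPLE_AUTORUN_INF = """[AutoRun]
open=autorun.exe
icon=autorun.exe,0
shell\\open\\command=autorun.exe
action=Open folder to view files
"""


def parse_autorun(text):
    """Return {directive: value} for every execution directive in autorun.inf text.

    Section and key names are matched case-insensitively, as Windows does.
    """
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.optionxform = str.lower  # normalise key case
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    directives = {}
    for key, value in cp.items(section):
        # shell\<verb>\command keys run a program when the verb is chosen in Explorer.
        if key in EXEC_KEYS or (key.startswith("shell") and key.endswith("command")):
            directives[key] = (value or "").strip()
    return directives


def _executable_of(value):
    """First token of a command line, honouring a leading double-quoted path."""
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""


def inspect_volume(root):
    """Find autorun.inf at the root of a volume and resolve its launch targets.

    Returns a list of (directive, target, target_exists_on_volume). An empty
    list means there is no autorun.inf or it contains no execution directive.
    """
    inf_path = next(
        (os.path.join(root, n) for n in os.listdir(root) if n.lower() == "autorun.inf"),
        None,
    )
    if inf_path is None:
        return []
    with open(inf_path, "r", encoding="latin-1", errors="replace") as fh:
        directives = parse_autorun(fh.read())
    findings = []
    for key, value in directives.items():
        target = _executable_of(value)
        target_path = os.path.join(root, target.replace("\\", os.sep).lstrip(os.sep))
        findings.append((key, target, os.path.isfile(target_path)))
    return findings


def demo():
    """Build a throwaway 'volume' with the constructed autorun.inf and inspect it."""
    with tempfile.TemporaryDirectory() as vol:
        with open(os.path.join(vol, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        # Empty placeholder file standing in for the payload; not malware.
        open(os.path.join(vol, "autorun.exe"), "wb").close()
        return inspect_volume(vol)


if __name__ == "__main__":
    for directive, target, present in demo():
        state = "present on volume" if present else "MISSING on volume"
        print(f"{directive} -> {target} ({state})")
```

On a real card the function is called with the mount point (for example `inspect_volume("E:\\")` on Windows or the `/media/...` path on Linux); a directive whose target is present at the root of a freshly bought card is exactly the finding the antivirus raised here.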
A quick analysis of the malware reveals that it is in fact a Mariposa bot client. This one, unlike the one announced last week which was run by Spanish hacker group “DDP Team”, is run by some guy named “tnls” as the botnet-control mechanism shows:
00129953 |. 81F2 736C6E74        |XOR EDX,746E6C73 ; “tnls”
The Command & Control servers which it connects to via UDP to receive instructions are:
mx5.nadnadzz2.info
mx5.channeltrb123trb.com
mx5.ka3ek2.com
Once infected you can see the malware “phoning home” to receive further instructions, probably to steal all of the user’s credentials and send them to the malware writer.
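The three hostnames above are the kind of indicator a network team would push into DNS monitoring straight away. The script below is an added example, not part of the original post or of Panda's tooling: it runs over constructed DNS query log lines, matches the exact C&C hostnames from the post, and (as an assumption the post does not make) also flags any other label under the same registrable domains, then groups the hits by client so the infected PCs stand out. The log layout is invented for the example; adapt the regular expression to your resolver's format.

```python
"""Match DNS query logs against the Mariposa C&C hostnames named in the post.

Added example; the log lines are constructed and the layout is hypothetical.
"""
import re
from collections import defaultdict

# C&C hostnames exactly as given in the post.
CNC_HOSTS = {
    "mx5.nadnadzz2.info",
    "mx5.channeltrb123trb.com",
    "mx5.ka3ek2.com",
}

# Assumption: the operator controls the whole zone, so any other label under
# these registrable domains is treated as suspicious as well.
CNC_DOMAINS = {".".join(h.split(".")[-2:]) for h in CNC_HOSTS}

# Constructed sample log in a simple "date time client <ip> query <name> <type>" layout.
SAMPLE_LOG = """\
2010-03-08 10:15:01 client 10.0.0.23 query www.example.com A
2010-03-08 10:15:02 client 10.0.0.23 query mx5.ka3ek2.com A
2010-03-08 10:15:05 client 10.0.0.41 query MX5.NADNADZZ2.INFO. A
2010-03-08 10:15:09 client 10.0.0.23 query update.channeltrb123trb.com A
2010-03-08 10:15:12 client 10.0.0.77 query mail.corp-example.test MX
this line is not a query record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>\S+) query (?P<name>\S+) (?P<qtype>\S+)$"
)


def normalise(name):
    """Lower-case and strip the trailing dot of a fully qualified name."""
    return name.rstrip(".").lower()


def classify(name):
    """Return 'exact' for a listed C&C host, 'domain' for a sibling under the
    same registrable domain, or None when the name is not an indicator."""
    n = normalise(name)
    if n in CNC_HOSTS:
        return "exact"
    for domain in CNC_DOMAINS:
        if n == domain or n.endswith("." + domain):
            return "domain"
    return None


def scan_dns_log(text):
    """Return [(client, queried_name, match_kind)] for every matching query."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-query lines are ignored
        kind = classify(m["name"])
        if kind:
            hits.append((m["client"], normalise(m["name"]), kind))
    return hits


def clients_by_indicator(hits):
    """Group hits per client: {client_ip: sorted list of names it looked up}."""
    grouped = defaultdict(set)
    for client, name, _kind in hits:
        grouped[client].add(name)
    return {c: sorted(names) for c, names in grouped.items()}


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for client, names in clients_by_indicator(found).items():
        print(f"{client}: {', '.join(names)}")
```

The same indicator set can be fed to a resolver's RPZ or sinkhole configuration; the point of the script is to show the matching rules (case, trailing dot, sibling labels) that a naive string comparison gets wrong.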
Interestingly enough, the Mariposa bot is not the only malware I found on the Vodafone HTC Magic phone. There’s also a Conficker and a Lineage password-stealing malware. I wonder who’s doing QA at Vodafone and HTC these days 🙁
41 comments
The same as many laptops in big stores and other distributors. You can find this and many others on 50% of newly sold laptops and PCs, “clone made” or with many applications like Office, Nero, etc., “B series”.
And it’s real.
Best regards
Very interesting. I’m curious though, have you looked at more than one of these phones? Are these results consistent? If you are correct then I’m going to discuss this on my digital forensics podcast in the next week or so.
I’m curious if additional insights on this will come to light. This shows quite clearly that providers and vendors don’t really care about what quality meant back when I bought my first or second mobile phone. I am sure, if you ask Vodafone about it, they will come up with an excuse like “We are not responsible for the data on the phone – in this case you need to ask another company X!” and if you then ask X, they will direct you to someone else called Y. That’s exactly the reason why customers should not trust a company that’s not in charge of the WHOLE product they sell.
Outsourcing does not work if you try to source out brains and/or QA.
@Lee Whitfield We are buying some more units of the same model to see if they are also infected.
@Pedro Bustamante My instinct is that these are the memory cards, as Windows machines won’t/can’t mount the YAFFS2 filesystem found on Android phones. If it IS the memory cards it may be a malicious employee or a bad batch. Either way, Vodafone need some QA procedures in place to stop this from happening.
Hi there,
I have owned a HTC Magic (Vodafone Spain) since January and its memory card is not infected; as Lee Whitfield says, maybe it’s just a malicious employee…
@Lee Whitfield It’s the memory card for sure, not the actual Android filesystem. It could be a malicious employee, a bad batch, provided by the manufacturer, lack of QA or a returned and refurbished unit. But as you said, either way Vodafone needs to better QA these before shipping out to customers.
and now? I have a HTC Magic too. what do i do?
@iñaki Plug it into your PC and scan the phone’s card with an updated antivirus. If it does in fact find something, you can either clean it out with the AV or perform a full reset of the phone. To do this, turn it off and press the “home” and “back arrow” keys. After 20 seconds a reset screen will appear. Pressing the “menu” button will cause the phone to reboot with factory settings.
Some people have asked for this information:
Firmware version: 1.5
Base band version: 62.50S.20.17U_2.22.19.26I
Kernel version: 2.6.27-00392-g8312baf
Android-build@apa27 #72
Compilation #: CRB17
Regardless, I don’t think this has to do with factory settings, but rather with poor QA process of refurbished phones.
Hi Pedro,
Did she open the packed phone’s box there at the lab for the first time? I’m wondering if she plugged the phone in at her home, got the card infected, and then brought it to Panda Labs…
@Urko Nope, she plugged it in to her work PC, about 30 meters away from my desk. She called me and I immediately went to her PC to analyze it manually. The phone came with the malicious files out of the box.
@Pedro Bustamante
Resetting to factory settings will not wipe anything on the SD card.
Checked my Magic, no viruses or trojans in the microSD. There’s another possibility, bad QA from the supplier of the 8 GB cards, I’m almost sure that they aren’t manufactured directly by HTC.
Hi Pedro,
where did she buy the HTC Magic? Did she buy the mobile phone via online shop? In which country happened this?
@Pedro Bustamante
It sounds a bit strange to me that nobody else in Spain pointed out that problem before, at least seeing how easily your AV was able to detect the malware.
I know that I’m speculating but…
My version of the story is: your colleague bought the HTC in a shop (they usually are not official Vodafone shops but franchises). Before delivering the phone, probably the device or the memory card was used in a PC in the shop that was previously infected.
Then it’s clear that somebody from that shop is going to have to answer a lot of questions to Vodafone and is probably going to be in a horrible situation. But what’s clear is that the HTC is not infected, the memory card is!
I think that you should be a little less dramatic in your headlines unless the only thing you are looking for is the press spotlight!
cheers.
The best practice when getting new media is to wipe it and then format it. I know this is a pain but by doing this you avoid these problems.
There is little doubt in my mind that Vodafone aren’t totally at fault for this. Can you imagine if every phone manufacturer had to check every single memory card that went out of the door?
@Lee Whitfield
how hard is it to format every memory card that goes out the door? Going to be cheaper than what a class action settlement would cost.
I got one of these HTC Magics last week,
What can I do?
Go to a Vodafone office? Try to remove the malware?
Thank you!
@Lee Whitfield Well I would definitely expect Vodafone and any other company which distributes gadgets to make sure they are shipped without malware. Keep in mind that 99% of the users out there won’t know they have to wipe the card before using it. Even if they did, after they plug it into the PC via USB to wipe it, the autorun would have already infected their PCs before they get the chance of wiping the card.
Lee, well SOMEONE ought to be checking every single memory card that goes out the door. And since it’s Vodafone’s reputation on the line, either they do the check or they make damn sure that their suppliers can certify them.
@Tronic7 & @for sure nobody from VodaFone the phone was purchased from Vodafone’s online store at their official website. It was delivered completely packaged (not opened) to our office.
Interesting post from zdnet recalls similar cases from the past:
2006 – Small Number of Video iPods Shipped With Windows Virus
2006 – HP Printer Drivers Infected
2006 – McDonalds’ free Trojan: “Would you like malware with that?”
2007 – TomTom ships malware on sat-nav
2007 – Seagate ships virus-infected hard drives
2008 – HP ships USB sticks with malware
2008 – Best Buy issues security warning on Insignia digital picture frames
2008 – Asus ships Eee Box PCs with malware
2008 – Samsung Digital Photo Frame shipped with malware
2008 – Malware found in Lenovo software package
2008 – Telstra distributes malware-infected USB drives at AusCERT
2009 – Malware Found On Brand-New Windows Netbook
2010 – Energizer DUO USB Battery Charger Includes Backdoor
Pedro,
Thanks for sharing this with us. Expected that Vodafone would have a better QA Dept that ensured safety of its clients.
@Lee Whitfield
Checking every memory card would be .. a good QA move.
@Pedro Bustamante
Well, I think it is a bit categorical to say “Vodafone distributes Mariposa botnet”; if I read a headline like that I suppose “okay, these Panda guys have tested a representative percentage of phones”, but I’m afraid you have tested only one. Do you really think it is enough to make a statement like that? Have you checked it with Vodafone or some shops? Have you bought more phones and tested them? I expected you to be more serious, and after that, I would expect Vodafone’s press note.
You should kick your IT guy. Autorun should be disabled via group policy across your network. Had that been done, this would be a total non-issue. Untrusted media should NEVER be allowed to automatically run applications on any system on your network.
@Pedro Bustamante
Interesting. How did she know she had a virus on her phone in the first place?
Maybe she is the godless.
WOW! Android is the future!! If this were the iPhone we wouldn’t hear the end of it. Nothing but a bunch of apologists here, nothing unusual… nothing to see. Of course this is all Vodafone’s fault.
@Pedro Bustamante
I also own a Magic since June last year, and the SD card is unaffected by this problem on SFR network (Vodafone’s name in France)
Regards,
It’s possible that the malware found its way onto the phone’s memory card via the system that was used by the QA engineer. Needless to say, Vodafone needs to put some stringent checks on the QA process and possibly run AV scans on their internal machines. I wonder how many other phones (other brands possibly) may have been infected. The HTC phone here is merely the carrier since Android and Windows malware don’t mix. Users should be extremely careful when handling USB drives and should not resort to blatant double-clicks on USB drives.
We have 16 HTC Magics purchased in the last 3 weeks, and no Mariposas!
Am I the only one who can detect the pungent odour of Snake Oil in this ridiculous beat-up ?
For reference, these are the reports of the files found on the HTC Magic:
Mariposa:
http://www.virustotal.com/analisis/630fb897d18ffdce8557eeab1a361d9bdd39b883fafd74f357ecef4ffb243eb8-1268225656
MD5: c45a27f8979ff98a982b584ddc1fc58d
Lineage:
http://www.virustotal.com/analisis/c2759b4943c6baca2cd51dc0326936de8d91af94c03a827b9ffd817bcb410ebd-1265221714
MD5: 97893d7c4984cc1b6e41c4ef598bb9d6
@for sure nobody from VodaFone
I agree. I would say the chances of this infection coming from Vodafone are slim to none. It’s more likely that this phone was connected to an infected machine at the shop or maybe it was bought, used on an infected machine, returned to the shop for a refund for whatever reason and then sold as new to Pedro’s colleague. Vodafone will already have stringent checks as this type of mistake could cost a lot of money to put right.
I could tell you horror stories about Panda (we’ve been stuck with them for the last 5 years!!!) and their poor QA, poor support and poor protection in general so I suppose it is possible for a company to miss this kind of thing but I can safely say, this story is a load of shite!
maybe that’s the magic stuff… and all guys, you ruin it… 🙂
@Pedro Bustamante
THIS IS NOT AN ANDROID OR HTC PROBLEM. Wiping your phone will not cure the problem because the virus is not on the phone. The phone’s Android OS system is on flash memory formatted to a file system that Windows cannot even read. Wiping the phone to factory default will NOT remove the virus!
People who use Windows on their PCs and ANY mobile device should be careful. This exact thing could happen with all smart phones, thumb drives, digital cameras, picture frames and media players. Be ESPECIALLY wary of those obscure Chinese off-brand devices like the iPhone knock-offs and other USB-connectable devices that are on eBay.
Here is probably what happened: a Vodafone customer (one with very poor computer skills) bought a Magic and plugged it into their infected computer, mounting the installed SD card and instantly loading the malware. This clueless user probably couldn’t figure out their phone, or else thought it was “broken” because their infected computer was interfering with the sync and file transfer functionality of the phone, so they returned it.
Vodafone probably just wiped to factory default and ran their automated QA (not even connecting the phone to a Windows PC or changing the SD card) and went “hmmm…CPU OK, Radio OK, RAM OK, ROM checksum OK”…then they re-packed it and called it “fixed”. Unacceptable but unsurprising (you would be AMAZED at how many “broken” computers and related devices are returned by clueless customers purely because of malware or misconfiguration–it in fact accounts for MOST returns now!). Your “refurbished” computer or device is probably exactly the same as what was returned, just with the factory software restored. And as I said, on the Magic and most other smart phones, the in-built software is not residing on the SD card and so it is quite likely that any malware on it will remain after a factory restore. Stupid, clueless tech support!
This is not new. Those digital picture frames still very often come with similar infections, as have cameras and so forth..and the problem is mostly with refurbished devices. Some hints:
* Because Windows (even Vista and 7) is a prime target because of its market share and still has some fundamental flaws in how it manages security, you should NEVER EVER have “autorun” enabled because it is far too exploited by malware
* Make sure your anti-virus is configured to scan removable devices that you leave connected (this option can be disabled but you shouldn’t)
* Be very cautious with refurbished and used equipment. Do not plug it into the ethernet or your other computer equipment until you’ve had a look. Androids should come with a decent filesystem browser such as ASTRO or similar so you can do this (it bugs me that they do not!). Manufacturers focus on HARDWARE it seems when they refurbish and QA on software issues is still extremely shoddy–usually limited to some automated system-image-restore–so you have to be careful about things like included SD cards that those processes do not consider.
complain all you want. But the final point is:
VODAFONE SPREADS MALWARE, MEANING somewhere along the process THEY DON’T CARE ENOUGH ABOUT QA, SO FINALLY MALWARE ARRIVES TO A FINAL USER INSIDE A “BRAND NEW” PRODUCT, AND FINAL USER IS NOT GUILTY: BLAME VODAFONE!
I hate to scream at the internet…
Thanks Pedro, this information is VERY useful. I’ll never again trust a device with a flash card inside.
hi i agree
@David in Tucson – Wow the only voice of reason in this whole thread and you’ve been completely ignored. If the corporation management structure of the world would hire qualified IT people and PAY THEM WHAT they’re worth this would be a moot point. David in Tucson I applaud you and hold you in the highest regard!
Back to the discussion at hand regarding the assertion that vodafone is a channel for malicious apps/spambots.
I manage all Web initiatives for a Global CPG Company and will confirm this as fact based on data accumulated from daily security server audits spanning 6+ months. Based on the aggregate data, vodafone_spain_network contributes to approximately 7.86% of malicious scans on the Web.
On a side note, the CEO of Vodafone, Vittorio Colao, on Feb 16 2010 asserted that Google doesn’t have enough competition in the online advertising space and urged more regulations to impede Google’s progress. Essentially, Colao doesn’t like Google entering the mobile arena and wants to slow Google’s entry. What I find amusing is that Vodafone has been impotent/indifferent in controlling and preventing the continued spread of malware on its network which negatively impacts the public. Of all the companies that need some form of regulation, it should be Vodafone for the sake of public welfare.
what does this website have to do with panda’s