
Memory card, not Vodafone Magic itself, responsible for Android botnet strike

Stories have been going around that a botnet was being spread by the HTC Magic on Vodafone. Specifically, it was Panda Security that sounded the alarm after they plugged in said Android phone and had all kinds of alarms go off. However, it turns out it was an infected memory card that was the culprit, and not a bad batch of phones, as original post author Pedro Bustamante later points out in the comments.

It’s the memory card for sure, not the actual Android filesystem. It could be a malicious employee, a bad batch, provided by the manufacturer, lack of QA or a returned and refurbished unit. But as you said, either way Vodafone needs to better QA these before shipping out to customers.

Pedro's right, there should be better QA to keep this from happening. But there also should be a little more discretion used before we see headlines such as "Vodafone distributes Mariposa botnet." (And the post itself hasn't been updated?) An infected memory card is bad, but one bad apple does not an outbreak make. The sky's not falling, folks.

  • I agree, a lot more discretion should have been used in initially reporting the story. It reminds me of those digital picture frames being sold in stores with viruses pre-installed.
  • What I want to know is how did the virus on the card manage to link up to the botnet if it did not have root access? Was the phone the card was put into a rooted phone? This is the only way I can think of a virus gaining root access on a Linux / Android system, unless it was programmed with the algorithms that root an HTC Magic. But even then, permissions would have had to be obtained. This does raise some interesting security issues for those of us with Rooted and Booted Android Phones, as by rooting them we could leave them exposed to exploits like this. This is, of course, assuming that the virus actually got that far and was not just detected on the card and dealt with before it could do anything. Can someone post up a more detailed account please? Phil.
  • Good questions. You try the link to the Panda post?
  • @Phil: the report did not say that the phone itself connected to the botnet. What occurred was Panda Security reported the phone's (actually the card's, as it turns out) infection was detected by the PC's Panda Cloud Security program after the phone was connected via USB. The virus would then be transferred to the PC and would connect to the botnet from there. Excerpts below: "The interesting thing is that when she plugged the phone to her PC via USB her Panda Cloud Antivirus went off, detecting both an autorun.inf and autorun.exe as malicious. A quick look into the phone quickly revealed it was infected and spreading the infection to any and all PCs that the phone would be plugged into. - A quick analysis of the malware reveals that it is in fact a Mariposa bot client. - Once infected you can see the malware “phoning home” to receive further instructions, probably to steal all of the user’s credentials and send them to the malware writer." I'm assuming the last part was done on an unprotected isolated test PC to analyze the activity of the malware, since the initial infection was detected by the security program of the first PC the phone was connected to.
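
The spread described in the last comment depends on an autorun.inf at the root of the memory card naming a program for a Windows PC to launch. As an added example (not from the original post, its comments, or Panda Security), this Python script audits a mounted card for that file and lists the programs it points to; the sample volume, its file contents, and the function names are constructed for illustration.

```python
import tempfile
from pathlib import Path

def parse_autorun(text):
    """Yield (section, key, value) from autorun.inf text, tolerating junk lines."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            yield section, key.strip().lower(), value.strip()

def is_launch_key(key):
    # Keys in the [autorun] section that name a program to run.
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))

def audit_volume(root):
    """Report every program an autorun.inf at the volume root would launch."""
    root = Path(root)
    # FAT-formatted cards are case-insensitive, so compare lowercased paths.
    files = {p.relative_to(root).as_posix().lower() for p in root.rglob("*")}
    findings = []
    for inf in root.iterdir():
        if inf.name.lower() != "autorun.inf" or not inf.is_file():
            continue
        for section, key, value in parse_autorun(inf.read_text(errors="replace")):
            if section == "autorun" and is_launch_key(key) and value:
                target = value.split()[0].strip('"')  # drop any arguments
                rel = target.replace("\\", "/").lstrip("/").lower()
                findings.append({"key": key, "target": target,
                                 "present": rel in files})
    return findings

def demo():
    """Audit a constructed stand-in for the card (placeholder bytes, no malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        card = Path(tmp)
        (card / "AUTORUN.INF").write_bytes(
            b"[AutoRun]\r\n; constructed sample\r\nopen=autorun.exe\r\nicon=folder.ico\r\n")
        (card / "autorun.exe").write_bytes(b"placeholder, not an executable")
        return audit_volume(card)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Any finding on a card that shipped with a new phone is worth quarantining the card for, since a factory-fresh card has no reason to carry a launch entry.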