Home > Malware > Vodafone distributes Mariposa botnet

Vodafone distributes Mariposa botnet

March 8th, 2010

Here is yet another example of a company distributing malware to its userbase. Unfortunately it probably won’t be the last.

Today one of our colleagues received a brand new Vodafone HTC Magic with Google’s Android OS. “Neat” she said. Vodafone distributes this phone to its userbase in some European countries and it seems affordable as you can get it for 0€ or 1€ under certain conditions.

The interesting thing is that when she plugged the phone to her PC via USB her Panda Cloud Antivirus went off, detecting both an autorun.inf and autorun.exe as malicious. A quick look into the phone quickly revealed it was infected and spreading the infection to any and all PCs that the phone would be plugged into.

A quick analysis of the malware reveals that it is in fact a Mariposa bot client. This one, unlike the one announced last week which was run by spanish hacker group “DDP Team”, is run by some guy named “tnls” as the botnet-control mechanism shows:

00129953  |.  81F2 736C6E74         |XOR EDX,746E6C73 ; ”tnls”

The Command & Control servers which it connects to via UDP to receive instructions are:


Once infected you can see the malware “phoning home” to receive further instructions, probably to steal all of the user’s credentials and send them to the malware writer.


Interestingly enough, the Mariposa bot is not the only malware I found on the Vodafone HTC Magic phone. There’s also a Confiker and a Lineage password stealing malware. I wonder who’s doing QA at Vodafone and HTC these days :(

  1. March 8th, 2010 at 17:26 | #1

    The same as many laptops on big stores and other distributors. Can found this and many other on teh 50% of new selled laptops and pcs “Clone made” or with many aplications as Office, Nero, etc “B series”.

    And it’s real.

    Best regards

  2. March 8th, 2010 at 17:35 | #2

    Very interesting. I’m curious though, have you looked at more than one of these phones? Are these results consistent. If you are correct then I’m going to discuss this on my digital forensics podcast in the next week or so.

  3. Peter Piksa
    March 8th, 2010 at 17:43 | #3

    Im curious if additional insights on this will come to light. This shows quite clearly, that providers and vendors dont really care about what quality meant back when I bought my first or second mobile phone. I am sure, if you ask Vodafone about it, the will will come up with an excuse like “We are nor responsible for the data on the phone – in this case you need to ask another company X!” and if you then ask X, they will direct you to someone else called Y. Thats exactly the reason, why customers should not trust a company, thats not in charge of the WHOLE product they sell.

    Outsourcing does not work if you try to source out brains and/or QA.

  4. Pedro Bustamante
    March 8th, 2010 at 18:46 | #4

    @Lee Whitfield We are buying some more units of the same model to see if they are also infected.

  5. March 8th, 2010 at 19:23 | #5

    @Pedro Bustamante My instinct is that these are the memory cards as a Windows machines won’t/can’t mount the YAFFS2 filesystem found on Android phones. If it IS the memory cards it may be a malicious employee or a bad batch. Either way, Vodafone need some QA procedures in place to stop this from happening.

  6. Jon
    March 8th, 2010 at 20:32 | #6

    Hi there,
    I own a HTC Magic (Vodafone Spain) since january and its memory card it’s not infected, as Lee Whitfield says, maybe it’s just a malicious employee…

  7. Pedro Bustamante
    March 8th, 2010 at 22:21 | #7

    @Lee Whitfield It’s the memory card for sure, not the actual Android filesystem. It could be a malicious employee, a bad batch, provided by the manufacturer, lack of QA or a returned and refurbished unit. But as you said, either way Vodafone needs to better QA these before shipping out to customers.

  8. iñaki
    March 9th, 2010 at 05:45 | #8

    and now? I have a HTC Magic too. what do i do?

  9. Pedro Bustamante
    March 9th, 2010 at 09:14 | #9

    @iñaki Plug it into your PC and scan the phone’s card with an updated antivirus. If it does in fact find something, you can either clean it out with the AV or perform a full reset of the phone. To do this, turn it off and press the “home” and “back arrow” key. After 20 seconds a reset screen will appear. Pressing the “menu” button will cause the phone to reboot with factory settings.

  10. Pedro Bustamante
    March 9th, 2010 at 10:15 | #10

    Some people have asked for this information:
    Firmware version: 1.5
    Base band version: 62.50S.20.17U_2.22.19.26I
    Kernel version: 2.6.27-00392-g8312baf
    Android-build@apa27 #72
    Compilation #: CRB17
    Regardless, I don’t think this has to do with factory settings, but rather with poor QA process of refurbished phones.

  11. Urko
    March 9th, 2010 at 10:48 | #11

    Hi Pedro,

    Did she open the packed phone’s box there at the Lab for the first time? I’m wondering if she plugged the phone at her home, get the Card infected, and then brought it to Panda Labs…

  12. Pedro Bustamante
    March 9th, 2010 at 11:26 | #12

    @Urko Nope, she plugged it in to her work PC, about 30 meters away from my desk. She called me and I immediately went to her PC to analyze it manually. The phone came with the malicious files out of the box.

  13. Michael
    March 9th, 2010 at 12:36 | #13

    @Pedro Bustamante

    Resetting to factory settings will not wipe anything on the SD card.

  14. Fernando
    March 9th, 2010 at 12:50 | #14

    Checked my Magic, no viruses or trojans in the microSD. There’s another possibility, bad QA from the supplier of the 8 GB cards, I’m almost sure that they aren’t manufactured directly by HTC.

  15. Tronic7
    March 9th, 2010 at 14:35 | #15

    Hi Pedro,

    where did she buy the HTC Magic? Did she buy the mobile phone via online shop? In which country happened this?

  16. March 9th, 2010 at 15:10 | #16

    @Pedro Bustamante
    Its sounds me a bit strange that nobody else in Spain pointed that problem before at least seeing how easly your AV was able to detect the malware.
    I know that I’m speculating but…
    My version of the story is: your colleague bought the HTC in a shop (they usualy are not oficial Vodafone shop but franchises). Before delivering the phone probably the device o the memory card was used in a PC in the shop that was previously infected.

    Then it’s clear that somebody from that shop is going to have to answer a lot of question to Vodafone and probably going to be in an horrible situation. But what it’s clear is that the HTC are not infected, the memory card are!

    I think that you should be a little less dramatic in your headlines unless the only thing you are looking for is the press spotlight!


  17. March 9th, 2010 at 15:54 | #17

    The best practice when getting new media is to wipe it and then format it. I know this is a pain but by doing this you avoid these problems.

    There is little doubt in my mind that Vodafone aren’t totally at fault for this. Can you imagine if every phone manufacturer had to check every single memory card that went out of the door?

  18. tony
    March 9th, 2010 at 16:08 | #18

    @Lee Whitfield

    how hard is it to format every memory card that goes out the door? Going to be cheaper than what a class action settlement would cost.

  19. ion
    March 9th, 2010 at 16:53 | #19

    I have one of these HTC Magic owned last week,
    What can I do?
    Go to a Vodafone office? try to remove de malware?
    Thank you!

  20. Pedro Bustamante
    March 9th, 2010 at 17:15 | #20

    @Lee Whitfield Well I would definately expect Vodafone and any other company which distributes gadgets to make sure they are shipped without malware. Keep in mind that 99% of the users out there won’t know they have to wipe the card before using it. Even if they did, after they plug it into the PC via USB to wipe it, the autorun would have already infected their PCs before they get the chance of wiping the card.

  21. March 9th, 2010 at 17:19 | #21

    Lee, well SOMEONE ought to be checking every single memory card that goes out the door. And since its Vodaphone’s reputation on the line, either they do the check or they make damn sure that their supplies can certify them.

  22. Pedro Bustamante
    March 9th, 2010 at 17:21 | #22

    @Tronic7 & @for sure nobody from VodaFone the phone was purchased from Vodafone’s online store at their official website. It was delivered completely packaged (not opened) to our office.

  23. Pedro Bustamante
  24. March 9th, 2010 at 18:23 | #24


    Thanks for sharing this with us. Expected that Vodafone would have a better QA Dept that ensured safety of its clients.

  25. cpu52362
    March 9th, 2010 at 19:57 | #25

    @Lee Whitfield
    Checking every memory card would be .. a good QA move.

  26. skeptical
    March 9th, 2010 at 22:53 | #26

    @Pedro Bustamante

    Well, i think is a bit categorical to say “”Vodafone distributes Mariposa botnet”", if i read a headline like that i suppose “okay, these Panda guys have tested a representative percentage of phones”, but i’m afraid you have tested only one, do you really think it is enough to say an statement like that? Have you checked it with vodafone or some shops? Have you bought more phones and tested it? I expected you were more serious, and after that, i would expect vodafone’s press note.

  27. David in Tucson
    March 9th, 2010 at 23:12 | #27

    You should kick your IT guy. Autorun should be disabled via group policy across your network. Had that been done, this would be a total non-issue. Untrusted media should NEVER be allowed to automatically run applications on any system on your network.

  28. rew
    March 10th, 2010 at 02:28 | #28

    @Pedro Bustamante
    Interesting, How did she knew she got a virus on her phone at the first time?
    Maybe she is the godless.

  29. JS
    March 10th, 2010 at 02:34 | #29

    WOW! Android is the future!! If this were the iPhone we wouldn’t here the end of it. Nothing but a bunch of apologists here, nothing unusual…nothing to see. Of course this is all Vodaphones fault.

  30. Aquarius
    March 10th, 2010 at 08:00 | #30

    @Pedro Bustamante
    I also own a Magic since June last year, and the SD card is unaffected by this problem on SFR network (Vodafone’s name in France)


  31. March 10th, 2010 at 09:39 | #31

    Its possible that the malware found its way on to the phone’s memory card via the system that was used by the QA engineer.. Needless to say, Vodafone needs to put some stringent checks on the QA process and possibly run AV scans on their internal machines.. I wonder how many other phones (other brands possibly) may have been infected. The HTC phone here is merely the carrier since Android and Windows malware don’t mix. User’s should be extremely careful when handling USB drives and should not resort to blatant double-clicks on USB drives.

  32. YodaVoda
    March 10th, 2010 at 12:46 | #32

    We have 16 HTC Magics purchased in the last 3 weeks, and no Mariposas!

    Am I the only one who can detect the pungent odour of Snake Oil in this ridiculous beat-up ?

  33. Pedro Bustamante
    March 10th, 2010 at 12:58 | #33

    For reference, these are the reports of the files found on the HTC Magic:

    MD5: c45a27f8979ff98a982b584ddc1fc58d

    MD5: 97893d7c4984cc1b6e41c4ef598bb9d6

  34. Pat Mckeon
    March 10th, 2010 at 13:47 | #34

    @for sure nobody from VodaFone
    I agree. I would say the chances of this infection coming from Vodafone are slim to none. It’s more likely that this phone was connected to an infected machine at the shop or maybe it was bought, used on an infected machine, returned to the shop for a refund for whatever reason and then sold as new to Pedro’s colleague. Vodafone will already have stringent checks as this type of mistake could cost a lot of money to put right.

    I could tell you horror stories about Panda (we’ve been stuck with them for the last 5 years!!!) and their poor QA, poor support and poor protection in general so I suppose it is possible for a company to miss this kind of thing but I can safely say, this story is a load of shite!

  35. julian
    March 10th, 2010 at 20:01 | #35

    maybe that’s the magic stuff… and all guys, you ruin it… :)

  36. MSH
    March 11th, 2010 at 15:54 | #36

    @Pedro Bustamante

    THIS IS NOT AN ANDRIOD OR HTC PROBLEM. Wiping your phone will not cure the problem because the virus is not on the phone. The phone’s andriod OS system is on flash memory formatted to a file system that Windows canot even read. Wiping the phone to factory default will NOT remove the virus!

    People who use Windows on their PCs and ANY mobile device should be careful. This exact thing could happen with all smart phones, thumb drives, digital cameras, pickture frames and media players. be ESPECIALLY wary of those obscure Chinese off-brand devices like the iPhone knock-offs and other USB-connectable devices that are on eBay.

    Here is probably what happened: a Vodaphone customer (one with very poor computer skills) bought a Magic and plugged it into their infected computer, mounting the installed SD card and instantly loading the malware. This clueless user probably couldn’t figure out their phone, or else thought it was “broken” because their infected computer was interfering with the sync and file transfer functionality of the phone so they returned it.

    Vodaphone probably just wiped to factory default and ran their automated QA (not even connecting the phone to a Windows PC or changing the SD card) and went “hmmm…CPU OK, Radio OK, RAM OK, ROM checksum OK”…then they re-packed it and called it “fixed”. Unacceptable but unsurprising (you would be AMAZED at how many “broken” computers and related devices are returned by clueless customers purely because of malware or misconfiguration–it in fact accounts for MOST returns now!). Your “refurbished” computer or device is probably exactly the same as what was returned, just with a factory software restored. And as I said, on the Magic and most other smart phones, the in-built software is not residing on the SD card and so it is quite likely that any malware on it will remain after a factory restore. Stupid, clueless tech support!

    This is not new. Those digital picture frames still very often come with similar infections, as have cameras and so forth..and the problem is mostly with refurbished devices. Some hints:

    * Because Windows (even Vista and 7) are a prime target because of their market share and still have some fundamental flaws in haow they manage security you should NEVER EVER have “autorun” enabled because it is far too exploited by malware

    * Make sure your anti-virus is configured to scan removable devices that you leave connected (this option can be disabled but you shouldn’t)

    * Be very cautious with refurbished and used equipment. Do not plug it into the ethernet or your other computer equipment until you’ve had a look . Andriods should come with a decent filesystem browser such as ASTRO or similar so you can do this (it bugs me that they do not!). Manufacturers focus on HARDWARE it seems when they refurbish and QA on software issues is still extremely shoddy–usually limited to some automated system-image-restore–so you have to be careful about things like included SD cards that those processes do not consider.

  37. miguel
    March 12th, 2010 at 11:25 | #37

    complain all you want. But the final point is:


    I hate to scream at the internet…

    thanks Pedro, this information is VERY useful. I’ll never trust again a device with a flash card inside.

  38. March 12th, 2010 at 11:29 | #38

    hi i agree

  39. Sysadmin
    March 12th, 2010 at 22:34 | #39

    @David in Tucson – Wow the only voice of reason in this whole thread and you’ve been completely ignored. If the corporation management structure of the world would hire qualified IT people and PAY THEM WHAT they’re worth this would be a moot point. David in Tucson I applaud you and hold you in the highest regard!

  40. wwwXpert
    April 16th, 2010 at 17:07 | #40

    Back to the discussion at hand regarding the assertion that vodafone is a channel for malicious apps/spambots.

    I manage all Web initiatives for a Global CPG Company and will confirm this as fact based on data accumulated from daily security server audits spanning 6+ months. Based on the aggregate data, vodafone_spain_network contributes to approximately 7.86% of malicious scans on the Web.

    On a side note, the CEO of vodafone, Vittorio Colao, on Feb 16 2010 asserted that Google doesn’t have enough competition in the online advertising space and urged more regulations too impede Google’s progress. Essentially, Colao doesn’t like Google entering the mobile arena and wants to slow Google’s entry. What I find amusing is that vodafone has been impotent/indifferent in controlling and preventing the continued spread of malware on it’s network which negatively impacts the public. Of all the companies that need some form of regulation, it should be vodafone for the sake of public welfare.

  41. LIL 4
    May 21st, 2010 at 14:34 | #41

    what does this website have to do with panda’s

Comments are closed.