HTC Android Phones Found With Malware Pre-Installed
Trailrunner7 writes "Security researchers have found that Vodafone, one of the world's larger wireless providers, is distributing some HTC phones with malware pre-installed on them. The phone, HTC's Magic, runs the Google Android mobile operating system, and is one of the more popular handsets right now. A researcher at Panda Software received one of the handsets recently, and upon attaching it to her PC, found that the phone was pre-loaded with the Mariposa bot client. Mariposa has been in the news of late thanks to some arrests connected to the operation of the botnet."
It's not a bug (Score:5, Funny)
Re: (Score:2)
It's a perfectly cromulent feature. I mean come on...malware preinstalled? That rocks tits to dust.
Impressive! (Score:3, Interesting)
Is it WINE-compatible, and can WINE even be installed on Android phones?
Re: (Score:2)
Re: (Score:2)
Re:It's not a bug (Score:5, Funny)
You think THAT'S bad - I got my HTC phone with Windows Mobile 6.1 Pre Installed!
Re: (Score:2)
From TFS: "Security researchers have found that Vodafone, one of the world's larger wireless providers, is distributing some HTC phones with malware pre-installed on them."
Does Sony own Vodafone? If so you're probably right; XCP was put in music CDs on purpose. I wouldn't be surprised if this malware was put there on purpose, too, even if Sony doesn't own Vodafone.
Yes, I'm a cynical old fart, but that comes from getting screwed over for decades. Ah, to be young and idealistic again!
Re: (Score:2)
spyware !== malware.
My understanding was that Mariposa is a bot client, not just spyware.
Pre-installed (Score:4, Funny)
Technically, not installed... (Score:5, Informative)
Re:Technically, not installed... (Score:5, Insightful)
That’s a good distinction to make.
Of course I immediately assumed they didn’t really mean “installed”, since it’s a Windows virus and an Android OS...
Re:Technically, not installed... (Score:5, Insightful)
I can't seem to get the original Panda research page to open, so here's the Google cache
http://74.125.113.132/search?q=cache:http://research.pandasecurity.com/vodafone-distributes-mariposa/ [74.125.113.132]
It's funny how TFA treats "a researcher" and "one phone" as "some HTC phones".
Re:Technically, not installed... (Score:5, Insightful)
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
"untrusted devices"
It's not like this phone was bought on eBay or some back alley. This is straight from the manufacturer.
It baffles me that products get through QA and carry viruses, Trojans or other malware. I mean, come on.
Re: (Score:3, Insightful)
I'm not sure about how Vodafone works, but most carriers around here love to brand their phones. The issue itself seems to be isolated to just the Vodafone models, so could it be part of the branding they do with the phones?
Re: (Score:2)
Also, I've received phones from Rogers that have been bought and then returned, with the other person's content still on the SD card - as could easily have been the case with the phone in question. In my case, there were pictures of the guy's trip to New York left on the phone.
Re: (Score:2)
Re: (Score:2)
Interesting. I guess the short version of it is, if you buy a phone, make sure you check it before just plugging it in and letting your computer run stuff off it without permission. You might be the unlucky one.
Then again, you might be lucky... depending on the photos you find.
Re: (Score:3, Funny)
Re: (Score:3, Insightful)
From what you said, several things are glaringly obvious about your set-up.
No antivirus.
You probably didn’t disable autoruns.
Most importantly, UNPATCHED NETWORKED WINDOWS MACHINES. Your firewall is NOT enough to protect them.
Re: (Score:2)
Most importantly, UNPATCHED NETWORKED WINDOWS MACHINES.
Not necessarily.
Some of these types of programs run a single install on the server, which is accessed by all clients over the network.
Meaning, the actual application is loaded from the network drive, not just the data files.
If somebody brought in an old-school file infector, stuck it in the USB port of the server, and ran it on the server, then every exe on the server could be infected. Especially active ones. It would be easy to see the app being run on the server in a development environment. Then, the
Re: (Score:3, Informative)
And if it's an autorun file, that means only XP and earlier, and very stupid users are vulnerable. Vista and 7 don't execute Autorun.exe by default.
Re:Technically, not installed... (Score:4, Informative)
Wrong [wikipedia.org], it was replaced with Autorun.inf, and Vista/7 do execute it if you choose to “Autoplay” the device. I believe the dialog will appear first to ask you what you want to do, but “Autoplay” is the top choice and is selected by default.
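A defender's view of the Autorun.inf mechanism argued over in this thread, as an added example that is not part of any comment here: the Python script below reads a mounted volume's autorun.inf without executing anything and lists the commands AutoPlay would offer to launch. The sample file contents, paths and function names are constructed for illustration.

```python
import os
import tempfile

# Keys in the [autorun] section that name something to execute.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return {key: command} for launch entries in the [autorun] section.

    Tolerant line-based parse: junk lines, comments and odd casing are
    skipped rather than raising, since hostile files are often padded.
    """
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if value and (key in LAUNCH_KEYS or is_verb):
            found[key] = value
    return found


def scan_volume(root):
    """Inspect a mounted volume's root; nothing on it is executed.

    Returns (key, command, target_exists) tuples, or [] if there is no
    autorun.inf or it launches nothing.
    """
    name = next((n for n in os.listdir(root) if n.lower() == "autorun.inf"), None)
    if name is None:
        return []
    with open(os.path.join(root, name), "r", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    report = []
    for key, command in sorted(entries.items()):
        # The program is the first token, or the quoted part if quoted.
        if command.startswith('"'):
            program = command[1:].split('"')[0]
        else:
            program = command.split()[0]
        program = program.replace("\\", os.sep)
        report.append((key, command, os.path.isfile(os.path.join(root, program))))
    return report


# Constructed sample, not taken from the phone in the article.
SAMPLE = """\
; padding line
lkjsdf98sdf junk without equals
[AutoRun]
Open = setup\\loader.exe /quiet
icon=phone.ico
shell\\explore\\command=setup\\loader.exe
"""


def demo():
    """Build a throwaway volume holding SAMPLE and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "setup"))
        open(os.path.join(root, "setup", "loader.exe"), "wb").close()
        with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
            fh.write(SAMPLE)
        return scan_volume(root)
```

Pointing `scan_volume` at the mount point of a new phone's SD card shows what the AutoPlay prompt's default choice would run before anyone clicks it.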
Re: (Score:2)
Re: (Score:3, Informative)
No... it will autoplay if you give it permission to autoplay.
You don’t tell it to. It asks, and the default option is to allow it. All you have to do is click Ok.
Re: (Score:2)
You don't tell it to. It asks. All you have to do is click "Yes".
Re: (Score:2)
My point was that it will autoplay. They added a level of protection, but not much, and the default choice offered with very little fanfare will result in you being infected.
Microsoft has at least gone to great lengths to make UAC unmistakable, inescapable, and demand your immediate and full attention. The device autoplay dialog isn’t anywhere near as scary as a UAC prompt.
Re: (Score:2)
Re: (Score:2)
No, you don’t have to select anything. All you have to do is click “Ok” and let the computer do what it thought was the best idea.
Maybe you think a user is “very stupid” if they autoplay a device that’s fresh out of the box? I don’t...
Re: (Score:2)
99% of the time the user wants to run autoplay, because he's inserting a CD, DVD or a software disk. The only valid thing to do here is to pop that menu and let him "confirm", as you said.
Re: (Score:2)
99% of the time the user wants to run autoplay, because he's inserting a CD, DVD or a software disk. The only valid thing to do here is to pop that menu and let him "confirm", as you said.
I agree. And if the Windows Vista/7 users are just presented an option that 99% of the time would have been correct, but in this case it infects their computer with a botnet client, please explain to me how you figure that this statement is correct:
And if it's an autorun file, that means only XP and earlier, and very stupid users are vulnerable.
Re: (Score:2)
Re: (Score:3, Insightful)
First of all, please learn the difference between <strong> and <a href="">. One is bold, the other is a reference.
Secondly, the “default” choice is still to execute the autorun. You just have to click Ok before it will perform the default action. I never said it autoruns without any prompting whatsoever; it prompts, and the default (highlighted) option is to autorun.
It’s no different from installers that bundle the Google toolbar and the install option is checked by default. It
Re: (Score:2)
First of all, please learn the difference between <strong> and <a href="">. One is bold, the other is a reference.
Don't act like an idiot, it's obvious what I meant.
Secondly, the “default” choice is still to execute the autorun. You just have to click Ok before it will perform the default action. I never said it autoruns without any prompting whatsoever; it prompts, and the default (highlighted) option is to autorun.
So AndrewNeo was right then, not wrong. Jesus. I'm pointing out how you contradicted yourself within one sentence and you wrote an essay about the semantics of autorun.
Re: (Score:2)
In the world of autorun, that is a massive difference.
Not as massive as you make it out to be. This seems like a no-brainer: yeah, install the drivers. So asking the person does virtually no good in this particular case.
Re: (Score:2)
Windows Vista and 7 do not execute *anything* by default, unlike XP. They *ask* if you want to execute.
And the default (pre-selected, highlighted) choice is to execute it.
By the way, XP does not execute anything by default, either. It asks you if you want to execute. If you are holding down the Shift key, that means “no”. If you aren’t, that means “go ahead”. It’s just more obscure and less user-friendly than Vista is, and most people don’t realise they had a choice. But then, if they had wanted a choice, they could have learned how to avoid the autoplay: most users
Re: (Score:2)
Re: (Score:2)
First of all, I didn’t say there was no difference between XP and Vista. There is. Vista asks. That’s a difference. But the default option is still to execute the autorun. It just asks you before it goes ahead and does the default.
Second, you’re still not understanding the full meaning of “default”. Yes, it asks by default now, and XP didn’t. But the prompt that it displays when it asks also has a “default” option, and that default is to execute the autorun.
Re: (Score:2)
The push is toward making computers smarter. Instead of waiting for the user to tell the computer what to do, it figures it out for itself and asks the user to confirm before it does it (don’t laugh, I’m being serious).
Smarter computers make it easier for dumb people to install software and surf the web, because all they have to do is click “Ok”.
And smarter computers also make it easier for dumb people to get infected with malware, because they’re too dumb to know when the answ
Re: (Score:2)
They trusted the manufacturer to sell them a phone that won’t give them brain cancer when they hold it up against their head, and they trusted the manufacturer to sell them a phone that won’t give their computer a virus when they attach it.
Taking a device which creates and uses radio waves and holding it up to your head is just as much a choice as clicking “Ok” when your computer asks you whether it should autoplay the device, and reasonable users don’t expect either action to
Re: (Score:2)
Maybe, but we can only hope the user will use the menu to select import photos or invoke the phone's bloated Windows software package instead of autoplaying.
Anyway, even if the user runs the autoplay, it will still need to pop a UAC prompt to do anything nasty (well install itself as part of a botnet, oh for the old days when viruses just deleted your files and popped up a dialogue saying ha ha, no UAC needed there).
Re: (Score:2)
Typical device installation process: Insert, wait for the hardware drivers to install, Autoplay, confirm UAC, wait until the software drivers install.
You just don’t expect your new hardware to come bundled with malware. It’s that simple.
Hell, I never install the software packages that come with cameras, etc. You don’t need them, they’re bloated, all of the things you just said. But people who do install them are “stupid”? No, I wouldn’t call them that.
Re: (Score:3, Funny)
Re: (Score:2)
Well, that’s not exactly what it says... and I certainly wouldn’t expect the Autoplay on a new phone to be a virus, straight out of the box. Bloated and unnecessary, yeah, which is why I probably wouldn’t install it... but not malware. I’m no dummy, but even I wouldn’t expect that.
Re: (Score:2)
You’re misunderstanding the meaning of “default”. If prompts, messages, or warnings do come up, the default option is what is performed if I click “Ok” without selecting something different.
You can prevent the “default” autoplay in Windows XP by holding down the Shift key.
You can prevent the “default” autoplay in Vista/7 by clicking “Cancel” or choosing a different option in the prompt.
But in both cases, the default is to autoplay the device.
Re: (Score:2)
it was just present on the phone's flash drive waiting to try to infect any OS stupid enough to automatically run programs from untrusted devices.
Since when is my own phone an "untrusted device"?
Re: (Score:2)
accidental mod correcting
Re: (Score:2)
Re: (Score:2)
That’s why it is a trusted device.
I trust them to build phones that are safe and to respect my privacy, and to ensure that nobody who isn’t trustworthy will get their hands on one of the phones before the customer does.
Re:Technically, not installed... (Score:5, Insightful)
Re: (Score:2)
How the heck do you get data on or off the damn thing??
You don't need to do that.
Re: (Score:2)
The apps that need that kind of thing (like ebook apps) usually just open an HTTP server on the phone you can connect to from your computer over the network.
Re: (Score:2)
Re: (Score:2)
If you read the article, it's the SD card that's infected. Which, no, wouldn't affect an iPhone since there isn't an SD slot. Question is, where did the SD card ship from? Vodafone or HTC?
Re: (Score:2)
Exactly. This isn't an argument in support of Apple locking down the iPhone app store, it's an argument for preventing Macs from using flash drives. Is that what you want?
Re:Technically, not installed... (Score:5, Informative)
Oh? (Score:3, Insightful)
I agree it has nothing to do with Android, but that case had most certainly something to do with Apple. They use those crappy manufacturing facilities to save a few bucks and then save even more by not doing proper QA.
And before you claim how innocent and harmless this is, consider what is happening to Toyota. Or the numerous quality issues with products from China and god knows how many more places. In order to maximize profits (because you can't claim cost savings are passed on to the consumer with App
Re: (Score:2)
Re: (Score:2)
Isn't that a bit like drawing the erroneous distinction that because Typhoid Mary was asymptomatic she was not sick?
Um, yes, but it’s not erroneous. She wasn’t sick.
Re: (Score:2)
If you have no symptoms, you are not sick. It doesn't matter what viruses or bacteria you may be playing host to. That's exactly what vaccines are about: giving you immunity such that if you are infected with a virus it doesn't make you sick.
In short: you're completely and utterly wrong.
Easy way to stop this from happening (Score:5, Insightful)
There's absolutely no excuse for this. If you contract out development or manufacturing and that leads to this kind of security risk, there's still no excuse. Unfortunately as of right now there are few if any consequences associated with this type of negligence -- which means that companies aren't going to do much to improve their security practices.
Re: (Score:2)
If companies that distribute devices that come pre-loaded with malware were fined heavily for each instance
Nice try - we've invented class-action lawsuits to protect the corporations from this problem. And corporations, as currently constituted, make sure nobody is actually liable for anything* they do.
I mean, not 'we', but the corporations. Or, um, the government. Sorry I get so confused these days where the lines are.
* for very large values of 'anything'.
Re: (Score:2)
This is a self-correcting situation. Government fines not required.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Please (Score:5, Funny)
Re: (Score:2)
Re: (Score:3, Funny)
Apparently you think the Mariposa botnet is a... Linux distro? What are you smoking?
Probably something similar to the (now ex-) QA employees
Re: (Score:3, Funny)
You know Android has hit the big leagues (Score:5, Insightful)
When people are trying to slander it. They're blaming everyone under the sun, when the most likely vector is a store employee who simply plugged the device into a computer and copied the file to the flash drive.
Re: (Score:3, Funny)
The bigger problem is that this is HTC, who also produces the Nexus for Google proper. Even if the attack vector was an employee at the store, it gives people a moment of pause. When was the last time you saw a Blackberry, Palm, Nokia, LG, Windows Mobile, or iPhone distributed with Malware from the store? (Other than anything with vCast)
Re: (Score:2)
Wish I had mod points for the vCast slam. I laughed for a good minute or two.
It *has* happened before (Score:2)
When was the last time you saw a Blackberry, Palm, Nokia, LG, Windows Mobile, or iPhone distributed with Malware from the store?
It has happened before. And on a much bigger and worse scale.
Today's situation is only about 1 single infected phone (Did it get plugged into an infected machine at the store? Was it deliberate by one employee?)
On /. we already did have stories of virus pre-loaded Apple iPods [slashdot.org] and McDonald's MP3 players [slashdot.org].
They got Windows machines infected which were used as part of their standard QA/Test procedure to test the hardware before shipping it.
Thus *whole batches* of product got infected from that windows testin
Re: (Score:2)
It's also conspicuous that it's only the Vodafone version of the handset, which suggests the fault lies much further down the chain than HTC.
Re: (Score:2)
It's also conspicuous that it is one phone from one employee of a company that is hawking its own anti-malware software.
Did they not even think of buying more phones to confirm it? Shouldn't they, you know, be helping the cops deal with it before they warn whoever put it there?
Re: (Score:2)
Yes, but it says phones. No way the headline and summary would be referring to just one phone like that. No way at all.
One article clearly is talking about only one phone. The other is quite obviously getting its info from the other, and the expansion from "phone" to "phones" is not justified. I.e. somebody read too much into the first article and is assuming that this is not an isolated occurrence.
Now, admittedly, for the phone that an employee of an antivirus company purchases to be the only one unlucky
Re: (Score:2)
Now THAT's Multitasking! (Score:3, Funny)
Queue the parade of iPhone drummers.
BTW, I wonder if this is one of the patents Apple is suing over
Re:Now THAT's Multitasking! (Score:5, Funny)
Re: (Score:2)
And even then, the malware has to be G-rated, since Apple really cares about you.
Re: (Score:2)
On the plus side, you can talk on the phone while your malware is busy updating to its CC server. Unfortunately, you have to choose between the malware and playing Monopoly, though.
Re: (Score:2)
"Cue". As in, signal to start. "Queue" is an in-order line of some sort, like the queue for an amusement park ride.
Re: (Score:2)
....like the queue for an amusement park ride.
Or the queue of iPhone drummers..... :)
When, where, how... (Score:2)
Since this appears to be a lone incident, it’s obvious that it didn’t come “straight” from the manufacturer, and it might not even be their fault.
Then again... if a lot more of these infected phones start turning up, there probably is an infected computer somewhere at the manufacturer and the phones are being plugged into it in the process of setting them up.
First order of importance, of course, is to send somebody to the end of the assembly line and start checking random phones righ
Sue the company (Score:2)
Re: (Score:2)
You can’t sue a Chinese company, so I assume you mean the US company that imported the stuff? You’d have to show them to be grossly negligent, I think, and simply importing goods from China isn’t grossly negligent until this sort of thing is much more widespread. If you know that imported goods from China are probably loaded with spyware, then yeah, importing them and then distributing them without checking them would be negligent, but we’re not there yet.
Re: (Score:2)
"You can’t sue a Chinese company, so I assume you mean the US company that imported the stuff? "
You don't do much international business, do you? Yes you can sue a foreign company.
*goes back to dealing with China on an RMA*
Re: (Score:2)
Good luck making them pay you.
Re: (Score:2)
Patented! (Score:2)
So, is THIS what Apple was suing HTC over at the International Trade Commission? Does Apple have a patent on preloaded malware on smartphones?
Re: (Score:3, Funny)
So, is THIS what Apple was suing HTC over at the International Trade Commission? Does Apple have a patent on preloaded malware on smartphones?
If they do I'm sure Microsoft can claim prior art.
Re: (Score:2)
No, it does not come preloaded, but there's an app for that.
Aha, it's an ad for Panda software (Score:5, Insightful)
Following the linked article, and following that to the original post, we find that first off, it's a single phone, not more than one that had this malware, and we are informed of the software that detected this, coincidentally the commercial product the researchers are working on:
I'm rushing out today to buy this software that can do such feats as detecting this malware. They have a Linux version, right?
Re: (Score:2)
They have a Linux version, right?
Yes [pandasoftware.com].
C'mon slashdot. 1 phone, uncorroborated (Score:5, Insightful)
Next we'll be reading stuff like "My best friend's sister's boyfriend's brother's girlfriend heard from this guy who knows this kid who's going with the girl who saw Ferris pass out at 31 Flavors last night. I guess it's pretty serious. He might have Mariposa, or Conficker or something. Better get Ferris some AntiVirus software from PandaAV"
Re: (Score:2)
I'm always torn on these sorts of things. I agree with the idea of adding a grain of salt to these sorts of things. But at the same time, it gives us all a chance to weigh in and/or be exposed to stories that might make the rounds through other channels (I know, I know, "Other-news-aggregation-site had it first"). And while I sometimes tire of the noise, I also tend to find it more useful to be forearmed when said noise makes it in to some meeting or discussion and I don't feel broadsided by it.
Re: (Score:2)
Nothing; however, when you plug it into your Windows box, that computer will be infected.
Second, if that kind of virus can slip through, what other viruses will make it on to the phone?
And to join the parade of Apple fans: isn't that why mounting the phone as a drive is dangerous?
Re: (Score:2)
I also bought a HTC Magic from them and feel like suing them right now.
Dear Sir,
We applaud your noble sentiments, and encourage any and all litigation for any offenses, real or imagined. We assure you that, with the proper degree of zeal, any country can be transformed into an environment that encourages the unbridled growth of our industry.
Sincerely,
Every Lawyer Not In The Beautifully-Litigious United States