Samsung Wave smartphone ships with malware

A number of Samsung's new Wave handsets have shipped with malicious code on a memory card included with the device, the manufacturer has confirmed.

Wave, which became available in the UK on Tuesday, runs on the Samsung-developed Bada platform. Some of the shipped S8500 smartphones include a microSD card with software allowing the unit to synchronise with Windows.

A number of those microSD cards included a malicious file called slmvsrv.exe which launches automatically when the device is connected to Windows, if the operating system's autorun feature is enabled, according to security researchers. A PC infected with the malware will try to copy the program and its associated autorun.inf file on to any removable storage device inserted into the infected computer, they said.

Sean Sullivan, a security advisor with security firm F-Secure, said the company has confirmed that the file has infected some users' systems. "We have telemetry indicating this is in the wild (but quite limited)," Sullivan wrote in a blog post on Wednesday.

Samsung said the problem was limited to some microSD cards sold with Wave phones in Germany. The problem has now been resolved, and the products available to the market are now safe to use, it added.

The company stated that the version of Wave available in the UK was not affected. Moreover, Vodafone clarified in a statement that the Wave handset it sells in the UK does not include a microSD card.

Experts have warned that the rise in threats to mobile hardware is real and growing, as cybercriminals turn their attention to new outlets for their malware. Other consumer products to have been infected by malware at the manufacturing stage include TomTom satellite navigation devices and video iPods.