Vodafone HTC Magic shipped with Conficker, Mariposa malware

Just when you thought you have taken care of all the possible malware infection vectors, flawed quality assurance procedures once again demonstrate the need for a transparent and systematic approach of ensuring that digital devices are shipped malware-free.

In a new blog post, researchers from PandaSecurity are reporting on Conficker, Mariposa and Lineage password stealing malware samples, shipped with a recently purchased Vodafone HTC Magic smartphone.

More details:

• Today one of our colleagues received a brand new Vodafone HTC Magic with Google’s Android OS. The interesting thing is that when she plugged the phone to her PC via USB her Panda Cloud Antivirus went off, detecting both an autorun.inf and autorun.exe as malicious. A quick look into the phone quickly revealed it was infected and spreading the infection to any and all PCs that the phone would be plugged into. Interestingly enough, the Mariposa bot is not the only malware I found on the Vodafone HTC Magic phone. There’s also a Confiker and a Lineage password stealing malware.

This is not an isolated incident, but an emerging trend. Over the past several years, a multitude of different devices have been shipped with malware that made its way through flawed quality assurance procedures.

Here's a brief retrospective of reported cases where digital devices were shipped with malicious software:

• 2006 - Small Number of Video iPods Shipped With Windows Virus
• 2006 - McDonalds' free Trojan: "Would you like malware with that?"
• 2007 - TomTom ships malware on sat-nav
• 2007 - Seagate ships virus-infected hard drives
• 2008 - HP ships USB sticks with malware
• 2008 - Best Buy issues security warning on Insignia digital picture frames
• 2008 - Asus ships Eee Box PCs with malware
• 2008 - Samsung Digital Photo Frame shipped with malware
• 2008 - Malware found in Lenovo software package
• 2008 - Telstra distributes malware-infected USB drives at AusCERT
• 2009 - Malware Found On Brand-New Windows Netbook (M&A Companion Touch)

The Vodafone HTC Magic incident is the second for March, 2010, following the recently reported malware infected Energizer DUO USB battery charger.