HTC Magic ships to Vodafone with trojan bot
updated 03:50 pm EST, Wed March 10, 2010
Vodafone Spain sells HTC Magic with trojan, more
Vodafone Spain was recently found to have accidentally shipped HTC Magic handsets infected with a trojan virus called Mariposa. Other malware was also found on the handsets, and the harmful software tried to gain access to a user's computer when the phones synced with it. Vodafone has publicly stated that the problem was an isolated one in the local Spanish market, and was found out because an HTC Magic buyer happened to work for a Spanish anti-virus company, Panda Security.
Panda Security researcher Pedro Bustamante said the malware contacts its "home base" for further instructions. Also found on the handset in question was Confiker and a Lineage password-stealing code, says Panda. No other HTC Magic handsets from Vodafone were found to be infected with this malware.
The Magic is no longer offered by Vodafone, although for reasons unrelated to the spyware infection. [via RegHardware]
Fresh-Faced Recruit
Joined: Apr 2001
What happened?
HTC better figure out what went wrong and fast:
Does the phone come with Android embedded in the ROM, or is the Android OS installed on the phone much the same way Windows is installed on a PC?
If Android is embedded in the ROM, is the malware also in the ROM, or was it loaded up after Android was installed?
Where in HTC's manufacturing practice could an external malware be placed inside production?
Is HTC sure this is local problem? This was only discovered because a security expert in Spain bought a phone. Why would this be an issue only in Spain? Is special software only for a particular country added to the phone after production and the malware was added there, or is this more than just a local issue.
This shows a weakness with the Android OS. Apple controls everything on the iPhone and the OS is in the ROM. Windows is installed in PCs built by various manufacturers, but the master disks are a Microsoft product, and Microsoft certifies each Windows vendor. Both the iPhone and Windows had a single party responsible for the product.
If malware shows up on the iPhone, the blame would lay squarely with Apple. If a Windows machine out of the box had malware on it, Microsoft would immediately move to find out what went wrong: Was the software in Windows' base OS, or was it in the software installed by the manufacturer. And, if it was by the manufacturer, why didn't the certification process find the issue.
The problem with Android is that there is no certification process. Anyone can create an Android handset by simply using the source code. Cellphone manufacturers make their own modifications in the Android OS. There is no certification process put out by Google or the Open Handset Alliance.