A quick analysis of the malware reveals that it is in fact a Mariposa bot client.

Every android phone *can* be plugged into any PC or Mac via USB. Under windows it works just like any other insert digital medium (CD, DVD, Flash Drive). Upon being plugged in, it opens the folder and executes the file specified in autorun.ini. This would be the vector a bot herder/malware researcher would use to launch it’s “spread” and stay infected. As long as nobody notices the files on the phones, users would just keep getting re-infected every time they plug in their phone to download their photos. One speculation that may be responsible is: “the SD card” since all that someone would need to do is put “files” in the root of the SD card for them to execute. So the question might be instead be: “How would someone slip a file onto a flash card before it’s inserted into a phone?”.

Interestingly enough, the Mariposa bot is not the only malware I found on the Vodafone HTC Magic phone. There’s also a Confiker and a Lineage password stealing malware.

Why did it take so long for a person to notice malware on the phone? The HTC Magic is one of the most popular smart-phones in the UK. In the US, T-mobile branded this product as the “myTouch 3G“, and that phone has a massive pop. Where is the supporting evidence on the phone? The only “proof” we have so far is a few windows screen shots. I’m intrigued by this and it will be interesting to see what comes to light. I’ll keep you updated when I hear more.