As reported by Infosecurity earlier this month, Panda Security's research division – PandaLabs – said that one of its staffers had purchased an HTC smartphone and, after connecting the phone to a desktop PC, was surprised to see an alert for a Mariposa botnet infection popping up.
At the time, Vodafone said it was likely to be an isolated incident, but, since then, other reports of infections have surfaced in Spain and nearby countries.
PandaLabs says that it has investigated a second HTC Magic smartphone and found it to be infected in the same way as the first one.
According to the Spanish-headquartered IT security firm, an employee at another IT security company, S21Sec, checked his recently acquired HTC Magic and found the Mariposa malware.
"This guy had also purchased an HTC Magic direct from Vodafone's official website the same week as my co-worker", said Pedro Bustamante of PandaLabs in his security blog.
"He hadn't connected the phone to his PC yet, but as soon as he saw the news hurried back home, plugged it in via USB, and scanned its memory card with both MalwareBytes and AVG Free. Lo and behold, Mariposa emerged again, exactly in the same way as in our original finding."
PandaLabs then connected the S21Sec employee's microSD card to its research computers and found that the smartphone was loaded with the malware on March 1, around a week before he had received the phone from Vodafone.
"This Mariposa botnet client is also loaded in the same hidden NADFOLDER directory. It is also named as AUTORUN.EXE and will automatically run when connected into a Windows machine unless you have autorun disabled", said the PandaLabs blog.
Vodafone has apparently retracted its earlier claim that the first incident was an isolated one, and said that an investigation has revealed a batch of around 3,000 memory cards were infected.
In a press statement, the cellular company said: "Vodafone takes security of its customers very seriously and there is an ongoing investigation into the issue."
"After an extensive quality assurance testing on HTC Magic handsets in several of our operating companies, indications are that this is a local incident in Spain. Vodafone keeps all of its security processes under constant review as new threats arise and we will take all appropriate actions to safeguard our customers' privacy."