

HTC Android Phones Found with Malware Pre-Installed - sev
http://threatpost.com/en_us/blogs/htc-phones-pre-installed-mariposa-bot-client-030910

======
chaosmachine
From the comments:

 _"Sounds like bollocks to me. 1 phone out of the 1000s sold? Prob a refurb or
some spotty oik in the shop using it before selling it, otherwise this would
definitely have been spotted earlier."_

That sounds about right to me.

------
barbolani
Please stop the FUD. Merely plugging the phone into the PC CANNOT START ANY KIND
OF VIRUS SPREAD UNLESS YOU STILL HAVE THE AUTORUN FEATURE ENABLED. Repeat with
me, many many times. Please do.

There is one thing to hear this from an ordinary user. They can also say such
things as "it low level reformats the disk" without knowing what a low level
format is, or knowing that low level formats have not been possible for a long
long time. They can also say that they steal your satellite dish card codes,
whatever they are.

All of those statements are false and the product of a kind of medieval fear.
It's ok to hear that from users. It's not ok to hear that from seasoned
professionals. Please.

In the same vein: please, copying infected files DOES NOT INFECT THE COMPUTER
THAT DOES THE COPY.

Enough is enough. Virus is an industry that builds on malice (from virus
writers) but also fear and plain ignorance (from antivirus writers).

~~~
ajross
Sure.

Or, y'know, if there's some vulnerability in other code that runs
automatically when devices are inserted or browsed that we don't know about.
There's a ton of that stuff: think desktop integration, thumbnail generation,
file indexing, ...

Repeat with me: the proper, mature response to an incompletely-described
vulnerability profile is not to scream at the top of your lungs denying any
such vulnerability is possible.

Consumer computer systems long ago became so complicated that even smart
technical people like you can't possibly understand how they work at all
levels. Security analysis, however, is a field that can _only_ be practiced
via careful analysis of all levels. Don't fool yourself into thinking you have
a complete understanding of your computer. That's _precisely_ how security
bugs happen.

------
Que
It sounds like they are taking the case from a single phone and trying to create
a pandemic.. I didn't notice anywhere in the article where they cared to test
more than one phone or do any random sampling. Way to blow things out of
proportion.

------
ekpyrotic
Edited.

