Security researchers report that malware has been discovered on a Vodafone HTC Magic smartphone running Google's Android operating system.
The discover comes just days after battery producer Energizer acknowledged that the Windows software it had been distributing for its Duo USB charger was infected with a Trojan.
"Here is yet another example of a company distributing malware to its userbase. Unfortunately it probably won't be the last," said Panda Security researcher Pedro Bustamante in a blog post.
Bustamante said that when a colleague connected a brand new Vodafone HTC Magic to her PC, anti-virus software detected both an autorun.inf and autorun.exe as malicious.
"A quick look into the phone quickly revealed it was infected and spreading the infection to any and all PCs that the phone would be plugged into," he said.
Analysis of the malware revealed that it was a Mariposa bot client.
"Once infected you can see the malware 'phoning home' to receive further instructions, probably to steal all of the user's credentials and send them to the malware writer," said Bustamante.
"There's also a Confiker and a Lineage password stealing malware. I wonder who's doing QA at Vodafone and HTC these days," he said.
According to Bustamante, the malware is on the phone's memory card and not the Android's file system.
This means the malware could have been loaded by a malicious employee or the phone could be a returned and refurbished unit not properly checked for malware before being re-issued.
"Either way Vodafone needs to better quality assure these before shipping out to customers," he said.
Panda Security plans to acquire more HTC Magic phones to see if the infection is isolated or more widespread.