An employee of another Spanish security vendor found the same malware pre-installed on the same model phone this week bought directly from Vodafone. The same Mariposa malware was found on the phone bought by the S21sec employee, in precisely the same location on the microSD memory card, which is supplied by the mobile carrier, in this case, Vodaafone. The incident is not an isolated incident after all, as the concerned party had claimed last week. In a statement, the company said they still believe the incidents to be limited to Spain.
Source: https://threatpost.com/mariposa-bot-found-pre-loaded-second-vodafone-handset-031810/73707/