Traces of the now defunct Mariposa botnet has been found on another HTC Magic from Vodafone in Spain, security company Panda wrote in a blog post on Wednesday.
The malware was once again found on the SD card that shipped with the Android-based smartphone.
At the time of the original report, on March 8, a Vodafone spokesman said "it appears to be an isolated incident", and Panda's senior research adviser Pedro Bustamante thought it was an issue with a specific refurbished phone.
However, a second occurrence is too much of a coincidence, and shows it could be a bigger problem with quality assurance or a specific batch of phones, according to Bustamante. Panda also found a copy of the Win32/AutoRun worm on the phone's memory card, he said.
An employee at Spanish security company S21sec found second infection and sent the card to Panda. The phone was purchased directly from Vodafone's Web site in the same week as the first phone, Bustamante wrote.
Vodafone's investigation into the first report is still ongoing, a Vodafone spokesman said. He also reiterated that Vodafone takes this extremely seriously, and will make any changes that are deemed necessary.
The original blog post caused quite a bit of stir, and reactions "ranged from applause for uncovering this to accusing us of making it up," according to Bustamante.
The incident also proved to be a boost for Israeli security company DroidSecurity. Its mobile device security software was downloaded by 10,500 new users within 24 hours of the first report, the company said on Wednesday.