Primed for Malware: Stop Selling Compromised Android Devices

Researchers have repeatedly found Android devices pre-loaded with malware sold on Amazon and other major online retailers, with one campaign affecting 10 million devices. The Electronic Frontier Foundation calls on Amazon to systematically prevent these compromised devices from entering homes and networks, noting that the problem persists despite individual takedowns.

Time https://www.eff.org/deeplinks/2023/05/android-tv-boxes-sold-amazon-come-pre-loaded-malware and time https://www.eff.org/deeplinks/2023/11/low-budget-should-not-mean-high-risk-kids-tablet-came-preloaded-sketchyware again, researchers have found numerous compromised Android devices https://github.com/DesktopECHO/T95-H616-Malware/tree/main for sale at large online retailers like Amazon. When these devices get individually reported, we have seen some noted https://techcrunch.com/2023/11/16/childrens-tablet-has-malware-and-exposes-kids-data-researcher-finds/ efforts to take them down. But this is a systemic problem and Amazon and other major online retailers must make a corresponding systemic and intentional effort to stop these devices from entering people’s homes and ultimately their networks. As a refresher: Last year, Google wrote https://blog.google/innovation-and-ai/technology/safety-security/google-taking-legal-action-against-the-badbox-20-botnet/ that one major campaign, deemed BADBOX https://www.humansecurity.com/company/satori-threat-intelligence/badbox/ , affected 10 million uncertified devices that were running Android’s open-source software Android Open Source Project or AOSP . These devices span from TVs and streaming devices to digital picture frames. Even now http://www.wsj.com/video/series/in-depth-features/how-millions-of-digital-home-devices-are-secretly-powering-cyberattacks/F411AC06-C2A2-4F0E-8617-93A1CA95B340 , someone can go on Amazon and Walmart and buy one of these devices. Not all of them come from Amazon and Walmart, but it’s fair to assume since they have the lion’s share of the market https://www.forbes.com/sites/mariagraciasantillanalinares/2025/06/12/the-worlds-largest-retailers-2025-amazon-tops-list-of-global-retailers-ahead-of-tariff-impact/ . Most well-known Android-based devices don’t come with just “stock Android.” The operating system is usually Android plus additional features that the manufacturer wanted. These custom versions of Android often come with pre-installed applications that range from useful to innocuous bloatware to actual malware. Many Android OEMs original equipment manufacturers pre-install apps that may not be visibly represented by an icon in your list of installed apps. This obscurity makes the issue particularly hard for users to identify any potential threats. Since the initial BADBOX analysis, there have been more https://krebsonsecurity.com/2026/01/who-operates-the-badbox-2-0-botnet/ reports https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/ of large campaigns and clusters of different devices https://darknetdiaries.com/episode/172/ participating in malicious activities that utilize people’s home networks to engage in illegal activity. Task forces in the private sector have made an effort https://cloud.google.com/blog/topics/threat-intelligence/disrupting-largest-residential-proxy-network to take down these existing Command and Control https://ssd.eff.org/glossary/command-and-control-server structures, but these actors may pivot and evolve https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/ to flood the market with more devices. Online retailers can stop this cycle. A multi-billion dollar company like Amazon should offer more resources, like their anti-fraud efforts https://trustworthyshopping.aboutamazon.com/2025-trustworthy-shopping-experience-report holding-bad-actors-accountable , given that these products may have facilitated conditions for large scale attacks and illegal activity. It would also be helpful if they communicated malware-related take downs in a more visible way to consumers who are seeking very similar devices with shared characteristics. Identifying these devices can be tricky, but it’s not impossible because they tend to follow a pattern. For example, the FBI warned consumers this year https://www.fbi.gov/investigate/cyber/alerts/2026/evading-residential-proxy-networks-protecting-your-devices-from-becoming-a-tool-for-criminals to avoid TV streaming devices that claim to provide free sports, tv shows, and movies, a common tactic used by the makers of these malware-filled Android devices that leverages people’s exhaustion from spending money on countless streaming services. We detailed what sorts of indicators https://www.eff.org/deeplinks/2025/06/fbi-warning-iot-devices-how-tell-if-you-are-impacted to look for on a device you’ve purchased. But it’s not just the storefronts. There are other parts of this ecosystem that need to improve too, like increased engagement in firmware transparency https://blog.google/security/bringing-binary-transparency-to-the-android-ecosystem/ and the actual manufacturers of the devices themselves being held accountable for these malware laced products. On Prime Day, we urge retailers like Amazon to better empower users with information they need to make safe and smart decisions.