Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jun 29, 2026 · 8 min read

Budget Android Phones Ship With Malware Preinstalled

The EFF is calling on Amazon and Walmart to pull compromised devices. The malware arrives before first boot — and can intercept your email credentials and 2FA codes.

A budget Android phone under the tree, in a back to school backpack, or sitting in a carrier store display might be running criminal software before anyone touches the power button. On June 25, 2026, EFF researcher Alexis Hancock published a detailed call to action demanding Amazon and Walmart stop selling Android devices that arrive preloaded with malware. The malware in question is not a theoretical risk — it belongs to the BADBOX campaign, a documented supply chain operation that cybercriminals embed into device firmware between the factory floor and the retailer shelf.

BADBOX has infected over 10 million uncertified Android devices globally. Google filed a federal lawsuit in July 2025 against 25 Chinese entities it alleged were operating the botnet. Neither the lawsuit nor the FBI public service announcement that followed it removed compromised devices from sale. As of the EFF's June 2026 report, they remain available on two of the largest retail platforms in the United States.

Key Takeaways

  • EFF researcher Alexis Hancock, writing on June 25, 2026, documented budget Android devices sold on Amazon and Walmart that arrive with the BADBOX malware preinstalled in their firmware.
  • BADBOX 2.0, first disclosed by HUMAN Security in March 2025, has infected over 10 million uncertified Android Open Source Project devices across 222 countries — including 18.2% located in the United States. Source: HUMAN Security Satori Report
  • The malware can steal email login credentials, intercept two factor authentication codes, and silently enlist devices as residential proxy nodes for criminal operations.
  • Google sued 25 Chinese entities over BADBOX 2.0 in July 2025 in the Southern District of New York, yet infected devices remained on sale through major US retailers as of the EFF's June 2026 report.
  • Devices built on Android Open Source Project firmware — sold without Google Play certification — have no built in protection against firmware level backdoors.

What Is BADBOX?

BADBOX is a supply chain compromise targeting cheap Android devices built on Android Open Source Project (AOSP) firmware — the version of Android that manufacturers can use without Google's certification requirements. Because these devices never undergo Google's security review, attackers embed a Triada trojan variant directly into the firmware image during production or at some point in the distribution chain before the box reaches a retailer. The device passes any basic startup check. Nothing looks wrong. The backdoor is already running.

BADBOX 2.0, disclosed by HUMAN Security in March 2025, represented a significant escalation from the original campaign. Where the first BADBOX infected roughly 74,000 devices, version 2.0 grew to over one million confirmed devices within weeks of discovery. By July 2025, Google's legal filing described the total affected population as exceeding 10 million devices. The botnet spans 222 countries, with 18.2% of compromised devices located in the United States — roughly 1.8 million American homes.

The device categories documented include Android TV boxes, streaming sticks, digital picture frames, tablets, and mobile phones — all sold under generic or unfamiliar brand names, most priced to attract buyers who cannot afford premium hardware. That pricing is not coincidental. The EFF's Hancock makes the structural argument plainly: when a device sells for far below its manufacturing cost, someone else is paying for it. In the BADBOX model, that payment comes from selling access to the buyer's network, data, and device resources.

What Does the Malware Actually Do?

BADBOX malware operates through command and control servers that issue instructions to infected devices over encrypted channels. The capabilities documented by HUMAN Security and the FBI cover several distinct categories of harm.

A budget Android smartphone in retail packaging next to a warning symbol, representing preloaded malware in consumer devices

Credential theft and account takeover. BADBOX 2.0 steals login details from the device, including saved passwords, session tokens, and — critically — two factor authentication codes. Attackers use these to take over accounts across email platforms, banking apps, and social media. A phone that asks you to log into Gmail on first setup and already has a credential harvester in its firmware is capturing that login as you type it.

Residential proxy abuse. The botnet converts infected devices into proxy nodes, routing third party internet traffic through the device's home IP address. Criminal operations use residential IPs to run credential stuffing attacks against banking and retail platforms, because requests from a home address bypass most IP reputation filters. Ad fraud operations use the same traffic to simulate legitimate human ad views — a market that generates direct revenue for the botnet operators.

Silent app installation and fake account creation. The malware can install additional APKs without user interaction and create fraudulent accounts across platforms. In January 2026, a BADBOX connected botnet — KIMWOLF — launched the largest distributed denial of service attack ever recorded at the time: 31 terabytes per second from 2 million devices. The same infrastructure that steals credentials is also available for hire as a cyberweapon.

The malware hides from the app drawer. It does not appear in installed apps lists. It does not show a notification. It runs invisibly, communicating with command and control servers on a schedule its operators control remotely.

Why Are Retailers Still Selling These Devices?

The EFF's Hancock argues that Amazon and Walmart already possess the detection and enforcement infrastructure to address this problem. Both platforms deploy sophisticated fraud detection systems to protect their own revenue — they identify fake reviews, fraudulent sellers, and counterfeit goods at scale. Applying comparable scrutiny to device firmware is not technically impossible. It is a policy choice.

The EFF's recommendations are directed at retailers specifically: implement systematic firmware vetting for Android devices sold through their platforms, require suppliers to demonstrate that devices carry Google Play Protect certification or an equivalent verified security standard, and pull products from sale once a supply chain compromise is confirmed. The letter draws a direct comparison to how these same retailers respond to other known dangerous products — they remove them. Electronics with documented backdoors, the EFF argues, should receive the same treatment.

The gap between Google's July 2025 lawsuit and the EFF's June 2026 report is twelve months. In that period, BADBOX 2.0 compromised millions of additional devices, a related botnet set a DDoS record, and the FBI issued a public warning. Compromised hardware remained available for purchase. That gap is the policy problem the EFF is trying to close — and it is not unique to Android. The Popa botnet infected 2.5 million smart TV boxes through the same dynamic: cheap connected hardware, no firmware transparency, and retailers that had no mechanism to flag compromised products before they reached consumers.

What This Means for Your Email and Inbox

A phone with BADBOX firmware is not a safe place to check email. The credential theft component targets login events — the moment you authenticate to Gmail, Outlook, Yahoo Mail, or any other provider is precisely when the malware has the most valuable data to intercept. Saved passwords, session cookies, and OAuth tokens stored on the device are accessible to any module the command and control server deploys. So are the two factor authentication codes your email provider sends to the device as a second layer of protection.

This matters beyond the individual account. Email is the recovery mechanism for almost every other online account you have. A compromised email account means an attacker can reset your banking password, your cloud storage, your work accounts, and every other service that sends password reset links to your inbox. A budget phone that arrived with BADBOX firmware is not a minor privacy inconvenience — it is a persistent, invisible threat sitting at the center of your digital identity. Android's existing zero-day vulnerabilities compound the risk: a device that ships with firmware malware and never receives security patches is exposed on two fronts simultaneously.

The firmware level nature of the infection is what makes this threat category different from a malicious app download. You cannot uninstall BADBOX. A factory reset does not remove it. The malware is part of the operating system the device shipped with, and the only clean path for most consumers is to stop using the device entirely.

How to Reduce Your Risk

The most effective protection happens before purchase. BADBOX has overwhelmingly targeted AOSP devices — hardware that lacks Google Play Protect certification. Google maintains a list of certified Android devices at android.com/certified. If a device is not on that list, it has not passed Google's security review, and it is in the high risk category for firmware supply chain compromise.

  • Check for Play Protect certification before buying. Devices advertised as offering free streaming content, running generic brand names, or priced significantly below comparable certified hardware are the primary targets documented in BADBOX research.
  • Watch for unusual data and battery use. BADBOX operates continuously, communicating with command and control servers. Unexplained background data consumption or battery drain on a new device is worth investigating.
  • Do not use unknown brand Android devices for sensitive logins. If you own a device that may be compromised, treat it as untrusted hardware. Do not log into email, banking, or any account where a credential theft would cause serious harm.
  • Use unique passwords and hardware security keys where possible. A hardware security key (FIDO2) cannot be intercepted by malware the way a software 2FA code can, because authentication requires physical interaction with the key.
  • If you own a potentially affected device, consider replacement. There is no reliable consumer tool to detect or remove firmware level malware on AOSP devices. The EFF's own guidance points toward hardware replacement as the realistic remediation path.

The EFF's broader ask — that retailers enforce firmware vetting as a condition of sale — is the only intervention that addresses the problem at scale. Individual consumer vigilance matters, but the 10 million devices already compromised by BADBOX 2.0 demonstrate that expecting buyers to audit firmware before purchase is not a workable defense. The problem was introduced before the box was sealed. Fixing it requires accountability at the point of sale.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.