Amazon Is Still Shipping Malware Into Your Home

Cheap Android boxes, tablets, and streaming sticks keep arriving pre-infected, and the biggest retailers keep selling them.

Image: Android TV box connected to a home network. Cheap Android devices keep arriving with malware already in the firmware. (Credit: Reanimated Man X / Pexels)

Amazon and Walmart still list cheap Android devices that ship with BADBOX malware built into the firmware. The compromise happens at the factory, so the malware is already inside before you ever turn the device on.

The device is compromised before you open the box. On June 25, 2026, EFF said again what security researchers have been documenting for years. Amazon and Walmart still list cheap Android TV boxes, streaming sticks, digital picture frames, and children's tablets that ship with malware already built into the firmware. You do not download it. You do not click anything. It arrives with the hardware.

The malware has a name. BADBOX. Google confirmed that roughly 10 million uncertified devices running the Android Open Source Project were infected by the original campaign. The malicious apps hide with no visible icon, so nothing on the home screen tells you the device is working against you. Once the box connects to your network, it joins a botnet and routes other people's criminal traffic through your home internet connection. Your IP address becomes the cover for someone else's fraud.

The compromise is built in during manufacturing. The buyer never does anything to cause it. The code is loaded into the system image during production, which is why a factory reset does nothing and there is no app to uninstall. The buyer never had a clean device to protect. By the time the box is sealed and listed for sale, the compromise is already part of the product. Researchers at Human Security and its Satori Threat Intelligence team traced how the infrastructure works, and Google has taken legal action against the operators behind BADBOX. The devices keep coming anyway.

None of this is happening in some grey-market corner. These products sell through the largest retailers in the country, with star ratings, customer reviews, and fast shipping. The FBI warned consumers about infected streaming devices in June 2025. In January 2026, researchers reported BADBOX 2.0 and a separate botnet called KimWolf still spreading through the same channels. Private task forces disrupt the command and control servers, the listings get pulled one at a time, and new sellers flood the same marketplaces with fresh stock. The takedown model treats each device as an isolated bad apple instead of a supply chain that keeps producing them.

You lose control over your own network. A children's tablet that runs ads in the background while it carries botnet traffic is an uninvited node sitting inside your home, talking to servers you cannot see, on behalf of people you will never identify. You bought a screen for your kid and handed an attacker a foothold behind your router. The device itself is the source of the exposure.

EFF is right to push the responsibility onto the retailers. Amazon and Walmart have the scale, the data, and the anti-fraud machinery to screen for this, and they spend that effort protecting their own payment systems. They have chosen not to spend it on what they ship into customers' homes. EFF wants systemic malware screening, visible warnings when compromised products are removed, and real engagement with firmware transparency so buyers can tell a clean device from a hostile one. A platform that can detect a fake review in seconds can afford to check whether the hardware it sells is already infected.

You cannot configure your way out of a device that arrived hostile. Every internet-connected box you plug in is a trust decision, and the cheapest options on the biggest marketplaces are the ones most likely to betray that trust on day one. Buy fewer connected devices. Favor hardware from manufacturers who can be held accountable for what runs underneath. Treat an unknown Android box the way you would treat a stranger's USB stick, because functionally that is what a pre-infected device is.


FAQ

What is BADBOX?

BADBOX is malware pre-installed on cheap Android devices during manufacturing. Google confirmed it infected around 10 million uncertified devices, turning them into botnet nodes that route criminal traffic through the owner's home network.

Can a factory reset remove this malware?

No. The code is built into the device firmware, so it survives a factory reset and there is no app to uninstall. The device is compromised before the buyer ever turns it on.

Which devices are affected?

Reports cover cheap Android TV boxes, streaming sticks, digital picture frames, and children's tablets sold through major retailers including Amazon and Walmart.

How do I avoid buying a compromised device?

Avoid the cheapest uncertified Android boxes from unknown brands, buy hardware from manufacturers who can be held accountable, and reduce the number of internet-connected devices you plug into your home network.

Why are these still on sale?

Retailers remove individual listings when devices are reported, but new sellers keep restocking. There is no systemic screening at the point of sale, so the same compromised hardware returns under different listings.