TL;DR: EFF's Alexis Hancock published "Primed for Malware: Stop Selling Compromised Android Devices" on June 25, 2026, a public call on Amazon and Walmart to stop selling BADBOX-laced Android gear ahead of Prime Day. The number on the table is from Google: BADBOX already compromised 10 million uncertified devices running Android Open Source Project (AOSP), the open-source build that ships on off-brand TVs, streaming boxes, and digital picture frames. EFF's framing is that the storefronts, not just the manufacturers, are the lever. The FBI weighed in earlier this year with its own consumer advisory on "free TV" streaming devices. And Google Cloud's January 28, 2026 takedown of the IPIDEA residential proxy ring tied the BADBOX 2.0 and Kimwolf botnets to the same operational cluster behind 13 proxy/VPN brands [1][2][3].
What EFF Is Asking For
EFF's June 25 post is short, and it is meant to land on a deadline. Hancock's ask is direct: "Amazon and other major online retailers must make a corresponding systemic and intentional effort to stop these devices from entering people's homes and ultimately their networks" [1].
EFF is targeting two retailers in particular, Amazon and Walmart, on the logic that they sit on what the post calls "the lion's share of the market." That figure traces back to Forbes's June 2025 global retailer ranking, which EFF links to in the article [1]. The argument is that if the two largest storefronts treat BADBOX gear like a category to be policed, the rest of the retail pipeline follows. Hancock is explicit on what the call is NOT: it is not asking only for individual take-downs of known-bad listings. "Task forces in the private sector have made an effort to take down these existing Command and Control structures, but these actors may pivot and evolve to flood the market with more devices" [1].
That "pivot and evolve" line is the heart of the EFF post. The bad actors do not need to defeat Amazon's brand-registry integrity checks one model at a time. They run a refresh cycle, the same way legitimate Chinese ODMs run a refresh cycle, and the listings come back under new ASINs.
Where the 10 Million Number Comes From
The "10 million" figure that anchors EFF's call traces back to Google. "Google wrote that one major campaign, deemed BADBOX, affected 10 million uncertified devices that were running Android's open-source software (Android Open Source Project or AOSP)," Hancock writes [1].
These are not Samsung TVs or Roku boxes. They are off-brand AOSP set-top units, streaming dongles, and digital photo frames that do not go through Google's compatibility testing and do not carry Google Play Services. The "uncertified" label is the load-bearing word: there is no Play Protect, no SafetyNet attestation, no built-in malware scan. Whatever the device ships with is what it runs, and the user has no way to tell the difference from the outside [1].
The post is also clear that 10 million is the floor, not the ceiling. "Since the initial BADBOX analysis, there have been more reports of large campaigns and clusters of different devices participating in malicious activities that utilize people's home networks to engage in illegal activity" [1]. The follow-on clusters are Kimwolf and BADBOX 2.0, both covered in KrebsOnSecurity's January 2026 reporting and in Google Cloud Threat Intelligence's January 28, 2026 IPIDEA write-up.
What the Malware Actually Does
Two functions, both of which put the affected home network inside someone else's attack surface.
First, the malware turns the device into a residential proxy node. According to Google Cloud Threat Intelligence's January 28, 2026 write-up of the IPIDEA takedown, the cluster ran roughly 7,400 Tier Two proxy relay nodes at the time of writing, with daily fluctuation. Those nodes were being consumed by "over 550 individual threat groups" observed in a single seven-day period in January 2026, attributed by Google to threat actors in China, North Korea, Iran, and Russia [3]. The threat groups were using the proxy pool to route traffic through real residential IP addresses, which is how they get past fraud-detection heuristics that block datacenter ranges.
Second, the malware is hidden in plain sight. EFF cites the same pattern Google Cloud identified: many AOSP builds ship with pre-installed apps "that may not be visibly represented by an icon in your list of installed apps." Hancock: "This obscurity makes the issue particularly hard for users to identify any potential threats" [1]. The user cannot scan for what they cannot see, and "factory reset" on these devices frequently does not actually remove the offending package because it lives in a read-only system partition.
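The two properties described above, a package with no launcher icon and a package that survives factory reset because it sits on a read-only partition, can both be read off a device's own package inventory. The following is an added example, not code from EFF or Google; it parses constructed samples of the output of `adb shell pm list packages -f` and of the launcher-activity query (`cmd package query-activities --brief -a android.intent.action.MAIN -c android.intent.category.LAUNCHER`) and lists the packages that match both properties. Package names and paths in the samples are invented.

```python
import re

# Constructed sample of `adb shell pm list packages -f` output (not from a real device).
# Each line has the form `package:<apk path>=<package name>`.
SAMPLE_PACKAGE_LIST = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Launcher3/Launcher3.apk=com.android.launcher3
package:/data/app/~~abc==/com.example.player-1/base.apk=com.example.player
package:/system/app/SysUpdateSvc/SysUpdateSvc.apk=com.example.sysupdate
package:/vendor/app/NetSdkHost/NetSdkHost.apk=com.example.netsdkhost
"""

# Constructed sample of the launcher query output: only the `<package>/<activity>`
# component lines are parsed, so header or count lines are ignored.
SAMPLE_LAUNCHER_QUERY = """\
3 activities found:
  com.android.settings/.Settings
  com.android.launcher3/.Launcher
  com.example.player/.MainActivity
"""

# A factory reset wipes /data; packages on these partitions come back untouched.
READ_ONLY_PARTITIONS = ("/system/", "/vendor/", "/product/", "/system_ext/", "/odm/")

def parse_package_list(text):
    """Map package name -> APK path from `pm list packages -f` output."""
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"package:(.+)=([\w.]+)$", line.strip())
        if m:
            pkgs[m.group(2)] = m.group(1)
    return pkgs

def parse_launcher_packages(text):
    """Set of package names that expose a launcher icon."""
    return {m.group(1) for m in re.finditer(r"^\s*([\w.]+)/", text, re.M)}

def triage(package_list_text, launcher_text):
    """(package, path) pairs on a read-only partition with no launcher icon.
    Many legitimate system services also match, so a hit is a review
    candidate to compare against the vendor's published image, not proof."""
    pkgs = parse_package_list(package_list_text)
    visible = parse_launcher_packages(launcher_text)
    return sorted((name, path) for name, path in pkgs.items()
                  if path.startswith(READ_ONLY_PARTITIONS) and name not in visible)

if __name__ == "__main__":
    for name, path in triage(SAMPLE_PACKAGE_LIST, SAMPLE_LAUNCHER_QUERY):
        print(f"{name:32} {path}")
```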
Google's January 28 write-up also named 13 ostensibly independent proxy and VPN brands that all ran on IPIDEA infrastructure: 360 Proxy, 922 Proxy, ABC Proxy, Cherry Proxy, Door VPN, Galleon VPN, IP 2 World, IPIDEA, Luna Proxy, PIA S5 Proxy, PY Proxy, Radish VPN, and Tab Proxy [3]. The same SDKs (PacketSDK, CastarSDK, HexSDK, EarnSDK) showed up across all of them, so buying what looks like a privacy product on top of an infected streaming box tends to make the problem worse, not better.
The FBI Has Now Warned Consumers Directly
EFF's piece links an FBI cyber alert the bureau published earlier this year, "Evading Residential Proxy Networks: Protecting Your Devices From Becoming a Tool for Criminals." The alert's consumer guidance, as quoted in the EFF post, is to avoid "TV streaming devices that claim to provide free sports, tv shows, and movies, a common tactic used by the makers of these malware-filled Android devices that leverages people's exhaustion from spending money on countless streaming services" [1][2].
That framing is the same one EFF has used in past years, and the FBI adopting it is the official-level confirmation. The alert came after the January 28 Google Cloud disclosure, and EFF's post is built to keep the consumer-facing pressure on retailers through Prime Day.
What Amazon Could Do, According to EFF
Hancock's post does not leave the ask vague. She lists three concrete moves she wants to see retailers make, and they double as a benchmark readers can check after Prime Day ends [1]:
- "A multi-billion dollar company like Amazon should offer more resources, like their anti-fraud efforts, given that these products may have facilitated conditions for large scale attacks and illegal activity."
- Communicate take-downs more visibly. EFF has long argued that consumers do not get told which products were removed from sale for malware reasons, so the same model numbers keep getting recommended in forums.
- Push for firmware transparency and manufacturer accountability beyond the storefront. "It's not just the storefronts. There are other parts of this ecosystem that need to improve too, like increased engagement in firmware transparency and the actual manufacturers of the devices themselves being held accountable for these malware laced products."
EFF has form here. The current post links back to a 2023 EFF investigation that found an off-brand Android TV box "sold on Amazon" pre-loaded with malware, and a separate 2023 investigation of a kids' tablet that came pre-loaded with sketchyware. The June 25 post is the third escalation in a thread EFF has been running for three years, and it lands at Prime Day for a reason.
What to Watch
Three inflection points are visible right now.
- Prime Day take-downs. Prime Day is the visible test. If Amazon removes BADBOX-flagged listings at scale and posts a public take-down log with model numbers, EFF's ask was met. If the listings simply rotate to new SKUs under the same ODM names, that is the pattern Hancock warned about.
- Google Play Protect coverage on certified devices. Google Cloud's January 28 disclosure noted that Play Protect was updated to warn, remove, and block future installs of apps containing IPIDEA SDKs on certified Android devices. Watch for that protection list to expand to additional SDKs as more clusters get attributed to the same actors.
- FBI IC3 enforcement pipeline. The FBI alert cited by EFF was the public face. Behind the scenes, IC3 takes consumer complaints and routes them to field offices. If consumer reports spike during Prime Day around specific streaming boxes, that is the input channel for an actual seizure-and-forfeiture action, which is how the IPIDEA cluster got disrupted in the first place.
Sources
- [1] EFF Deeplinks, Alexis Hancock: "Primed for Malware: Stop Selling Compromised Android Devices" (June 25, 2026)
- [2] FBI Cyber Division: "Evading Residential Proxy Networks: Protecting Your Devices From Becoming a Tool for Criminals" (2026)
- [3] Google Cloud Threat Intelligence: "No Place Like Home Network" (January 28, 2026)