Primed for Malware: Stop Selling Compromised Android Devices

18 hours 25 minutes ago

Time and time again, researchers have found numerous compromised Android devices for sale at large online retailers like Amazon. When these devices get individually reported, we have seen some noted efforts to take them down. But this is a systemic problem and Amazon and other major online retailers must make a corresponding systemic and intentional effort to stop these devices from entering people’s homes and ultimately their networks.

As a refresher: Last year, Google wrote that one major campaign, deemed BADBOX, affected 10 million uncertified devices that were running Android’s open-source software (Android Open Source Project or AOSP). These devices range from TVs and streaming devices to digital picture frames. Even now, someone can go on Amazon and Walmart and buy one of these devices. Not all of them come from Amazon and Walmart, but it’s fair to assume many do, since they have the lion’s share of the market.

Most well-known Android-based devices don’t come with just “stock Android.” The operating system is usually Android plus additional features that the manufacturer wanted. These custom versions of Android often come with pre-installed applications that range from useful to innocuous bloatware to actual malware. Many Android OEMs (original equipment manufacturers) pre-install apps that may not be visibly represented by an icon in your list of installed apps. This obscurity makes it particularly hard for users to identify potential threats.

Since the initial BADBOX analysis, there have been more reports of large campaigns and clusters of different devices participating in malicious activities that utilize people’s home networks to engage in illegal activity. Task forces in the private sector have made an effort to take down these existing Command and Control structures, but these actors may pivot and evolve to flood the market with more devices. 

Online retailers can stop this cycle. A multibillion-dollar company like Amazon should offer more resources, like their anti-fraud efforts, given that these products may have facilitated conditions for large-scale attacks and illegal activity. It would also be helpful if they communicated malware-related takedowns in a more visible way to consumers who are seeking very similar devices with shared characteristics.

Identifying these devices can be tricky, but it’s not impossible because they tend to follow a pattern. For example, the FBI warned consumers this year to avoid TV streaming devices that claim to provide free sports, TV shows, and movies, a common tactic used by the makers of these malware-filled Android devices that leverages people’s exhaustion from spending money on countless streaming services. We detailed what sorts of indicators to look for on a device you’ve purchased.

But it’s not just the storefronts. Other parts of this ecosystem need to improve too: there should be more engagement in firmware transparency, and the actual manufacturers of the devices should be held accountable for these malware-laced products.

On Prime Day, we urge retailers like Amazon to better empower users with information they need to make safe and smart decisions.

Alexis Hancock

EFF, TEDIC and CEJIL Challenge Secrecy in the Use of Face Recognition in Paraguay

20 hours 48 minutes ago

Seeking transparency and accountability in Paraguay’s use of facial recognition, EFF, the Association of Technology, Education, Development, Research, Communication (TEDIC), and the Centre for Justice and International Law (CEJIL) filed a complaint with the Inter-American Commission on Human Rights against the state for arbitrarily denying access to information about its implementation and use of the technology as a tool for mass surveillance that erodes people’s privacy rights. 

The case involves the Ministry of the Interior and National Police’s installation in 2019 of surveillance cameras with facial recognition technology in Asunción. Maricarmen Sequera, a lawyer and executive director of TEDIC, filed an information request with the ministry seeking details and protocols about the implementation and use of facial recognition systems and the personal data processing involved. 

The request sought information about, among other things, whether the state had conducted human rights or data protection impact assessments, as well as if it had developed measures and protocols for avoiding abuses, illicit uses of personal data, and other risks in the deployment of the facial recognition system.

The state denied most of the information requested, arguing that implementation details, protocols, and the processing of individuals' personal data were confidential security information. TEDIC contested the secrecy in court, but the analyses lagged and ultimately sustained the denial of information.

The petition filed last Friday (19) cites Inter-American standards upholding the public’s right to access information, particularly in relation to national security, that the Paraguayan authorities disregarded in denying TEDIC’s information request. The petition also argues that the refusal of information violated privacy and the right to informational self-determination.

The petition asks the Commission to recognize a violation of those rights and require the state to deliver the information requested. Further, the petition seeks an order compelling the state to adopt mandatory permanent mechanisms of active transparency regarding the acquisition, contracting, implementation, financing, functioning, and use of surveillance technologies by public bodies, especially those that incorporate processing of biometric data or artificial intelligence systems. 

It also asks the Commission to order the state to adopt mandatory procedures for human rights impact assessments prior to acquiring and using surveillance technologies, particularly those that collect biometric data or use artificial intelligence.

The state’s lack of transparency in this case is not an isolated incident, either in Paraguay or in Latin America, where opacity in matters of security and surveillance is the unsettling rule. The situation gets worse with the increasing normalization of intrusive surveillance technologies by states in the region.

The Special Rapporteur for Freedom of Expression of the Inter-American Commission emphasized that states should disclose surveillance capabilities and contracts, and acknowledge state use of surveillance technologies at a meaningful level of detail, to facilitate essential public debate on the necessary limitations of surveillance in democratic societies and ensure compliance with international human rights law.

We hope that the Inter-American Commission upholds the robust safeguards in the Inter-American System and advances access to information and privacy rights in a case that can set a crucial precedent for the region.

Karen Gullo

Tell Congress: Don’t Force Age Checks Online

21 hours 5 minutes ago

Congress is preparing to vote on the KIDS Act, a sweeping internet bill that would pressure websites and apps to determine users’ ages before allowing them to read websites, send private messages, or participate in online communities.

Electronic Frontier Foundation

Four Years After Dobbs, Anti-Abortion Lawmakers Keep Coming for Online Speech

21 hours 15 minutes ago

This week marks four years since Dobbs v. Jackson Women’s Health Organization overturned Roe v. Wade’s constitutional protections for people seeking abortion care. Anniversaries are a moment to take stock, and over the last four years, EFF has seen firsthand how digital rights and reproductive rights have become increasingly intertwined. One major way this has happened: the fight over abortion has also become a fight over online speech and government censorship as a steady stream of proposed laws, cease-and-desist letters, lawsuits, and government investigations have targeted the websites and online resources that help people find and learn about reproductive healthcare.

This is an effort by anti-abortion government officials to mold the information ecosystem, restrict what people can read, and cut off the ways people communicate with one another. We’ve watched this build for years, and the encouraging news is that many of these efforts have failed. The worrying news is that they keep coming. And if they’re allowed to succeed, this could have repercussions for freedom of expression online beyond reproductive rights.

Targeting Sites That Just Share Information

The clearest tell that this is also a war on speech is that officials have aimed their efforts not just at abortion providers or the entities that prescribe and sell medication abortion, but also at websites that do nothing more than tell people what their options are, how to find a doctor, and where abortion remains legal.

Cease-and-Desists & Takedown Demands

State attorneys general have been hitting these online information hubs with cease-and-desist letters and takedown demands. Just this month, for example, Alabama Attorney General Steve Marshall sent cease-and-desist letters to multiple groups with abortion-related websites, including Plan C, a public health campaign that provides educational resources and research on abortion access. Plan C doesn’t sell or ship abortion pills. It simply provides information. Marshall’s office nonetheless claimed Plan C’s website “facilitates, aids, and abets” illegal abortion. The Arkansas attorney general similarly sent out cease-and-desists to several organizations regarding their websites, including Mayday Health, which, like Plan C, provides only information and does not directly prescribe or mail pills.

In another example from earlier this year, North Dakota Attorney General Drew Wrigley threatened legal action and ordered the Prairie Abortion Fund to scrub information off of its website, not because the fund sold pills, but because its site linked to several outside informational resources. The Attorney General primarily focused on the fund’s link to Plan C, meaning the biggest alleged issue was a link to a website that links to other websites where pills can be accessed.

What’s especially concerning is that the state doesn’t have to win, or even file, a lawsuit to get what it wants. Especially for smaller organizations and funds, a letter threatening legal action can be enough to chill their speech, causing them to remove important content and go quiet.

Censorship Mandates

Legislators in multiple states have also attempted to make it illegal to share resources on how to obtain an abortion, including on purely informational websites with a national or global audience. South Dakota recently passed a law making it a felony to “advertise” anything “described in a manner calculated to lead another to use or apply it for producing an abortion.” Language this broad can easily apply to websites that simply engage in First Amendment-protected advocacy or provide educational resources. Mayday Health, which operates one such website, has since sued the state in federal court to block the law. The lawsuit argues the law could reach something as small as wearing a sweatshirt that carries Mayday’s web address.

Other state legislatures have made similar efforts. Last year, for example, Texas introduced a bill that would have made it illegal to “provide information” on how to obtain an abortion-inducing drug. If you exchanged emails, had an online chat, or created a website that shared information about legal abortion services in other states, you could have violated this bill. Luckily this particular bill did not pass, but Texas has attempted to pass similar laws for several years now.

Dressing Censorship Up as Consumer Protection

A major way anti-abortion officials are targeting online speech is by weaponizing consumer protection and deceptive advertising laws, claiming that providing information about abortion violates them. This tactic is a threat to free speech rights. The First Amendment protects publishing truthful information on a public issue, and the Supreme Court has expressly said that includes providing information about legal abortion in a state where it is illegal.

Yet states like South Dakota have continued to use deceptive advertising claims to go after abortion speech. Last year, South Dakota sent a cease-and-desist and then filed a lawsuit against Mayday Health for running ads that simply read: “Pregnant? Don’t want to be?” with a link to Mayday’s website. The state claimed the ads were “deceptive.” Mayday then counter-sued in federal court, challenging South Dakota’s actions under the First Amendment. Though the federal judge ultimately declined to step in while the parallel state case was pending, she made a point of saying she believed Mayday’s website constitutes “speech subject to protection under the First Amendment.”

Other states have attempted to run the same play. Missouri sued Planned Parenthood in 2025 under its consumer-protection statute, calling a webpage that says abortion pills are safe an “unfair and deceptive” trade practice. Florida went even further, invoking its RICO law—a law typically used for organized crime—over the same kind of statement. Florida leaned heavily on a single study funded by an anti-abortion think tank, even as major medical organizations and decades of research put the serious-complication rate below half a percent. States should not be able to cherry-pick studies in order to erase online speech.

Going After Intermediaries & Erasing Whole Websites

Some officials aren’t content to restrict only certain abortion-related content—they want the websites gone entirely.

Take, for example, the cease-and-desist letters sent by the Arkansas attorney general last year. Letters were sent directly to internet intermediaries (entities that facilitate use of the internet, such as internet service providers, web-hosting providers, or things like search engines and social media platforms). The letters demanded that both a domain registry company and a web host stop supporting a site that discusses abortion drugs. But as we know, if we cut off the host or the domain, the speech disappears for everyone—not just for people in Arkansas.

Likewise, Texas’s 2025 bill would have required intermediaries to take down abortion-related content. It’s worth remembering that the imposition of civil and criminal liability on intermediaries also conflicts with a federal law that protects online intermediaries’ ability to host user-generated speech, 47 U.S.C. § 230 (“Section 230”), including speech about abortion medication.

The push has gone federal, too. In March 2026, Senator Bill Cassidy and colleagues on the Senate Health, Education, Labor and Pensions Committee pressed the FDA to use every tool it has against online sellers, including leaning on the domain registrars that keep these sites online.

Why This Should Worry Everyone

It’s tempting to see this as limited to the fight over reproductive rights. That would be a mistake. For people seeking care, the immediate harm is obvious: the internet is often the only place to find accurate, potentially life-saving information, and every letter, lawsuit, and takedown threat makes that information harder to find and riskier to share.

But the damage doesn’t stop there. We’re witnessing a live experiment in how to use consumer-protection laws, criminal statutes, and pressure on intermediaries to suppress a disfavored viewpoint, pull information offline, and make websites disappear. To think these tactics can only be used against abortion speech would be naïve. 

We hope courts and legislatures will continue to protect free speech online. But the continued drumbeat of threatening letters, lawsuits, and investigations is its own kind of harm. Here at EFF, we’ll keep defending the right to share and read information online—about abortion, and about everything else.

Lisa Femia