CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 27, 2026

Motorola Phones Preinstalled App Found Hijacking Amazon App to Inject Affiliate Codes

Cybersecurity News Archived May 27, 2026 ✓ Full text saved

A hidden system application bundled with Motorola smartphones has been caught intercepting user-initiated Amazon app launches and silently redirecting them through affiliate tracking URLs, raising serious concerns about supply chain integrity, user consent, and undisclosed revenue practices on premium Android devices. The behavior was first reported by a Motorola Razr 60 Ultra user on Reddit, […] The post Motorola Phones Preinstalled App Found Hijacking Amazon App to Inject Affiliate Codes appea

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security Motorola Phones Preinstalled App Found Hijacking Amazon App to Inject Affiliate Codes By Guru Baran May 27, 2026 A hidden system application bundled with Motorola smartphones has been caught intercepting user-initiated Amazon app launches and silently redirecting them through affiliate tracking URLs, raising serious concerns about supply chain integrity, user consent, and undisclosed revenue practices on premium Android devices. The behavior was first reported by a Motorola Razr 60 Ultra user on Reddit, who noticed that tapping the Amazon app icon no longer opened the app directly. Instead, the device launched a browser session pointing to an unfamiliar URL, which subsequently redirected to Amazon.com with an embedded affiliate code. Network traffic analysis revealed that a preinstalled, hidden system app called Smart Feed was the culprit. The app makes outbound requests to devicenative[.]com an external server that appears to supply target app configurations and affiliate codes. When a user taps a shopping app icon in the launcher, Smart Feed intercepts the intent and substitutes it with a browser redirect carrying the monetization payload. The attack flow is straightforward: User taps Amazon (or potentially other shopping apps) in the launcher Smart Feed intercepts the launch intent before it reaches the target app App queries devicenative[.]com for affiliate parameters Browser opens with a redirect URL that resolves to Amazon with an injected affiliate tag User lands on Amazon.com, unaware that revenue credit has been claimed The redirection would go completely unnoticed unless the user had disabled the “Open links in app by default” setting a non-default configuration most users never change. Beyond the obvious financial misconduct, this behavior exhibits traits typically associated with adware and banking trojan techniques: intent hijacking, hidden system-level persistence, and external C2-style communication with a remote server (devicenative[.]com) to dynamically configure targeting. The use of a hidden preinstalled app prevents users from easily discovering or uninstalling it. From a threat modeling perspective, the same architecture that today injects affiliate codes could theoretically be updated server-side to redirect users to phishing pages or credential-harvesting sites. The reliance on an external domain for behavioral instructions is particularly alarming, as it means the app’s functionality can change without any firmware update. The issue has been confirmed on the Motorola Razr 60 Ultra, a flagship device retailing at approximately $1,300. It remains unclear whether the behavior extends to other Motorola models or regional variants. The domain devicenative[.]com suggests a third-party monetization SDK or affiliate partner may be involved rather than Motorola engineering this directly, though that distinction does little to reduce Motorola’s accountability for bundling such software. Motorola has not issued an official statement as of publication. The 9to5Google report from May 25, 2026, brought wider attention to the findings. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security news Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Developer-Targeting Glassworm Malware Abuses npm, PyPI, OpenVSX, and GitHub Russian Hacker Used Jailbroken Gemini to Steal Admin Credentials and Drain Crypto Wallets Hackers Use Six-Layer Persistence to Maintain Access on Compromised FreePBX Systems PyrsistenceSniper – Tool that Detects 117 Persistence Malware Techniques on Windows, Linux, and macOS CISA Warns of LiteSpeed cPanel Plugin Vulnerability Exploited in Attacks Latest News Android New BTMOB Malware Lets Attackers Remotely Control Android Devices Cyber Security News CISA Warns of LiteSpeed cPanel Plugin Vulnerability Exploited in Attacks Cyber Security News GitHub Enterprise Server 3.20.3 Released With Fox for Critical Vulnerabilities Cyber Security News Windows Kernel Vulnerability Allows Attackers to Modify Kernel Memory Counters Press Release Link11 is fully committed to Europe and is opening a Customer Excellence Hub in Lisbon
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 27, 2026
    Archived
    May 27, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗