Buyers of Used Devices Increasingly Find Malware

Buyers of used laptops and PCs are increasingly reporting the discovery of malware that automatically connects devices to botnets for DDoS attacks. This is reported by "Izvestia," citing Daniel Glushakov, an analyst at the Cyber Threat Monitoring Center of Spikatel. He refers to an analysis of thematic forums and social media communities.

The increase in such cases was confirmed by Anton Chemiakin, head of the analytical department of Servicepipe. According to Vadim Soldatenkov, head of the "Garda Anti-DDoS" product group at "Garda," one cannot rule out the intentional resale of infected devices to expand botnets. In such a scheme, attackers purchase cheap equipment, install modified firmware with a malicious component, and sell it on the secondary market. The buyer receives a device that appears to function normally but starts working for the attacker from the moment it is turned on.

At the same time, cybersecurity expert Dmitry Kalinin from "Kaspersky Lab" stated that the company has not recorded any schemes of mass resale of "clean" devices after infection. Ashot Oganesyan, founder of the data leak intelligence and dark web monitoring service DLBI, also believes that intentional infection during repair or resale is unlikely.

"Botnets bring attackers mere cents per device and are only profitable in cases of capturing tens or hundreds of thousands of devices. It happens that unscrupulous sellers install Trojans on phones and computers that then go up for sale, but these malware are aimed at stealing information from banking applications, not creating botnets," he said.

According to experts, malware is much more often installed at the production stage. Chemiakin noted that budget Android gadgets from unknown brands may connect to botnets immediately upon activation. Dmitry Kalinin confirmed that cases of pre-installed malware have been detected even in new devices.

“For example, the Kimwolf backdoor was discovered in the firmware of some Android set-top boxes. There have been cases where an insecure configuration of the set-top box firmware led to infection by Kimwolf and other similar backdoors,” he said.

Botnets can include not only computers and smartphones but also any devices with Wi-Fi access: TV set-top boxes, network drives, and home appliances. According to Soldatenkov, devices in the "Internet of Things," such as routers and IP cameras, are particularly vulnerable. In the case of second-hand devices, the risk increases if the previous owner did not update the firmware and used weak passwords.

Glushakov believes that the rise in reports of infected devices may be related to improved cyber hygiene: more users are installing antivirus software and detecting hidden threats. He noted that the Kimwolf botnet, which attacked companies worldwide, included more than 1.8 million infected Android devices, from tablets to smart photo frames.

Experts recommend that when purchasing second-hand equipment, one should immediately reinstall the operating system from an official image, perform a factory reset on smartphones, and install applications only from official stores. Before connecting a device to the home network, it should also be checked with antivirus software.
