The digital photo frame on your shelf may look like it's cycling through vacation photos. Behind that slideshow, if it came from an unfamiliar third-party seller on Amazon or Walmart, it may be quietly routing bank fraud, phishing operations, and cyberattacks through your home internet connection.
The FBI issued public warnings in January and June 2026 confirming that millions of low-cost connected devices, including picture frames and streaming boxes, are arriving in homes preloaded with what security researchers call residential proxy software. Criminal networks pay device manufacturers, typically overseas, to embed the software at the factory level before the product ships. When you plug the device in, it phones home to a criminal server and registers your internet connection as available for rent. Fraudsters, bot operators, and attackers then pay to route their traffic through your address. The Digital Citizens Alliance, which tracks this category of crime, estimates that 20 million U.S. homes currently have at least one infected device.
A Wall Street Journal investigation this week demonstrated that the threat is still very real. The outlet bought five low-cost devices from Amazon and Walmart – digital photo frames and budget streaming boxes, purchased for under $800 total – and found every one connecting to criminal proxy networks immediately after being powered on. In a shielded test environment, investigators observed active denial-of-service attacks and repeated attempts to access the devices' own hardware controls in real time.
Several things on a box or product listing reliably signal risk. Streaming boxes advertised as "unlocked" or as a way to watch paid content for free were a consistent warning sign. The FBI's January 2026 advisory also flags devices that ask you to disable Google Play Protect during setup, and any device that directs you to download apps from stores other than Google Play. No legitimate streaming device requires you to turn off your device's security scanner to function.
If you want to check an Android streaming device you already own, open the Google Play Store app, tap your profile icon in the top right, go to Settings, then About, and look for "Play Protect certification." A safe device will show "Device is certified." If it says anything different, or if the Play Store isn't present at all, treat the device as suspect.
With digital photo frames, check whether your frame uses an app called Uhale to receive photos from your phone. If so, unplug it from your Wi-Fi. The Uhale app was a key delivery mechanism for malware. You can also check whether a digital picture frame uses the app by browsing the product listing on Amazon, opening Alexa for Shopping, and asking “What app does this product use?” In my testing, it positively identified the Uhale app for brands listed as malware channels by security researchers.
Have a lot of devices in your home and not sure where to start? Spur, an internet intelligence firm, offers a free public tool that instantly analyzes whether your home IP address is already registered as a proxy node. If the site reports "Observed Risks," unplug any connected devices you picked up from third-party marketplace sellers and run the test again to confirm your IP address is no longer at risk. If you use a VPN or Apple's iCloud Private Relay, make sure to turn them off before you run the test.
Going forward, stick to connected devices from established brands you can identify, and skip anything unusually cheap from a seller you've never heard of. Neither Amazon nor Walmart has a system for verifying the software on connected devices sold by third-party sellers. Criminal networks specifically seek out residential IP addresses, the kind assigned to home internet accounts, because banks and fraud-detection systems find them much harder to flag than traffic from data centers. If an IP trace leads to your front door before investigators rule you out, that's a serious problem regardless of your innocence.
Read more: The Best VPNs for Protecting Your Privacy
[Image credit: Suzanne Kantra/Techlicious generated by ChatGPT]
