Motorola Preinstalled App Hijacks Amazon for Affiliate Codes

A hidden system application bundled with Motorola smartphones has been identified intercepting user-initiated Amazon app launches. This preinstalled app then silently redirects them through affiliate tracking URLs. The discovery raises serious concerns about supply chain integrity, user consent, and undisclosed revenue practices on premium Android devices.

The behavior was first reported by a Motorola Razr 60 Ultra user on Reddit, who noticed that tapping the Amazon app icon no longer opened the app directly. Instead, the device launched a browser session pointing to an unfamiliar URL, which subsequently redirected to Amazon.com with an embedded affiliate code.

Network traffic analysis revealed that a preinstalled, hidden system app called Smart Feed was the culprit. The app makes outbound requests to devicenative[.]com an external server that appears to supply target app configurations and affiliate codes.

When a user taps a shopping app icon in the launcher, Smart Feed intercepts the intent and substitutes it with a browser redirect carrying the monetization payload.

The attack flow is straightforward:

• User taps Amazon (or potentially other shopping apps) in the launcher
• Smart Feed intercepts the launch intent before it reaches the target app
• App queries devicenative[.]com for affiliate parameters
• Browser opens with a redirect URL that resolves to Amazon with an injected affiliate tag
• User lands on Amazon.com, unaware that revenue credit has been claimed

The redirection would go completely unnoticed unless the user had disabled the “Open links in app by default” setting a non-default configuration most users never change.

Beyond the obvious financial misconduct, this behavior exhibits traits typically associated with adware and banking trojan techniques: intent hijacking, hidden system-level persistence, and external C2-style communication with a remote server (devicenative[.]com) to dynamically configure targeting. The use of a hidden preinstalled app prevents users from easily discovering or uninstalling it.

From a threat modeling perspective, the same architecture that today injects affiliate codes could theoretically be updated server-side to redirect users to phishing pages or credential-harvesting sites.

The reliance on an external domain for behavioral instructions is particularly alarming, as it means the app’s functionality can change without any firmware update.

The issue has been confirmed on the Motorola Razr 60 Ultra, a flagship device retailing at approximately $1,300. It remains unclear whether the behavior extends to other Motorola models or regional variants.

The domain devicenative[.]com suggests a third-party monetization SDK or affiliate partner may be involved rather than Motorola engineering this directly, though that distinction does little to reduce Motorola’s accountability for bundling such software.

Motorola has not issued an official statement as of publication. The 9to5Google report from May 25, 2026, brought wider attention to the findings.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.