Motorola phones have started hijacking the Amazon app to insert affiliate codes

vine

Article by Ben Schoon on 9to5Google

Quote:

A truly bizarre situation on Motorola phones has led to the software hijacking the Amazon app to inject an affiliate code – even on the $1,900 Razr Fold.

The shady use of affiliate codes has become unfortunately common in recent years, with the most high-profile example being the PayPal-owned browser extension Honey. But a new situation on Motorola smartphones might top the charts in terms of sketchy behavior.

An app update on Motorola phones has started hijacking the Amazon app for the sake of injecting an affiliate code. To do that, tapping the app icon opens the user’s browser and immediately redirects to the Amazon app. It’s a “blink and you missed it” moment. This only happens when the user opens the Amazon app from the app drawer – not the homescreen pages.

... the whole article is at https://9to5google.com/2026/05/25/motorola-amazon-app-hijacking-behavior/

userofgos

vine See here: https://xcancel.com/GrapheneOS/status/2059764784464027702#m

The code was added by a company making functionality bundled by Motorola, likely as a form of insider attack where a developer working for that company included it to direct money to themselves. It wouldn't have been relevant to a GrapheneOS device.

It doesn't make any sense for a company to add referral codes directing money to an obscure Instagram influencer. The logical explanation based on the initial facts and the response is a developer working for Device Native or a dependency they used slipped it in to get money.

This is a regular issue in the software world. It often takes the form of someone obtaining control of a library dependency, app or extension which then ships adware or malware. This was only referral code injection. Look at all the recent supply chain attacks on npm, pypi, etc.

It looks like a form of supply chain attack doing something which wasn't authorized by Motorola.

GrapheneOS

vine The original article indicated it wasn't authorized through it being tied to an obscure Instagram account and now https://9to5google.com/2026/05/27/motorola-amazon-app-unintended/ has been published confirming it. There will hopefully be details about what went wrong from Motorola but it wasn't a decision by them to do this. It looks like a rogue contractor or employee working for a company making code for a component they use for something like a news feed for their launcher. It's not clear if this was done by a rogue contractor or employee vs. the company they were contracting this out to doing it without authorization vs. a supply chain compromise of a dependency. More details would be nice, but it hasn't been long since it happened. It could also be that the company making code they use provides this as an option and it was accidentally enabled, but the fact that it used a code tied to an obscure Instagram account makes that seem unlikely.

brev

Weird. Rogue employee potentially?

FunkTastic

brev That's why a separate non-stock secure OS matters.

whiskeywalrus

This is major news elsewhere, and accounting for GOS Motorola partnership, it would be interesting to get some response from the team on the situation.

de0u

whiskeywalrus What sort of response?

As I understand the plan, once GrapheneOS is installed on a Motorola device there would be zero Motorola apps, shopping apps or otherwise.

If tomorrow some Google app that is not part of GrapheneOS misbehaves, what sort of response would be expected from the GrapheneOS project?

whiskeywalrus

de0u more in the sense that they're partnering with a company that's potentially engaged in this type of behavior. I don't doubt GOS on Motorola devices will be secure. They aren't partnering with Google.

de0u

whiskeywalrus I don't speak for the GrapheneOS project, but I would expect comments from the project to be about the partnership: hardware details, availability dates, perhaps terms of the agreement (but also perhaps not). I would not particularly expect comments about application software unrelated to the partnership, especially not before details are nailed down.

But we'll see!