Did You Unexpectedly Receive A Smartwatch In The Mail? It's Probably Laced With Malware

Attempts at or unintended incidents of tracking military members have been happening for years, such as when the Strava running app leaked the location of military bases thanks to a published heat map of running locations. Now, however, a threat actor is either being incredibly precise, or companies are just trying to bump their metrics on Amazon by sending potentially malware-ridden smartwatches to US Army personnel.

Earlier in June, the Army’s Criminal Investigation Division (CID) posted a lookout warning regarding smartwatches received by mail. Reportedly, service members across all military branches were randomly receiving unsolicited smartwatches in the mail. These watches, if used, would auto-connect to WiFi and connect to cell phones unprompted, giving them access to “a myriad of user data.” The concern is that the sender of these unsolicited smartwatches may have tampered with them to include malware that would send back banking information, contact details, and account credentials, among other potentially sensitive information.


A less sinister potential reason for this unsolicited smartwatch ordeal is something called ‘brushing.’ This is where a scammer, typically a foreign third-party seller online, sends out products to addresses to make it appear that the receiver is a verified product buyer. Then, it can write a review as the receiver to boost the scam company’s statistics online, thereby increasing potential sales, which outweighs the cost of lost products.

Regardless of whether there is a sinister intelligence operation behind this or a company simply bumping fake reviews, it is not recommended that anyone use unrequested free stuff sent in the mail. For military members, the CID asks that if you receive a ‘free’ smartwatch, do not turn it on, report it to your local counterintelligence, security manager, or submit a tip through the CID’s reporting portal.