Mostly from China. I’m not quite convinced that the Chinese government isn’t involved.

From iPods to navigation systems, some of today’s hottest gadgets are landing on store shelves with some unwanted extras from the factory: pre-installed viruses that steal passwords, open doors for hackers and make computers spew spam.
[…]
Recent cases reviewed by The Associated Press include some of the most widely used tech devices: Apple iPods, digital picture frames sold by Target and Best Buy stores, and TomTom navigation gear.

In most cases, Chinese factories — where many companies have turned to keep prices low — are the source.
So far, the virus problem appears to come from lax quality control, perhaps a careless worker plugging an infected music player into a factory computer used for testing, rather than organized sabotage by hackers or the Chinese factories.
[…]
Jerry Askew, a Los Angeles computer consultant, bought a Uniek digital picture frame to surprise his 81-year-old mother for her birthday. But when he added family photos, it tried to unload a few surprises of its own.
When he plugged the frame into his Windows PC, his antivirus program alerted him to a threat. The $50 frame, built in China and bought at Target, was infected with four viruses, including one that steals passwords.
[…]
Security experts say the malicious software is apparently being loaded at the final stage of production, when gadgets are pulled from the assembly line and plugged in to a computer to make sure everything works.
If the testing computer is infected — say, by a worker who used it to charge his own infected iPod — the digital germ can spread to anything else that gets plugged in.
[…]
In one case, digital frames sold at Sam’s Club contained a previously unknown bug that not only steals online gaming passwords but disables antivirus software, according to security researchers at CA Inc.