I order to get a device that is not explicitly compromised with custom targeted malware one could: take a walk, enter a random shop, buy a device. Now you only have the standard malware that everyone gets preinstalled on their devices.
How to keep it free of custom targeted malware? That is another question!
With a target like Snowden who is under constant surveillance and lives at the whim of his host country, he could expect that any off the shelf hardware he bought would be immediately compromised. His hosts would just make up some bullshit reason to part him from the device for several minutes and do an evil maid attack. Or from afar his hosts or another country's actors could exploit undisclosed vulnerabilities in his device's wifi or bluetooth layer that they have in their toolkit.
How to keep it free of custom targeted malware? That is another question!