PEACHPIT: Ad Fraud Botnet on a Massive Scale - Millions of Hacked Android and iOS Devices

PEACHPIT, an ad fraud botnet, harnessed an army of hundreds of thousands of Android and iOS devices to generate illegal earnings for the scheme’s threat actors.

This botnet is a component of a more extensive China-based operation called BADBOX, which includes the sale of off-brand mobile and connected TV (CTV) devices on well-known online retailers and resale sites. These devices have been compromised with an Android malware strain known as Triada.

[FREE E-BOOK] The Definite Blueprint for Cybersecurity in Manufacturing

“The PEACHPIT botnet’s conglomerate of associated apps were found in 227 countries and territories, with an estimated peak of 121,000 devices a day on Android and 159,000 devices a day on iOS,” as reported by the company.

These viruses are believed to have been disseminated through a collection of 39 apps that garnered over 15 million installations. By utilizing devices infected with the BADBOX malware, the operators managed to gather personal data, establish residential proxy exit nodes, and engage in ad fraud through fraudulent apps.

The method of infiltrating the Android smartphones with a firmware backdoor remains unclear; however, evidence strongly suggests a hardware supply chain attack by a Chinese manufacturer.

“Threat actors can also use the backdoored devices to create WhatsApp messaging accounts by stealing one-time passwords from the devices,” as noted by the company.

“Additionally, threat actors can use the devices to create Gmail accounts, evading typical bot detection because the account looks like it was created from a normal tablet or smartphone, by a real person.”

Trend Micro first documented specifics about this criminal operation in May 2023, attributing it to an adversary identified as Lemon Group.

HUMAN highlighted that over 200 distinct Android device types, encompassing mobile phones, tablets, and CTV products, have displayed signs of BADBOX infection, underscoring the scale of this operation.

A significant aspect of ad fraud involves the utilization of counterfeit Android and iOS apps found on prominent software platforms like the Apple Software Store and Google Play Store. Additionally, apps automatically downloaded onto compromised BADBOX devices contribute to this fraudulent activity.

A module is present within the Android apps that is responsible for producing hidden WebViews, which are then utilized to request, render, and click on advertisements. This action is done while disguising the ad requests as originating from legitimate apps, a strategy previously observed in the case of VASTFLUX.

The fraud protection company stated that it collaborated with Apple and Google to disrupt the operation and emphasized that “the remainder of BADBOX should be considered dormant: the C2 servers powering the BADBOX firmware backdoor infection have been taken down by the threat actors.”

Additionally, an update released earlier this year was found to remove the modules powering PEACHPIT on BADBOX-infected devices as a response to mitigation measures implemented in November 2022.Having said that, there is a suspicion that the attackers are adapting their techniques to evade existing defences.

As per numerous investigations conducted by cybersecurity providers Doctor Web and Check Point, the presence of pre-installed malware on Android devices has been an ongoing issue since at least 2016, primarily spread through low-cost smartphones and tablets.

“What makes matters worse is the level of obfuscation the operators went through to go undetected, a sign of their increased sophistication,” stated HUMAN. “Anyone can accidentally buy a BADBOX device online without ever knowing it was fake, plugging it in, and unknowingly opening this backdoor malware.”