An ad fraud botnet known as PEACHPIT has exploited thousands of Android and iOS devices to generate unlawful profits for the threat actors responsible for the scheme.
This botnet is part of a larger operation called BADBOX, originating from China, which involves the sale of off-brand mobile and connected TV (CTV) devices on popular online marketplaces and resale sites. These devices are tainted with Android malware called Triada.
“BADBOX is a complex, interconnected series of fraud schemes, the scale of which is virtually invisible from the surface.”
Details about PEACHPIT
The PEACHPIT botnet’s network of associated apps was discovered in 227 countries and territories, reaching a peak of 121,000 Android devices and 159,000 iOS devices daily.
Infections occurred through 39 apps that were downloaded more than 15 million times.
The malware-infected devices enabled the operators to steal sensitive data, establish residential proxy exit peers, and carry out ad fraud through fraudulent apps.
The method of compromising Android devices with a firmware backdoor remains unclear, but it is suspected to involve a hardware supply chain attack.
This backdoor also allows threat actors to create messaging accounts on platforms like WhatsApp by pilfering one-time passwords from the compromised devices.
Additionally, it enables them to create Gmail accounts that appear legitimate and evade bot detection.
What do we know about it?
This ad fraud operation was initially documented by Trend Micro in May 2023, attributing it to a group known as Lemon Group.
HUMAN, a fraud prevention company, identified over 200 different Android device types, including mobile phones, tablets, and CTV products, that showed signs of BADBOX infection.
What’s more concerning?
A distinguishing feature of this ad fraud is the use of counterfeit apps available on major app marketplaces like the Apple App Store and Google Play Store, as well as apps automatically downloaded onto compromised BADBOX devices.
These apps contain a module responsible for creating hidden WebViews, which are then used to request, render, and click on ads while disguising the ad requests as legitimate app activities.
HUMAN collaborated with Apple and Google to disrupt the operation, leading to the takedown of the C2 servers powering the BADBOX firmware backdoor infection.
However, in response to mitigation measures implemented in November 2022, an update released earlier this year removed the modules responsible for PEACHPIT from BADBOX-infected devices.
The attackers are suspected of adjusting their tactics to evade detection. The level of obfuscation employed by the threat actors highlights their increased sophistication.
Consequently, individuals could purchase a BADBOX device online without realizing it is fake, unwittingly opening the door to this backdoor malware.
Security Is an Ongoing Process
Threat actors are creative! PEACHPIT within the larger BADBOX operation is evidence that intruders have many ways to exploit your data.
It calls for a broader conversation about device integrity, supply chain security, and the responsibility of online marketplaces to ensure the authenticity and security of the products they host.