An ad fraud botnet dubbed PEACHPIT leveraged an army of hundreds of thousands of Android and iOS devices to generate illicit profits for the threat actors behind the scheme.
The botnet is part of a larger China-based operation codenamed BADBOX, which also entails selling off-brand mobile and connected TV (CTV) devices on popular online retailers and resale sites that are backdoored with an Android malware strain called Triada.
“The PEACHPIT botnet’s conglomerate of associated apps were found in 227 countries and territories, with an estimated peak of 121,000 devices a day on Android and 159,000 devices a day on iOS,” HUMAN said.
The infections are said to have been realized through a collection of 39 apps that were installed more than 15 million times. Devices fitted with the malware allowed the operators to steal sensitive data, create residential proxy exit peers, and commit ad fraud through the bogus apps.
It’s currently not clear how the Android devices are compromised with a firmware backdoor, but evidence points to a hardware supply chain attack.
“Threat actors can also use the backdoored devices to create WhatsApp messaging accounts by stealing one-time passwords from the devices,” the company said.
“Additionally, threat actors can use the devices to create Gmail accounts, evading typical bot detection because the account looks like it was created from a normal tablet or smartphone, by a real person.”
Details about the criminal enterprise were first documented by Trend Micro in May 2023, attributing it to an adversary it tracks as Lemon Group.
HUMAN said that it identified at least 200 distinct Android device types, including mobile phones, tablets, and CTV products, that have exhibited signs of BADBOX infection, suggesting a widespread operation.
A notable aspect of the ad fraud is the use of counterfeit apps on Android and iOS made available on major app marketplaces such as the Apple App Store and Google Play Store as well as those that are automatically downloaded to backdoored BADBOX devices.
Present within the Android apps is a module responsible for creating hidden WebViews that are then used to request, render, and click on ads, and masquerading the ad requests as originating from legitimate apps, a technique previously observed in the case of VASTFLUX.
The fraud prevention firm noted that it worked with Apple and Google to disrupt the operation, adding “the remainder of BADBOX should be considered dormant: the C2 servers powering the BADBOX firmware backdoor infection have been taken down by the threat actors.”
What’s more, an update pushed out earlier this year has been found to remove the modules powering PEACHPIT on BADBOX-infected devices in response to mitigation measures deployed in November 2022.
That having said, it’s suspected the attackers are adjusting their tactics in a likely attempt to circumvent the defenses.
“What makes matters worse is the level of obfuscation the operators went through to go undetected, a sign of their increased sophistication,” HUMAN said. “Anyone can accidentally buy a BADBOX device online without ever knowing it was fake, plugging it in, and unknowingly opening this backdoor malware.”