An ad fraud botnet named PEACHPIT has compromised a multitude of devices, including hundreds of thousands of Android and iOS devices, to generate illicit profits for the cybercriminals behind the scheme.

The origins of PEACHPIT

The botnet is part of a larger China-based operation called BADBOX, which also includes the sale, on popular online retailers and resale sites, of off-brand connected mobile devices and TVs that have been infected with a strain of Android malware called Triada.

HUMAN has declared: “The conglomerate of various apps associated with the PEACHPIT botnet were found in 227 countries and territories, with an estimated peak of 121,000 devices per day on Android and 159,000 devices per day on iOS”.

It appears that the infections were carried out through a collection of 39 apps installed more than 15 million times, and that devices carrying the BADBOX malware allowed the operators to steal sensitive data, create residential proxy exit peers, and commit ad fraud through fake apps.

It is currently unclear how the Android devices end up with a firmware backdoor, but the evidence indicates that it is the result of a hardware supply chain attack involving a Chinese manufacturer.

“An attacker can also use the infected devices to create WhatsApp messaging accounts by stealing one-time passwords from devices”, the company said.

“Additionally, bad actors can use the devices to create Gmail accounts, evading typical bot detection because the account appears to have been created from a regular tablet or smartphone from a real person”.

Details about the criminal enterprise were first documented by Trend Micro in May 2023, which attributed them to a hacking group called Lemon Group.

HUMAN said it had identified at least 200 distinct types of Android devices, including mobile phones, tablets and CTV products, that showed signs of BADBOX infection, suggesting a widespread operation.

A notable aspect of the ad fraud performed by PEACHPIT is the use of counterfeit apps (fake applications that imitate the real thing) on Android and iOS, available on major app marketplaces such as the Apple App Store and Google Play Store, as well as automatically downloaded onto infected BADBOX devices.

The Android apps contain a module responsible for creating hidden WebViews, which are then used to request, render and click on ads. PEACHPIT in fact spoofs its ad requests so that they appear to come from legitimate apps, a technique previously observed in the case of VASTFLUX.

The fraud prevention company said it worked with Apple and Google to stop the operation, adding: “the rest of BADBOX should be considered inactive: C2 servers powering the BADBOX firmware backdoor infection have been taken down by attackers”.

Furthermore, an update released earlier this year was found to have removed the modules that power PEACHPIT from BADBOX-infected devices, in response to mitigation measures implemented in November 2022.

That said, the attackers are suspected of adapting their tactics in an attempt to bypass defenses. Pre-installed malware on Android devices has been a recurring phenomenon since at least 2016, spreading mainly through cheap smartphones and tablets, according to numerous reports from the cybersecurity vendors Doctor Web and Check Point.

“What makes matters worse is the level of concealment that the operators have resorted to to go unnoticed, a sign of their growing sophistication”, said HUMAN. “Anyone can accidentally purchase a BADBOX device online without ever knowing it was fake, plug it in, and unknowingly open this malware with a backdoor”.

How to know if PEACHPIT is on my phone

This time we are not talking about malware that you download, but rather malware pre-installed on cheap devices. The best thing to do in this case is to buy well-known, non-budget brands; if you already own one of these devices, the solution could be a firmware that does not carry this problem.

In any case, a scan with Malwarebytes might not be a bad idea.