Cyberthreat.id – An ad fraud botnet dubbed PEACHPIT exploits hundreds of thousands of Android and iOS devices to generate illicit profits for the threat actors behind the scheme, according to a report by The Hacker News.
The botnet was part of a larger China-based operation codenamed BADBOX, which also involved the sale of off-brand mobile devices and connected TVs (CTVs) through popular online retailers and reseller sites; those devices carried a strain of Android malware called Triada.
“The PEACHPIT botnet-related app conglomerate was discovered in 227 countries and territories, with a peak estimate of 121,000 devices per day on Android and 159,000 devices per day on iOS,” HUMAN told The Hacker News.
The infection is said to have spread via a collection of 39 apps installed more than 15 million times. Devices carrying the BADBOX malware allow the operators to steal sensitive data, create residential outbound proxies, and commit advertising fraud through fake applications.
It is currently unclear how Android devices were compromised with firmware backdoors, but evidence points to a hardware supply chain attack from Chinese manufacturers.
“Threat actors can also use backdoored devices to create WhatsApp messaging accounts by stealing one-time passwords from those devices,” the company said.
“Additionally, threat actors can use the device to create Gmail accounts, avoiding typical bot detection because the accounts look like they were created on a regular tablet or smartphone, by a real person.”
Details about this criminal enterprise were first documented by Trend Micro in May 2023, which linked it to an adversary it tracks as the Lemon Group.
HUMAN identified at least 200 different types of Android devices, including phones, tablets, and CTV products, that have shown signs of BADBOX infection, indicating widespread operations.
A key aspect of the ad fraud is the use of fake apps on Android and iOS that are available on major app markets such as the Apple App Store and Google Play Store, as well as apps that are automatically downloaded to backdoored BADBOX devices.
The Android application contains a module responsible for creating hidden WebViews that are then used to request, render, and click on ads, disguising the ad requests as coming from a legitimate application, a technique previously observed in the case of VASTFLUX.
The fraud prevention company noted that it worked with Apple and Google to disrupt the operation, adding “The remainder of BADBOX should be considered inactive: the C2 server driving the BADBOX firmware backdoor infection has been removed by the threat actor.”
What’s more, an update rolled out earlier this year apparently removed the PEACHPIT-enabled modules from BADBOX-infected devices in response to mitigation measures implemented in November 2022.
However, the attackers are thought to have been adapting their tactics to evade these defenses.
Pre-installed malware on Android devices has been a recurring phenomenon since at least 2016, primarily spreading through low-cost smartphones and tablets, according to multiple reports from cybersecurity vendors Doctor Web and Check Point.
“What made matters worse was the level of confusion experienced by operators to the point of going undetected, a sign of their increasing sophistication,” HUMAN said.
“Anyone could accidentally purchase a BADBOX device online without knowing it is fake, plug it in, and unknowingly expose this backdoor malware.”