PEACHPIT Botnet

A fraudulent botnet known as PEACHPIT orchestrated the use of hundreds of thousands of Android and iOS devices to generate unlawful profits for the individuals responsible for this illicit operation. This botnet is just one component of a broader operation based in China, referred to as BADBOX, which involves the sale of off-brand mobile and connected TV (CTV) devices through popular online retailers and resale platforms. These devices are compromised with an Android malware strain known as Triada.

The network of applications associated with the PEACHPIT botnet was detected in a staggering 227 countries and territories. At its peak, it controlled approximately 121,000 Android devices per day and 159,000 iOS devices per day.

A Widespread Attack Campaign Affecting Hundreds of Different Android Device Types

The infections were facilitated by a collection of 39 applications, which were downloaded and installed over 15 million times. Devices infected with the BADBOX malware provided the operators with the capability to steal sensitive information, establish residential proxy exit points, and engage in ad fraud through these deceptive applications.

The exact method of compromising Android devices with a firmware backdoor remains unclear at present. However, there is evidence pointing to a potential hardware supply chain attack linked to a Chinese manufacturer. Using these compromised devices, threat actors are able to create WhatsApp messaging accounts by pilfering one-time passwords stored on the devices. Furthermore, cybercriminals can employ these devices to set up Gmail accounts, effectively bypassing typical bot detection mechanisms, as these accounts appear to be created from a standard tablet or smartphone by a genuine user.

What's particularly concerning is that over 200 different types of Android devices, including mobile phones, tablets, and connected TV products, have exhibited signs of BADBOX infection. This suggests a widespread and extensive operation orchestrated by the threat actors.

Threat Actors May Modify the PEACHPIT Botnet

One notable aspect of the ad fraud scheme involves the utilization of counterfeit applications designed for Android and iOS platforms. These fraudulent apps are distributed through major application marketplaces including the Google Play Store and the Apple App Store, and they are also automatically downloaded onto compromised BADBOX devices. Within these Android applications lies a module responsible for generating hidden WebViews. These hidden WebViews are subsequently employed to make requests, display ads, and simulate ad clicks, all while disguising these actions as originating from legitimate applications.

Working in collaboration with cybersecurity experts, both Apple and Google have made significant strides in disrupting this operation. An update rolled out earlier in 2023 has been identified as effectively removing the modules that power PEACHPIT on devices infected with BADBOX, in response to mitigation efforts implemented in November 2022. However, there are suspicions that the attackers are adapting their tactics in an effort to evade these defenses.