PEACHPIT Botnet Harnesses Infected Mobile Devices
A botnet known as PEACHPIT, which enlisted an extensive network of Android and iOS devices, was used by threat actors to generate illegal profits. This botnet is linked to a larger China-based operation called BADBOX, which involves the sale of off-brand mobile and connected TV devices on popular online retailers and resale platforms, all of which are compromised with the Android malware known as Triada.
PEACHPIT's associated apps were discovered in 227 countries and territories, with a peak estimate of 121,000 daily infected Android devices and 159,000 daily infected iOS devices, according to HUMAN Security.
The infection was delivered through a set of 39 apps that were downloaded over 15 million times. Devices carrying the BADBOX malware allowed the operators to steal sensitive data, establish residential proxy exit points, and commit ad fraud through fraudulent apps.
PEACHPIT Might Spread Through Supply Chain Attack
The method by which Android devices are compromised with a firmware backdoor is currently unclear, but there are indications of a hardware supply chain attack involving a Chinese manufacturer.
Threat actors could also use these compromised devices to create WhatsApp and Gmail accounts, which are difficult to flag as fraudulent because they appear to have been created by genuine users.
Security researchers first documented this criminal operation in May 2023, attributing it to a group called Lemon Group.
HUMAN identified over 200 different types of Android devices, including mobile phones, tablets, and CTV products, that showed signs of BADBOX infection, indicating a widespread operation.
One significant aspect of the ad fraud scheme is the use of counterfeit apps on major app stores such as the Apple App Store and Google's Play Store, as well as automatic downloads to compromised BADBOX devices. These apps contain a module that creates hidden WebViews to request, display, and interact with ads, making it appear as if the ad requests originate from legitimate apps.
To combat this operation, the fraud prevention company collaborated with Apple and Google, and the threat actors have taken down the C2 servers responsible for the BADBOX firmware backdoor infection. As a result, the rest of BADBOX is now considered dormant.