An ad fraud network called PEACHPIT used hundreds of thousands of Android and iOS devices to generate illegal profits for the criminals behind the scheme. The botnet is part of a larger China-based operation named BADBOX, which also involves the sale of generic mobile and connected TV (CTV) devices on popular e-commerce and resale websites. These devices ship infected with the Android malware Triada.
HUMAN, a fraud prevention company, revealed that the apps associated with the PEACHPIT botnet were present in 227 countries and territories, with an estimated peak of 121,000 devices per day on Android and 159,000 devices per day on iOS. These infections were caused by a collection of 39 apps installed over 15 million times. The infected devices allowed operators to steal sensitive data, create residential proxies, and commit ad fraud through these fraudulent apps.
The exact method by which Android devices are compromised with a firmware‑level backdoor remains unclear, but evidence points to a hardware supply‑chain attack. Criminals can also use these compromised devices to create WhatsApp accounts by stealing the devices’ one‑time passwords. Additionally, they can use these devices to create Gmail accounts, thereby evading bot detection, since these accounts appear to have been created from ordinary tablets or smartphones by real people.
HUMAN identified at least 200 different types of Android devices, including mobile phones, tablets, and CTV products, that showed signs of BADBOX infection, which highlights the scale of the operation. A key feature of the ad fraud is the use of counterfeit apps on Android and iOS, distributed through major app stores such as the Apple App Store and Google Play Store, and also pushed to BADBOX-infected devices via automatic downloads.
These Android apps contain a module capable of creating hidden WebViews used to request, display, and click on ads. These ad requests are masked as coming from legitimate apps, a technique previously observed in the VASTFLUX case.
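The two signals described above, ads rendered where no user can see them and ad requests that claim to come from an app they did not originate in, are both visible from the ad-serving side. The following script is an added illustration (not HUMAN's tooling or anything from the BADBOX investigation) of how a defender might triage ad-server logs for them. The log format, field names, device ids and thresholds are all constructed assumptions for the example.

```python
"""
Heuristic triage of ad-server event logs for hidden-WebView ad fraud.
Added illustration; field names, thresholds and the sample log below are
assumptions for this example, not real telemetry from any vendor.
"""
import json
from collections import defaultdict

MIN_VIEWABLE_PCT = 50        # below this, treat the ad as not visible to a human
MIN_IMPRESSIONS_FOR_CTR = 3  # need a few impressions before judging click rate
MAX_HUMAN_CTR = 0.5          # click-through rate above this is implausible for people

# Constructed sample log: one JSON object per line, roughly what an ad server
# might record per ad request/impression/click. dev-A clicks ads inside a hidden
# (0% viewable) WebView; dev-B declares an iOS news app but its client is clearly
# Android; dev-C is ordinary user traffic.
SAMPLE_LOG = """\
{"event":"impression","device_id":"dev-A","app":"com.example.weather","platform":"android","ua":"Mozilla/5.0 (Linux; Android 9; TV BOX)","viewable_pct":0}
{"event":"click","device_id":"dev-A","app":"com.example.weather","platform":"android","ua":"Mozilla/5.0 (Linux; Android 9; TV BOX)","viewable_pct":0}
{"event":"impression","device_id":"dev-A","app":"com.example.weather","platform":"android","ua":"Mozilla/5.0 (Linux; Android 9; TV BOX)","viewable_pct":0}
{"event":"click","device_id":"dev-A","app":"com.example.weather","platform":"android","ua":"Mozilla/5.0 (Linux; Android 9; TV BOX)","viewable_pct":0}
{"event":"impression","device_id":"dev-A","app":"com.example.weather","platform":"android","ua":"Mozilla/5.0 (Linux; Android 9; TV BOX)","viewable_pct":0}
{"event":"click","device_id":"dev-A","app":"com.example.weather","platform":"android","ua":"Mozilla/5.0 (Linux; Android 9; TV BOX)","viewable_pct":0}
{"event":"impression","device_id":"dev-A","app":"com.example.weather","platform":"android","ua":"Mozilla/5.0 (Linux; Android 9; TV BOX)","viewable_pct":0}
{"event":"impression","device_id":"dev-B","app":"com.example.news","platform":"ios","ua":"Mozilla/5.0 (Linux; Android 10; TV BOX)","viewable_pct":100}
{"event":"impression","device_id":"dev-B","app":"com.example.news","platform":"ios","ua":"Mozilla/5.0 (Linux; Android 10; TV BOX)","viewable_pct":100}
{"event":"impression","device_id":"dev-C","app":"com.example.game","platform":"ios","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_0)","viewable_pct":100}
{"event":"impression","device_id":"dev-C","app":"com.example.game","platform":"ios","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_0)","viewable_pct":100}
{"event":"impression","device_id":"dev-C","app":"com.example.game","platform":"ios","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_0)","viewable_pct":90}
{"event":"click","device_id":"dev-C","app":"com.example.game","platform":"ios","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_0)","viewable_pct":90}
{"event":"impression","device_id":"dev-C","app":"com.example.game","platform":"ios","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_0)","viewable_pct":100}
"""


def parse_log(text):
    """Parse newline-delimited JSON into event dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def platform_from_ua(ua):
    """Crude platform fingerprint from the HTTP User-Agent actually seen on the wire."""
    ua = ua.lower()
    if "android" in ua:
        return "android"
    if "iphone" in ua or "ipad" in ua:
        return "ios"
    return "unknown"


def flag_devices(records):
    """Return {device_id: sorted reasons} for every device that trips a rule."""
    reasons = defaultdict(set)
    impressions = defaultdict(int)
    clicks = defaultdict(int)
    for r in records:
        dev = r["device_id"]
        if r["event"] == "impression":
            impressions[dev] += 1
        elif r["event"] == "click":
            clicks[dev] += 1
            # A click on an ad that was never visible: the hidden-WebView pattern.
            if r.get("viewable_pct", 100) < MIN_VIEWABLE_PCT:
                reasons[dev].add("click_on_hidden_ad")
        # The declared app/platform contradicts what the client really is,
        # which is what masking requests as another app looks like from outside.
        observed = platform_from_ua(r.get("ua", ""))
        if observed != "unknown" and observed != r.get("platform"):
            reasons[dev].add("platform_mismatch")
    for dev, n in impressions.items():
        if n >= MIN_IMPRESSIONS_FOR_CTR and clicks[dev] / n > MAX_HUMAN_CTR:
            reasons[dev].add("excessive_ctr")
    return {dev: sorted(rs) for dev, rs in reasons.items()}


def flag_sample():
    """Run the rules over the constructed sample log."""
    return flag_devices(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for dev, rs in flag_sample().items():
        print(dev, ", ".join(rs))
```

Each rule on its own is weak (some legitimate ad formats preload off-screen, and User-Agent strings can be wrong for innocent reasons), so in practice these flags feed a scoring or enrichment pipeline alongside device and publisher reputation rather than blocking traffic outright.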
HUMAN collaborated with Apple and Google to disrupt the operation, successfully taking offline the command-and-control servers for the BADBOX firmware backdoor. Despite this, the attackers are likely adjusting their tactics to try to evade defenses. What makes the situation even more worrying is the level of obfuscation the operators used to remain unnoticed, which demonstrates their increased sophistication. As a result, it is possible to buy a counterfeit BADBOX device online without knowing it, plug it in, and inadvertently open this malicious backdoor.