Cybersecurity researchers from HUMAN recently discovered a major ad fraud botnet scheme they called PEACHPIT. The scheme involved dozens of apps, which were downloaded millions of times around the world and generated huge amounts of money for the developers through fraudulent advertisements.
To best understand PEACHPIT, we need to take a step back and look at BADBOX – a large-scale malicious operation from China, which TechRadar Pro reported on earlier this week.
BADBOX is a campaign in which attackers inject malicious firmware into Android-powered TV streaming boxes somewhere in the production chain, so that customers bought set-top boxes that were already pre-loaded with malware. That malware can do a number of things, but every one of them starts the same way: the device reaches out to its command-and-control (C2) server and fetches further instructions.
BADBOX and PEACHPIT
Among those instructions were commands to download counterfeit apps that impersonated legitimate ones. These apps displayed advertisements hidden from view, where no user could ever see them, and the operators then sold those fake impressions for profit through programmatic advertising. At its peak, the botnet generated more than four billion fraudulent bid requests per day.
“This complete ad fraud loop means they monetized the fake ad impressions on their own fraudulent, counterfeit apps. And what makes matters worse is the level of obfuscation the operators went through to remain undetected, a sign of their increased sophistication,” HUMAN said in its report.
The malicious apps can also be downloaded standalone. There were a total of 39 such apps, across both iOS and Android ecosystems. The PEACHPIT botnet army had an estimated peak of 121,000 devices per day on Android and 159,000 devices per day on iOS, the researchers said. The apps have been downloaded more than 15 million times, in 227 territories around the world.