A notable example of an advertising fraud campaign recently uncovered by cybersecurity researchers at Human Security is the PEACHPIT botnet. The scheme relied on numerous apps, which were downloaded millions of times worldwide and generated enormous sums of money for their developers through fraudulent advertising.
PEACHPIT & BADBOX
The best way to understand PEACHPIT is to step back and consider BADBOX, a sizable malicious operation run out of China.
During the BADBOX campaign, malicious firmware was injected into Android-powered TV streaming devices at various stages of production, so people ended up buying TV set-top boxes with the malware already installed. Although the malware was capable of a variety of activities, it always began by contacting its command-and-control (C2) server and requesting further instructions.
Some of those instructions caused the devices to download phoney apps that purported to be something they were not. These apps loaded advertisements hidden behind the visible screen, where no user would ever see them. The owners of the apps then made money by selling these fictitious impressions through programmatic advertising. At its peak, the botnet accounted for more than four billion phoney bid requests every day.
This created a “complete loop of ad fraud”: the operators profited from phoney ad impressions served inside their own phoney, faked apps. According to Human’s research, the level of obfuscation the operators used to avoid detection indicates a growing sophistication, which only makes the situation worse.
The malicious programs were also available as standalone downloads: 39 such apps in all, across the iOS and Android ecosystems. According to the researchers, the PEACHPIT botnet peaked at 121,000 Android devices and 159,000 iOS devices every day. The apps were downloaded more than 15 million times across 227 different countries.
“The 39 apps that comprise the PEACHPIT botnet enabled threat actors to steal data and commit ad fraud on target devices. Users installed the malicious apps over 15 million times in total. Despite previous updates that removed the modules powering PEACHPIT and BADBOX-infected devices, Human Security claims they recently discovered over 200 compromised Android devices, suggesting the threat actor is attempting to bypass defensive efforts,” the OODA Loop report stated.