Millions of hacked Android and iOS phones are being used to run a massive ad fraud campaign

(Image credit: Shutterstock / BeeBright)

Cybersecurity researchers from HUMAN recently discovered a major ad fraud botnet scheme they called PEACHPIT. The scheme involved dozens of apps, downloaded millions of times all across the world, generating huge amounts of money for the developers, through fraudulent advertising.

To best understand PEACHPIT we need to take a step back and look at BADBOX - a large-scale malicious operation coming from China, which TechRadar Pro reported on earlier this week.

BADBOX is a campaign in which hackers managed to inject malicious firmware into Android-powered TV streaming boxes in the production chain. As a result, people were buying TV set-top boxes that came pre-loaded with malware. That malware was capable of doing a number of things, but it all starts with reaching out to the C2 server and getting further instructions.


Among these instructions were some that triggered the download of fake apps, pretending to be something they’re not. These apps were hiding ads behind the screen where nobody could see them. The apps’ operators would then sell these fake impressions through programmatic advertising, for profit. The botnet peaked at more than four billion fraudulent bid requests a day.

“This complete loop of ad fraud means they were making money from the fake ad impressions on their own fraudulent, spoofed apps. And what makes matters worse is the level of obfuscation the operators went through to go undetected, a sign of their increased sophistication,” HUMAN said in its report. 

The malicious apps could also be downloaded standalone. There were a total of 39 such apps, both for iOS and Android ecosystems. The PEACHPIT botnet’s army had an estimated peak of 121,000 devices a day on Android and 159,000 devices a day on iOS, the researchers said. The apps were downloaded more than 15 million times, in 227 territories around the world.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.