Unpacking BADBOX

HUMAN’s Satori Threat Intelligence and Research team announced the disruption of the PEACHPIT ad fraud botnet and their research into the larger BADBOX fraud empire. Let’s unpack what we discovered.

 

The story continues with BADBOX 2.0…

Blog

Technical Report

Press Release

What is BADBOX?

BADBOX is a complex threat actor scheme that begins with malware deployed on physical off-brand Android devices (TVs, cellphones, tablets) along the supply chain process in China.
TRIADA is the malware of choice used to get BADBOX into these off-brand devices.
Our team’s investigation of the PEACHPIT ad fraud botnet led us to discover a connection with BADBOX. HUMAN’s Satori Threat Intelligence and Research Team observed more than 74,000 Android-based mobile phones, tablets, and CTV boxes showing signs of infection.

What is PEACHPIT?

PEACHPIT is an ad fraud branch that comes from the root of the BADBOX tree.

The PEACHPIT botnet’s conglomerate of associated apps were found in 227 countries and territories, with an estimated peak of 121,000 devices a day on Android and 159,000 devices a day on iOS.

The collection of 39 Android, iOS, and CTV-centric apps impacted by the scheme were installed more than 15 million times before the apps were taken down.

Who is Impacted?

BADBOX affects consumers from both the public and private sector.

If left unchecked, the PEACHPIT ad fraud linked to BADBOX would continue to expand.

Human’s Visibility

HUMAN’s visibility allowed us to identify more than 200 potentially impacted device types.

Of the devices HUMAN acquired from online retailers, 80% were infected with BADBOX.

PEACHPIT Volume Over Time

Our process involves checking for adapted and recurring threats.

Our visibility and extensive data resources led us to uncover the PEACHPIT ad fraud botnet, and subsequently the BADBOX operation.

Once identified, we worked with industry partners to disrupt the PEACHPIT threat in realprotect our partners and their customers. This is the result of modern defense at work.

HUMAN applies modern defense to make these operations more expensive for fraudsters. Together, we can disrupt the economics of cybercrime.

Start a Conversation

Be the first to see our next takedown.

Follow us on X

Follow us on LinkedIn
BgBlack

Related Resources

HUMAN BLOG

Traffic signals: The VASTFLUX Takedown

READ NOW

HUMAN BLOG

Poseidon’s Offspring: Charybdis and Scylla

READ NOW

HUMAN BLOG

Disrupting PARETO

READ NOW