HUMAN’s Satori Threat Intelligence and Research team announced today the disruption of the PEACHPIT ad fraud botnet and their research into the larger BADBOX fraud empire. The BADBOX operation, based out of China, sold off-brand mobile and Connected TV (CTV) devices on popular online retailers and resale sites. These Android devices came preloaded with a known malware called Triada. Once the device was turned on or plugged in, those devices called home and got several “modules” of fraud installed on them remotely. One of which was an ad fraud module we dubbed PEACHPIT. This cybercriminal enterprise didn’t discriminate - they went after consumers around the world both in the private and public sectors.
The PEACHPIT botnet’s army had an estimated peak of 121,000 devices a day on Android and 159,000 devices a day on iOS. Of the devices HUMAN acquired from online retailers, 80% were infected with BADBOX. Thanks to HUMAN’s MediaGuard, we were able to disrupt the PEACHPIT ad fraud botnet from attacking the programmatic advertising ecosystem, cutting into the profits of the larger BADBOX empire as a whole.
So what does this all mean to those impacted and what can we learn from this? Let’s dive into it.
If you’re looking for a deep dive into the expertise of the Satori team - how they found it, the technical details of the malware, and more - check out our technical report.
Organized Cybercrime & Ad Fraud
You come to me on the day of PEACHPIT’s disruption.
It’s not exactly like The Godfather. But there is something to be learned here about organized cybercrime - how they’re able to use multiple fraud models to turn a profit and iterate on their tactics using their abundant resources.
Triada—the malware used to implant the backdoor in BADBOX—was heavily reported on upon its discovery in 2016 because of its sophistication and ability to adapt. It was able to hide using advanced techniques, and it used a command-and-control server process which could deliver unique modules (i.e., kinds of fraud) to "VIP targets." Once installed, it could read, write, and edit everything on the phone, with an initial focus on SMS messages, since that is where one-time passwords, login credentials, and other sensitive details are shared.
In 2019, BADBOX's operators tried their hand at ad fraud, but it didn't scale up. They would install spam apps that showed ads on devices, draining battery for the device owners and making money from the ad revenue in the background. Even though that scheme didn't prove as fruitful, it became obvious that these malware-infected devices are ready to go with whatever module the BADBOX operators decide to implement next - like hundreds of thousands of henchmen around the globe waiting for their marching orders.
Enter: Satori. In 2022, the Satori team identified a new source of fake advertising impressions (with fraud across 4 billion ad requests per day). This was a new ad fraud module of BADBOX, hiding ads behind the screen where nobody could see them. Since the 2019 version, they took it one step further and released 39 Android, iOS, and CTV apps doing much the same, but on devices that weren’t part of BADBOX. That’s what we call PEACHPIT. Below you can see when the PEACHPIT botnet peaked at more than 4 billion fraudulent bid requests a day. HUMAN worked with Google and Apple to disrupt the PEACHPIT operation. HUMAN has also shared information about the facilities at which some BADBOX-infected devices were created with law enforcement, including information about the organizations and individual threat actors believed to be responsible for the PEACHPIT operation.
Figure 1: PEACHPIT bid request volume over time
Figure 2: Number of devices PEACHPIT infected over time
PEACHPIT would spoof popular apps and route their own fraudulent traffic (from the malware-infected devices) through the apps. They would then sell those fake impressions through programmatic advertising. This complete loop of ad fraud means they were making money from the fake ad impressions on their own fraudulent, spoofed apps. And what makes matters worse is the level of obfuscation the operators went through to go undetected, a sign of their increased sophistication.
Anyone can accidentally buy a BADBOX device online without ever knowing it was fake, plug it in, and unknowingly open this backdoor malware. This malware can be used to steal PII, run hidden bots, create residential proxy exit peers, steal cookies and one-time passwords, and carry out other fraud schemes. While you're firing up your device for the first time, the BADBOX operators are awakening one of their many soldiers - PEACHPIT.
What we’re dealing with here is a wide-spread cybercrime organization using ad fraud as a funding mechanism for their operation.
Modern Defense & the Future of Fraud
Of all of the forms of cybercrime, fraud targeting the $600 billion ad industry carries the lowest effort and risk for the fraudster, but the highest payout potential. That economic game is the reason we initially built our core business around protecting the programmatic advertising ecosystem: if we can cut into their profit-making machine, we can disrupt and even take down entire operations.
The way we do that today - across all industries - is with modern defense strategy. And that’s what we used to disrupt PEACHPIT. It rests on three pillars: visibility, network effect, and disruptions and takedowns.
- Our visibility is key to sniffing out fraud operations. We verify the humanity of more than 20 trillion digital interactions every week - a whopping 80% of the programmatic advertising ecosystem. It is this level of visibility that allowed the Satori team to see what PEACHPIT was doing.
- Network effect describes the collective protection efforts we deploy across our customers. We can make sure our entire network is protected by building defenses into the Human Defense Platform. Picture it like a wall being built around all of our customers at once - except the wall is pretty big when we’re talking about nearly an entire ecosystem.
- Every day our team is disrupting operations of all sizes to protect our customers. That's why disruptions and takedowns are the third pillar. HUMAN worked with Google and Apple to disrupt the PEACHPIT ad fraud operation and remove the affected apps from their respective stores. By disrupting PEACHPIT, we've made it a lot harder for BADBOX as a whole to be profitable.
Ad fraud has become increasingly sophisticated; there's no doubt about that. But it goes beyond ad fraud. We've stopped PEACHPIT, but BADBOX - a much bigger operation on its own - still has Triada malware on thousands of devices worldwide. Organized cybercrime has many avenues for revenue. That malware can steal your passwords, gain access to accounts, and wreak havoc that will only be realized when it's too late. This isn't just an advertising issue; it's a cybersecurity issue.
Our customers are protected from PEACHPIT due to our disruption of the botnet, but here are a few additional actionable first steps to safeguard your business from these types of attacks now and in the future.
- Sharing Supply Chain Object (SCO): Encourage clients to share detailed information about their supply chain, including third-party vendors and partners. This will help identify any potential weak links in the supply chain and enable proactive measures to secure the entire ecosystem.
- Updating ads.txt Files: Ads.txt is a standard that helps prevent unauthorized inventory sales in the programmatic advertising ecosystem. Recommend clients regularly review and update their ads.txt files to ensure they only authorize approved sellers, reducing the risk of ad fraud.
- Regular Software and Firmware Updates: Emphasize the importance of regularly updating software, firmware, and applications to patch known vulnerabilities and stay protected against the latest threats.
- Continuous Threat Intelligence: Recommend the use of threat intelligence services to stay informed about the evolving threat landscape and adapt defense strategies accordingly.
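The ads.txt recommendation above is the most mechanical of the four, so here is an added example of what "regularly review" can look like in practice. This is illustrative code written for this post, not HUMAN's tooling: it parses a small ads.txt file (the file contents, domains, and account IDs are constructed placeholders), reports malformed or invalid lines, and checks a list of sellers observed in bid requests against the authorized entries, flagging any that are not listed.

```python
"""Parse an ads.txt file and check observed sellers against it.

Added example for illustration only (not HUMAN's code). The ads.txt
below, the exchange domains and the account IDs are all constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample ads.txt for a hypothetical publisher "example-news.test".
SAMPLE_ADS_TXT = """\
# ads.txt for example-news.test (constructed sample)
contact=adops@example-news.test
exchange-a.test, pub-1001, DIRECT, abc123def4567890
exchange-b.test, 55432, RESELLER
exchange-a.test, pub-1001, direct   # relationship keyword is case-insensitive
malformed line without commas
exchange-c.test, 99, PARTNER        # not a valid relationship value
"""

VALID_RELATIONSHIPS = {"DIRECT", "RESELLER"}


@dataclass(frozen=True)
class Record:
    """One data record: seller domain, account id, relationship, optional cert id."""
    domain: str
    account_id: str
    relationship: str
    cert_authority_id: Optional[str] = None


def parse_ads_txt(text):
    """Return (records, variables, errors).

    records   -> list of Record in file order
    variables -> dict of variable name -> list of values (e.g. contact=)
    errors    -> list of (line number, message) for lines that were skipped
    """
    records, variables, errors = [], {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if "=" in line and "," not in line:      # variable line, e.g. contact=...
            key, _, value = line.partition("=")
            variables.setdefault(key.strip().lower(), []).append(value.strip())
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            errors.append((lineno, "expected at least 3 comma-separated fields"))
            continue
        domain, account_id, relationship = fields[0].lower(), fields[1], fields[2].upper()
        if relationship not in VALID_RELATIONSHIPS:
            errors.append((lineno, f"invalid relationship {fields[2]!r}"))
            continue
        cert = fields[3] if len(fields) > 3 and fields[3] else None
        records.append(Record(domain, account_id, relationship, cert))
    return records, variables, errors


def authorization(records, seller_domain, account_id):
    """Return 'DIRECT', 'RESELLER', or None for a (domain, account id) pair."""
    matches = {r.relationship for r in records
               if r.domain == seller_domain.lower() and r.account_id == account_id}
    if "DIRECT" in matches:
        return "DIRECT"
    if "RESELLER" in matches:
        return "RESELLER"
    return None


def unauthorized_sellers(records, observed):
    """Given (domain, account id) pairs seen claiming this publisher's
    inventory, return the ones that ads.txt does not authorize."""
    return [pair for pair in observed if authorization(records, *pair) is None]


if __name__ == "__main__":
    recs, vars_, errs = parse_ads_txt(SAMPLE_ADS_TXT)
    for lineno, msg in errs:
        print(f"line {lineno}: {msg}")
    # Constructed list of sellers observed in bid requests for this publisher.
    seen = [("exchange-a.test", "pub-1001"), ("exchange-x.test", "7")]
    print("unauthorized:", unauthorized_sellers(recs, seen))
```

Run against a real ads.txt, the list produced by unauthorized_sellers is the starting point for a review: each entry is either a seller that should be added to the file or traffic being sold under a seller ID the publisher never authorized.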
For consumers looking to do something, our biggest piece of advice is to not purchase unknown devices or hardware and place them on your network. Purchase legitimate hardware from verifiable sources to ensure that the device you are buying is real and free from fraud.
The Human Collective and our customers have been incredible partners as we disrupted this operation. We’ve also shared this information with law enforcement. The Satori team continues to monitor the BADBOX empire and protect our customers across industries from their attacks.
If you’re part of the programmatic advertising ecosystem and believe you’ve been impacted by fraud, please reach out to the HUMAN team today.