20% of ad clicks on average are frauds

On October 4, the blog www.humansecurity.com, the official blog of HUMAN - company dealing with online security, published an entry regarding Ad Fraud PEACHPIT, which was part of the BADBOX pattern of cybercriminal activities. According to HUMAN’s Satori Threat Analysis and Research Team, more than 74,000 Android-based mobile phones, tablets and CTV devices are affected worldwide. But that’s not all - Ad Fraud itself went beyond BADBOX’s, although it was initially an integral part of it, and at its peak, over 121,000 Android-based devices and 159,000 iOS devices were used per day to carry out the fraud, allowing it to display, in a way invisible to users, up to 4 billion ads in one day!

How does BADBOX work?

Before we take a closer look at how the Ad Fraud, called by specialists from HUMAN company- PEACHPIT was carried out, we need to understand how the BADBOX scheme itself worked. The cornerstone of the BADBOX empire was a China-based company that sold Android smartphones, tablets, and Connected TV (CTV) devices from lesser-known brands on popular online stores and resale sites for less than $50. Somewhere between the production line and reaching the end user, malware called Triada was secretly installed on these brand-new devices, which was silently waiting for the device to be turned on for the first time. The Triada malware scheme was discovered in 2016, and a few years later, cybercriminals behind BADBOX used it to install backdoors on devices and be able to remotely control the equipment. It works like that: when the device is turned on, Triad contacts the command-and-control server and adds the equipment to the Botnet managed by cybercriminals, creating something like a gateway enabling data transmission. From now on, the device is under the control of the creators of BADBOX and can be used for many frauds, including:

• advertising fraud (PEACHPIT),
• creating fake Gmail and WhatsApp accounts,
• theft of sensitive data,
• creating home proxy output servers,
• sale of access to home networks and IP addresses,
• remote installation of malicious code.

Interestingly, it is completely flexible (and that is why it is so dangerous) - if fraudsters come up with a new idea, all they need to do is provide the appropriate instructions to Triada, and it will infect the device.

The first case of purchasing a set-top box equipped with BADBOX was reported in January 2023 - the device (called the AllWinner T616 processor) used a ROM with Android 10. The case was investigated for many months - details about this criminal enterprise were first described by Trend Micro in May, and the HUMAN report was published in early October. According to researchers from HUMAN’s Satori Threat Analysis and Research Team, there are over 200 models of devices with pre-installed BADBOX malware. For research purposes, HUMAN also purchased several specific devices. As many as 80 percent of them were infected!

Ad Fraud bigger than BADBOX itself!

The instructions loaded on devices as part of the BADBOX campaign also included those regarding advertising fraud called PEACHPIT. They resulted in downloading fake applications that impersonated others and displayed advertisements in a way that was invisible to the user. Such applications, and there were apparently over 39 of them (for both the iOS and Android ecosystems), were also made available in both the Apple AppStore and the Google Play Store, thanks to which their fraudulent activities went beyond the scope of the BADBOX. In total, they were installed over 15 million times in 227 territories around the world, and the victims included both private individuals and public organizations. More than four billion ads were displayed daily on devices incorporated into the PEACHPIT botnet, generating huge profits for cybercriminals through programmatic advertising.

Ad Fraud was particularly difficult to detect because the traffic was supported by real accounts that looked as if they were created by humans, and both the devices and IP addresses from which the supposedly correct views came were also real. Additionally, the malware resides in the firmware partition and is extremely difficult to remove without the proper knowledge.

In a statement issued to Tom’s Guide by a Google spokesperson, it can be read that:

„The off-brand devices discovered to be BADBOX-infected were not Play Protect certified Android devices. If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results.Play Protect certified Android devices undergo extensive testing to ensure quality and user safety.”

The end of PEACHPIT doesn’t mean the end of BADBOX!

Human Security used its own MediaGuard solution and established cooperation with Apple and Google as part of activities aimed at stopping this advertising fraud. Finally, the applications enabling PEACHPIT were removed from popular application stores, but this doesn’t mean the end of BADBOX inself. Due to lack of adequate financing, the operators behind this fraud turned off their command-and-control servers, but probably only temporarily, to develop a model to bypass security measures and adapt to the new situation. It should be remembered that there are still plenty of devices infected with BADBOX and as soon as fraudsters come up with a new idea, they will be ready for use, and devices with a built-in BADBOX scheme are still widely available on the market and anyone can order them.