HUMAN Disrupts Digital Supply Chain Threat Actor Scheme Originating from China
The scheme and several related sophisticated cybercriminal operations relied on backdoored off-brand mobile and connected TV (CTV) Android devices sold through reputable e-commerce sites, and generated ad fraud requests from 227 countries and territories
HUMAN Security, Inc., the global leader in protecting enterprises with modern defense by disrupting bot attacks, digital fraud and abuse, today announced it has disrupted a key monetization mechanism of a sophisticated series of cybercriminal operations involving backdoored off-brand mobile and CTV Android devices. The devices originated from repackaging factories in China and were sold to end users through major retailers. HUMAN’s Satori Threat Intelligence and Research Team observed more than 74,000 Android-based mobile phones, tablets, and CTV boxes showing signs of infection.
Dubbed BADBOX by HUMAN Security, the scheme uses Triada malware, first uncovered in 2016, as a “backdoor” installed on physical devices such as CTV boxes, smartphones, and tablets running Android during the supply chain process in China. BADBOX-infected devices are able to steal personally identifiable information, establish residential proxy exit peers, steal one-time passwords, create fake messaging and email accounts, and carry out other fraud schemes.
BADBOX-infected devices are fundamentally unfixable by the average user: the malware used to deploy the backdoor connects to a command-and-control server the first time the device boots, and it does so again even after the device is restored to factory defaults. Products known to contain the backdoor have been found on public school networks throughout the U.S.
“The BADBOX scheme is an incredibly sophisticated operation, and it demonstrates how criminals use distributed supply chains to amplify their schemes on unsuspecting consumers who purchase devices from trusted e-commerce platforms and retailers,” said Gavin Reid, CISO of HUMAN. “This backdoor operation is deceptive and dangerous because it is nearly impossible for users to tell if their devices are compromised. Of the devices HUMAN acquired from online retailers, 80 percent were infected with BADBOX, which demonstrates how broadly they were circulating on the market.”
In November 2022, HUMAN’s Satori Threat Intelligence and Research Team uncovered an “ad fraud module” of BADBOX, which hides ads where users cannot see them and fakes clicks on those ads to defraud advertisers and the advertising technology ecosystem. In addition to the BADBOX ad fraud module, the Satori team also found a group of Android, iOS, and CTV apps committing similar fraud, independent of the backdoored BADBOX devices. These apps, dubbed PEACHPIT by the Satori team, accounted for an average of four billion ad requests a day. At its peak, PEACHPIT-associated apps appeared on 121,000 Android devices and 159,000 iOS devices in 227 countries and territories. The collection of 39 Android, iOS, and CTV-centric apps involved in the scheme was installed more than 15 million times before the apps were taken down. No iOS devices were themselves impacted by the BADBOX backdoor; they were targeted only by the PEACHPIT ad fraud attack through malicious apps. The off-brand devices discovered to be infected were not Play Protect certified Android devices.
HUMAN worked with Google and Apple to disrupt the PEACHPIT operation. HUMAN has also shared information about the facilities at which some BADBOX-infected devices were created with law enforcement, including information about the organizations and individual threat actors believed to be responsible for the PEACHPIT operation.
“The cybercriminals behind PEACHPIT utilized methods such as hidden advertisements, spoofed web traffic, and malvertising to monetize their scheme and defraud the advertising industry,” said Marion Habiby, Data Scientist at HUMAN. “Cybercriminals always follow the money, and our goal at HUMAN is to raise the cost to attackers while lowering the cost to defenders, shorten the window of opportunity for any given threat actor and disrupt the economics of cybercrime.”
HUMAN’s MediaGuard protects HUMAN clients, partners and customers by blocking the PEACHPIT botnet from attacking the programmatic advertising ecosystem, severely cutting into the profits of BADBOX as a whole. HUMAN partnered with members of the Human Collective, its extended network and others to achieve a widespread disruption of the PEACHPIT scheme.
The BADBOX disruption comes eight months after HUMAN’s Satori Threat Intelligence and Research Team announced the takedown of the VASTFLUX ad fraud operation, which involved more than 1,700 spoofed apps targeting 120 publishers, ran ads within apps on nearly 11 million devices, and reached a peak volume of 12 billion ad requests a day.