A botnet called PEACHPIT [1] [2] [5], associated with the Satori team [7], has been discovered to be using hundreds of thousands of Android and iOS devices to generate illegal profits [1] [5]. This botnet is part of a larger operation called BADBOX [1] [2] [3] [5], based in China [2] [9], which involves selling compromised mobile and connected TV devices on popular online platforms [1].


The PEACHPIT botnet’s associated apps were found in 227 countries and territories [2], with over 15 million installations leading to infections [2]. The infections were caused by 39 apps that were installed over 15 million times [5]. The malware on these devices enabled the operators to steal sensitive data [2], create proxy exit peers [3] [5], and commit ad fraud [2] [5]. PEACHPIT is a component introduced by C2 servers that creates hidden WebViews on infected devices [6]. These WebViews are used to request [6], render [2] [6] [8], and interact with ads [6], making them appear as if they come from different apps [6], devices [1] [2] [3] [4] [5] [6] [7] [8] [9], or websites [6]. It compromised 121,000 Android and 159,000 iOS devices [3] [4] [5] [6], generating 4 billion ad requests daily [4] [6]. The Android devices are suspected to have been compromised through a hardware supply chain attack [5]. The operators can also use the backdoored devices to create WhatsApp and Gmail accounts [5].

The criminal enterprise behind this botnet [2] [5], known as Lemon Group [2] [3] [5], was first documented by Trend Micro in May 2023 [5]. The ad fraud involves the use of counterfeit apps on popular app marketplaces [2] [3] [5], and the operation has been disrupted by working with Apple and Google [5]. An update has been pushed out to remove the modules powering PEACHPIT on infected devices [5], but there are concerns that the attackers are evolving their tactics to bypass defenses [2].

The Badbox campaign [7], which uses Triada malware [7], was first discovered in 2016 and primarily targets Android devices during the supply chain process in China [7]. Badbox-infected devices can steal personal information [7], create fake accounts [7] [9], and engage in other fraudulent activities [7]. Restoring the device to factory defaults does not remove the malware [7]. The backdoor malware has been found on public school networks in the US [7]. However, only Android devices were impacted by the Badbox backdoor [7]. Off-brand Android devices were found to be infected [7], while iOS devices were targeted solely through malicious apps [7].

Peachpit is an app-based fraud element that has been found on TV boxes [4], Android phones [2] [4] [8], and iPhones [4] [9]. The company identified 39 apps involved in this fraud [4], which included template-based applications related to fitness and health [4]. These apps engaged in fraudulent behavior such as hidden advertisements [4], spoofed web traffic [4], and malvertising [4]. Although the individuals behind Peachpit and Badbox appear to be different [4], there is evidence suggesting they may be working together [4].

The ads involved in Peachpit were making 4 billion ad requests per day [4], impacting 121,000 Android devices and 159,000 iOS devices [3] [4] [5]. The researchers estimate that there were 15 million downloads of the Android apps [4]. It is believed that those behind the scheme could have earned $2 million in one month alone [4].

Researchers from Human Security’s Satori Threat Intelligence and Research Team have discovered signs of an organized network of ad fraud behind 200 different models of Android TV boxes [9]. They analyzed seven Android TV boxes and one tablet and found backdoors installed in all of them [9]. The malware, known as BADBOX [1] [2] [9], is preloaded on Android TV devices made in China and is widely circulating in the market [9]. Once the devices are plugged in [9], the malware connects to a C2 server in China and carries out various malicious activities [9], including ad fraud [9], creating fake accounts [7] [9], selling access to home networks [9], and installing remote code [9]. Chinese criminals have been backdooring Android devices for ad fraud [8], with tens of thousands of knock-off Android products reaching consumers infected with malware [8]. The ad fraud network [8], known as “Badbox,” earned millions per month in an online advertising fraud scheme [8]. The hackers behind the scheme [8], called “Peachpit,” used an optional module in Badbox devices and also commanded independent apps in the Google and Apple app stores to offer fake inventory to ad display networks [8]. App store providers removed the Peachpit apps [8], and Badbox actors deleted malicious modules from infected devices [8]. However, Badbox devices still ping their command-and-control servers [8], indicating that threat actors likely have plans for the network of cheap Android bots they’ve spread globally [8]. The Badbox malware reaches devices through various means [8], including stealing Android gadgets and reinserting them into the supply chain with malicious code [8]. Human Security found evidence of at least 200 distinct Android device types infected with the backdoor [8]. The Triada malware [7] [8], a modular Android Trojan with root access [8], was found to be the variant of the backdoor [8]. Badbox devices act as proxies [8], create fake email and messaging accounts [8], and download the Peachpit ad fraud malware [8]. Peachpit exploits the Android browser-lite WebView function to render ads without displaying them to the user and spoofs ad metrics to appear as if the ads were displayed within certain apps or referred by certain websites [8]. Peachpit actors also offered apps on Android [8], iOS [1] [2] [3] [4] [5] [6] [7] [8], and streaming device app stores with a connection to a fake supply-side platform [8], allowing them to sell ad inventory that didn’t exist.


The discovery of the PEACHPIT botnet and its association with the larger BADBOX operation highlights the ongoing threat of illegal activities conducted through compromised mobile and connected TV devices. While efforts have been made to disrupt these operations [3], there are concerns that the attackers will continue to evolve their tactics to bypass defenses. The impact of these botnets is significant, with millions of devices infected and billions of ad requests generated daily. It is crucial for individuals and organizations to remain vigilant and take necessary precautions to protect their devices and networks.


[1] https://cyber.vumetric.com/security-news/2023/10/09/peachpit-massive-ad-fraud-botnet-powered-by-millions-of-hacked-android-and-ios/
[2] https://isp.page/news/new-ad-fraud-botnet-peachpit-exploits-android-and-ios-devices-to-generate-illicit-profits/
[3] https://cybersec84.wordpress.com/2023/10/09/peachpit-massive-ad-fraud-botnet-discovered-using-millions-of-hacked-android-and-ios-devices/
[4] https://arstechnica.com/security/2023/10/thousands-of-android-devices-come-with-unkillable-backdoor-preinstalled/2/
[5] https://thehackernews.com/2023/10/peachpit-massive-ad-fraud-botnet.html
[6] https://displaydaily.com/non-brand-chinese-android-device-backdoor-attack-an-overview/
[7] https://www.msspalert.com/news/human-security-disrupts-supply-chain-android-attacks
[8] https://www.bankinfosecurity.com/chinese-criminals-backdoor-android-devices-for-ad-fraud-a-23261
[9] https://www.hackread.com/android-tv-boxes-backdoors-home-networks/