9 October 2023

Chinese cyber crooks backdoor low-cost Android devices for ad fraud


A vast ad fraud botnet has been uncovered that involved thousands of cheap Android-based mobile phones, tablets, and TV boxes infected with the Triada backdoor.

The goal of the operation dubbed “Peachpit” was to install malicious apps on the infected devices that would display unwanted ads, according to Human Security’s Satori Threat Intelligence and Research Team.

“The Peachpit botnet’s conglomerate of associated apps were found in 227 countries and territories, with an estimated peak of 121,000 devices a day on Android and 159,000 devices a day on iOS,” the team noted in a technical report.

The researchers said the botnet was operated by a China-linked cybercrime syndicate known as “Badbox.” The team has observed at least 74,000 mobile phones, tablets, and TV boxes running Android infected with the backdoor. The malware is installed during the supply chain process, and the infected devices are then sold through popular online retailers and resale sites.

The backdoor allows the attackers to inject additional modules into device memory, enabling them to run multiple varieties of ad fraud, establish residential proxy exit nodes, create fake Gmail and WhatsApp accounts, and execute code remotely.

No iOS devices were infected by the Badbox backdoor itself; they were only targeted by the Peachpit ad fraud campaign through malicious apps.

Unfortunately, impacted devices can’t be recovered: the malware sits on a read-only (ROM) partition of the device firmware, so the average user won’t be able to remove Badbox from their device.

As Badbox affects cheap “off-brand” devices, the researchers advise that users stick to familiar brands when choosing new devices.
