After hitting millions of iOS devices, massive ad fraud op was dismantled

Security researchers from cybersecurity firm HUMAN have disrupted a massive ad fraud operation called ‘Vastflux,’ which spoofed over 1,700 apps from 120 publishers, mainly for iOS.

The operation's name derives from the VAST advertisement template and the “fast flux” technique used to hide malicious code. Fast flux rapidly changes a large number of DNS records and IP addresses associated with a single domain.

According to HUMAN, Vastflux generated more than 12 billion bids per day during its peak, and impacted nearly 11 million iOS devices.

Vastflux details

HUMAN’s research team (Satori) discovered Vastflux while investigating a different ad-fraud scheme. The team noticed an app that generated an unusually high number of requests using various app IDs.

The Satori team reverse engineered the obfuscated JavaScript used in the app to discover the IP address of the Command and Control (C2) server it was communicating with, and the ad-generating commands it sent.

The team uncovered a massive malvertising scheme in which bad actors injected JavaScript into ads they issued, then stacked a bunch of video players on top of one another, earning money for each ad even though none were visible to the person using the device.

Vastflux placed bids to display in-app banner ads. It placed a static banner image in the ad and then injected JavaScript into it.

The injected scripts reached out to the C2 server to obtain an encrypted configuration payload. This included instructions about the position, size and type of ads to be displayed, as well as data to spoof real publisher and app IDs.

Vastflux stacked up to 25 video advertisements on top of each other, all of which generated ad view revenue. However, none of these ads were visible to users, as they were rendered behind the active window.

[Figure: Rendering multiple invisible video ads]

To evade detection, Vastflux avoided using ad verification tags, which allow marketers to generate performance metrics. As a result, the scheme was invisible to third-party ad performance trackers.
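
The two signals described above (one device declaring many app IDs, and many video ads starting inside a single banner impression) can be checked for in ad-event logs. The following is an added example, not HUMAN's detection code; the event fields, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry). Field names are assumptions:
# device = device identifier, app = declared app ID, imp = banner impression ID,
# kind = "banner" for the won slot or "video" for a video ad started inside it.
EVENTS = [
    {"device": "dev-A", "app": "com.example.news", "imp": "i1", "kind": "banner"},
    {"device": "dev-A", "app": "com.example.news", "imp": "i1", "kind": "video"},
    {"device": "dev-B", "app": "com.example.game1", "imp": "i2", "kind": "banner"},
    # 25 video starts inside one banner impression, cycling through six app IDs
    *[{"device": "dev-B", "app": f"com.example.game{n % 6}", "imp": "i2", "kind": "video"}
      for n in range(25)],
]


def find_suspects(events, max_videos_per_imp=1, max_apps_per_device=3):
    """Return {device: [reasons]} for devices showing ad stacking or app-ID churn.

    Both thresholds are illustrative defaults, not values from the report.
    """
    videos = defaultdict(int)  # (device, imp) -> video starts inside one banner slot
    apps = defaultdict(set)    # device -> distinct declared app IDs
    for e in events:
        apps[e["device"]].add(e["app"])
        if e["kind"] == "video":
            videos[(e["device"], e["imp"])] += 1

    suspects = defaultdict(list)
    # Signal 1: several video ads attributed to a single banner impression.
    for (device, imp), count in sorted(videos.items()):
        if count > max_videos_per_imp:
            suspects[device].append(f"{count} video ads in banner impression {imp}")
    # Signal 2: one device reporting many different app IDs.
    for device, ids in sorted(apps.items()):
        if len(ids) > max_apps_per_device:
            suspects[device].append(f"{len(ids)} distinct app IDs declared")
    return dict(suspects)


if __name__ == "__main__":
    for device, reasons in find_suspects(EVENTS).items():
        print(device, "->", "; ".join(reasons))
```
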

Vastflux takedown

After mapping the Vastflux infrastructure, HUMAN initiated three waves of targeted actions between June 2022 and July 2022. These involved customers, partners and the spoofed brands. Each wave dealt a serious blow to the fraudulent activity.

Vastflux eventually took its C2 servers offline for a time and scaled down its operation. On December 6th, 2022, ad bids dropped to zero.

[Figure: Timeline of Vastflux’s takedown]

Ad fraud is not malicious toward the device's user, but it can cause performance drops, increase internet data usage and even overheat the device.

These are signs that an adware infection or ad fraud is present on the device. Users who notice them should be suspicious and try to identify the apps responsible for the majority of resource usage.

Video ads use more power than static ads, and hidden video players are difficult to conceal from performance monitors. It’s important to keep an eye on all running processes to spot signs of trouble.