Security researchers from cybersecurity firm HUMAN have disrupted a massive ad fraud operation called ‘Vastflux,’ which spoofed over 1,700 apps from 120 publishers, mainly for iOS.
The operation is named after the VAST advertisement template and the “fast flux” technique used to hide malicious code. Fast flux rapidly changes a large number of DNS records and IP addresses associated with a single domain.
According to HUMAN, Vastflux generated more than 12 billion bids per day at its peak and impacted nearly 11 million iOS devices.
HUMAN’s research team, Satori, discovered Vastflux while investigating a different ad-fraud scheme. The team noticed an app that generated an unusually high number of requests using various app IDs.
Injected scripts contacted the C2 server to obtain an encrypted configuration payload. This included instructions about the location, size and type of ads to be displayed, as well as data to spoof real publisher and app IDs.
Vastflux placed up to 25 video advertisements on top of each other, all of which generated ad view revenue. However, none of these ads were visible to users, as they were hidden behind active windows.
To avoid detection, Vastflux did not use ad verification tags, which give marketers performance metrics. As a result, the scheme was invisible to third-party trackers of ad performance.
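The signal that led Satori to Vastflux, one app generating an unusually high number of requests under various app IDs, is something a defender can look for in bid-request logs. The sketch below is an added example, not HUMAN's tooling; the log layout, device and app identifiers, time window and threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "<timestamp> <device_id> <claimed_app_id>".
# The field layout and every value are hypothetical, not HUMAN's data.
SAMPLE_LOG = """\
2022-06-01T10:00:00 dev-A com.example.news
2022-06-01T10:02:00 dev-A com.example.game
2022-06-01T10:00:01 dev-B com.example.news
2022-06-01T10:00:02 dev-B com.example.game
2022-06-01T10:00:03 dev-B com.example.weather
2022-06-01T10:00:04 dev-B com.example.chat
2022-06-01T10:00:05 dev-B com.example.news
2022-06-01T08:00:00 dev-C com.example.news
2022-06-01T10:00:00 dev-C com.example.game
2022-06-01T13:00:00 dev-C com.example.weather
2022-06-01T16:00:00 dev-C com.example.chat
"""

def parse(log):
    """Yield (timestamp, device_id, app_id) from whitespace-separated lines."""
    for line in log.splitlines():
        if line.strip():
            ts, device, app_id = line.split()
            yield datetime.fromisoformat(ts), device, app_id

def flag_devices(records, window=timedelta(minutes=5), max_app_ids=3):
    """Return {device: (distinct app IDs, requests)} for the worst window of
    each device that claimed more than max_app_ids app IDs within `window`."""
    by_device = defaultdict(list)
    for ts, device, app_id in records:
        by_device[device].append((ts, app_id))
    flagged = {}
    for device, events in by_device.items():
        events.sort()
        start = 0
        for i, (ts, _) in enumerate(events):
            # Slide the window start past events older than `window`.
            while ts - events[start][0] > window:
                start += 1
            apps = {app for _, app in events[start:i + 1]}
            if len(apps) > max_app_ids:
                seen = (len(apps), i + 1 - start)
                flagged[device] = max(flagged.get(device, seen), seen)
    return flagged

if __name__ == "__main__":
    print(flag_devices(parse(SAMPLE_LOG)))
```

The short window is what separates dev-B from dev-C in the sample: a user who opens four apps over a day is normal, while four claimed app IDs from one device within seconds is not.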
After mapping the Vastflux infrastructure, HUMAN carried out three waves of targeted action between June 2022 and July 2022. These involved customers, partners and the spoofed brands. Each wave dealt a serious blow to the fraudulent activity.
Vastflux eventually took the C2 servers offline for a time and reduced its operation. On December 6th, 2022, the ad bids dropped to zero.
Ad fraud is not directly malicious to the device's user, but it can cause performance drops, increase internet data usage and even overheat the device.
These are signs that an adware infection or ad fraud is present on the device. Users who notice them should be suspicious and try to identify the apps responsible for the majority of resource usage.
Video ads use more power than static ads, and hidden video players are difficult to conceal from performance monitors. It’s important to keep an eye on all running processes to spot signs of trouble.