A Sneaky Advertising Scam Infiltrated Eleven Million Mobile Devices

Vastflux is one of the largest ad frauds ever discovered, with approximately 1,700 spoofed apps, 120 targeted publishers, and 12 billion false ad requests daily.

Each time you open an application or website, a flurry of unseen processes occurs without your knowledge. Behind the scenes, dozens of advertising firms are vying for your attention: they want their advertisements to reach your eyes. For each ad, a series of instant auctions frequently determines which advertisement you see. This automated advertising, commonly referred to as programmatic advertising, was worth $418 billion last year. But it is also susceptible to abuse.

Today, security researchers disclosed a new widespread attack on the online advertising ecosystem that has affected millions of people, defrauded hundreds of businesses, and may have yielded its perpetrators substantial profits. The attack, dubbed Vastflux, was discovered by researchers at Human Security, a company that investigates fraud and bot activity. The attackers spoofed 1,700 apps and targeted 120 publishers, compromising 11 million mobile devices. At their peak, the attackers made 12 billion requests for advertisements per day.

Marion Habiby, a data scientist at Human Security and the case’s lead researcher, explains, “When I first received the results for the volume of the attack, I had to run the numbers multiple times.” Habiby describes the attack as one of the most sophisticated and the largest the company has ever witnessed. “It is evident that the bad actors were well-organized and went to great lengths to avoid detection, ensuring that the attack would last as long as possible to generate as much profit as possible,” Habiby explains.

The business of online and mobile advertising is complex and frequently murky. However, it generates enormous profits for those involved. Every day, billions of ads are placed on websites and in apps. Advertisers or ad networks pay to have their ads displayed and earn money when people click on or view them.

In the summer of 2022, Human Security researcher Vikas Parthasarathy discovered Vastflux while investigating a different threat. According to Habiby, the operation of the fraud required multiple steps, and the perpetrators took a variety of precautions to avoid being discovered.

First, the group responsible for the attack — which Human Security has not identified due to ongoing investigations — would target popular apps and attempt to purchase ad space within them.

“They were only going through one ad slot,” Habiby explains. “They were not attempting to take over an entire phone or app.”

Once Vastflux won an auction for an ad, the group would insert malicious JavaScript code into the ad to covertly stack multiple video ads.

Simply put, the attackers were able to hijack the advertising system so that when a phone displayed an ad within an affected app, it displayed up to 25 ads on top of one another. Each advertisement would pay the attackers, and you would only see one advertisement on your phone. However, your phone’s battery would deplete more quickly than usual as it processed all the fraudulent advertisements.

“It’s quite brilliant because as soon as the advertisement disappears, your attack ceases, which means you won’t be found easily,” Habiby explains.

In June 2022, at the group’s peak of activity, 12 billion ad requests were made per day. According to Human Security, the attack primarily affected iOS devices, but Android phones were also affected. The fraud is estimated to have affected 11 million devices in total. Legitimate apps and advertising processes were compromised, leaving device owners with little recourse against the attack.

Michael Aciman, a spokesperson for Google, states that the company has strict policies against “invalid traffic” and that there was limited “exposure” of Vastflux on its networks. Aciman says, “Our team thoroughly evaluated the report’s findings and took swift enforcement action.” Apple did not respond to WIRED’s request for comment.

Mobile advertising fraud can take on a variety of forms. This can range from ad stacking and phone farms to click farms and SDK spoofing, as with Vastflux. The rapid depletion of a phone’s battery, large spikes in data usage, or the random activation of its screen could be indicators of ad fraud. In November 2018, the FBI’s largest ad fraud investigation resulted in the indictment of eight men for operating two infamous ad fraud schemes. (Human Security and additional technology firms participated in the investigation.) And in 2020, Uber won a lawsuit alleging ad fraud after a company it hired to increase app installation used “click flooding.”

In the case of Vastflux, the attack likely had the greatest effect on those involved in the vast advertising industry. The fraud affected both advertising firms and apps that display advertisements.

Human Security’s senior manager of threat insights, Zach Edwards, explains, “They attempted to defraud all of these distinct parties along the supply chain by employing a variety of techniques against each.”

Multiple strategies were employed by the group to avoid detection; up to 25 simultaneous ad requests from a single phone would have appeared suspicious. They spoofed the advertising details of 1,700 apps, making it appear as though many apps were involved in displaying the ads when, in reality, only one app was used. Additionally, Vastflux modified its advertisements to only allow certain tags to be attached to advertisements, thereby evading detection.
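As an added illustration (not part of the original article and not Human Security's tooling), the sketch below shows how the stacking pattern described above could surface in ad-request logs: many near-simultaneous requests from one device, claiming several different apps. The record layout, device IDs, bundle names and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample records (not real traffic): (epoch_ms, device_id, claimed_app_bundle)
SAMPLE_REQUESTS = (
    # "dev-A": a burst of 25 video ad requests within ~1 s, claiming 5 different apps
    [(1_000 + i * 40, "dev-A", f"com.example.app{i % 5}") for i in range(25)]
    # "dev-B": ordinary pacing, one request every 30 s from a single app
    + [(1_000 + i * 30_000, "dev-B", "com.example.game") for i in range(6)]
    # "dev-C": a small burst from one app (e.g. a retry), below the threshold
    + [(5_000 + i * 100, "dev-C", "com.example.news") for i in range(3)]
)

def find_stacking_suspects(requests, window_ms=2_000, max_requests=5, max_apps=1):
    """Return {device_id: (peak_requests, peak_distinct_apps)} for devices that
    exceed either limit inside any sliding window of `window_ms` milliseconds."""
    per_device = defaultdict(list)
    for ts, device, bundle in requests:
        per_device[device].append((ts, bundle))

    suspects = {}
    for device, events in per_device.items():
        events.sort()
        window = deque()
        peak_requests = peak_apps = 0
        for ts, bundle in events:
            window.append((ts, bundle))
            # Drop events that have fallen out of the sliding window.
            while window[0][0] < ts - window_ms:
                window.popleft()
            peak_requests = max(peak_requests, len(window))
            # One physical device claiming several apps at once suggests spoofing.
            peak_apps = max(peak_apps, len({b for _, b in window}))
        if peak_requests > max_requests or peak_apps > max_apps:
            suspects[device] = (peak_requests, peak_apps)
    return suspects

if __name__ == "__main__":
    for device, (reqs, apps) in find_stacking_suspects(SAMPLE_REQUESTS).items():
        print(f"{device}: peak {reqs} requests / {apps} claimed apps in one window")
```

Real thresholds would have to be tuned against a publisher's normal traffic, since legitimate retries and ad refreshes also produce short bursts.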

Matthew Katz, head of marketplace quality at FreeWheel, a Comcast-owned ad tech company that was partially involved in the investigation, asserts that the sophistication of attackers in the space is growing. Katz states that Vastflux was an especially complex scheme.

According to researchers, the attack involved significant infrastructure and planning. According to Edwards, Vastflux utilized multiple domains to launch its attack. The name Vastflux is derived from “fast flux,” a hacker attack type involving the linking of multiple IP addresses to a single domain name, and VAST, a template for video advertising developed by a working group of the Interactive Advertising Bureau (IAB) and abused in the attack. (According to Shailley Singh, executive vice president, product, and chief operating officer at IAB Tech Lab, using the VAST 4 version of its template can help prevent attacks such as Vastflux, and additional technical measures from publishers and ad networks would help reduce its effectiveness.) Habiby explains, “It’s not the typical type of straightforward fraud scheme.”

Due to ongoing investigations, the researchers refused to disclose who may be behind Vastflux or how much money they may have made. However, they claim to have witnessed the same criminals committing advertising fraud as early as 2020. In that instance, the ad fraud scheme allegedly targeted US swing states and collected user information.

At least for the time being, Vastflux has been halted. Human Security and several companies with which it has partnered to combat ad fraud began actively combating the group and the attack in June of last year. In June and July 2022, three separate disruptions of Vastflux reduced the number of daily ad requests from the attack to less than one billion. The company stated in a blog post, “We identified the bad actors behind the operation and worked closely with the abused organizations to mitigate the fraud.”

Since December, when the servers were taken offline by the attackers, Human Security has not observed any activity from the group. Tamer Hassan, the chief executive officer of the company, asserts that there are multiple actions individuals can take against criminals, some of which may result in law enforcement action. However, money is important. Stopping attackers from making a profit will reduce the number of attacks. “We defeat cybercriminals as an industry by winning the economic game,” Hassan says.

Why Trust Us?

Best Top Reviews Online was established in 2018 to provide our readers with detailed, truthful, and impartial advice on what to buy. We now have millions of monthly users from all over the world and annually evaluate over a thousand products.

The above article was written by the BestTopReviewsOnline team, which consists of some of the most knowledgeable technical experts in the United States. Our team consists of highly regarded writers with vast experience in smartphones, computer components, technology apps, security, and photography, among other fields.
