In short: Researchers at the security company Human Security recently uncovered one of the largest and most sophisticated attacks on mobile ads they’ve ever seen. The well-planned campaign, dubbed Vastflux, affected millions of phones and scammed hundreds of ad companies and app developers, and its operators likely made a ton of money.
Vastflux was first discovered by Human Security last year while its researchers were investigating a separate threat. Rather than compromising the user's whole phone or an entire app, the scheme targeted a single ad slot. Once the group won that ad space in an advertiser's auction, it inserted malicious code that allowed multiple video ads to be stacked on top of each other within the one slot.
The end user saw only one video ad, but behind the scenes the attackers were loading up to 25 video ads on top of each other in that slot. They were paid for each ad as if it had been shown individually, and the group spoofed identifiers from hundreds of apps to make it look as though many different apps were involved in the campaign. To stay undetected, the attack also allowed only certain tags to be attached to the ad requests. The operators used several domains to launch the attacks.
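One way a publisher or ad platform could look for the pattern described above, stacked video playbacks in a single slot on one device combined with many different app identifiers claimed by that device, is to run a simple overlap count over its own ad-event logs. The following is an added, illustrative example and is not code from Human Security or from the article; the log line format (timestamp, device id, slot id, event, app bundle id) and the sample lines are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample ad-event log lines (not real data). Fields: timestamp,
# device id, ad slot id, event type, app bundle id reported to the ad exchange.
# dev-A shows four video ads started within seconds in one slot, each claiming
# a different app; dev-B shows two ads played back to back, which is normal.
SAMPLE_LOG = """\
2022-06-01T10:00:00Z dev-A slot-1 video_start com.example.weather
2022-06-01T10:00:01Z dev-A slot-1 video_start com.example.news
2022-06-01T10:00:01Z dev-A slot-1 video_start com.example.games
2022-06-01T10:00:02Z dev-A slot-1 video_start com.example.music
2022-06-01T10:00:30Z dev-A slot-1 video_end com.example.weather
2022-06-01T10:00:00Z dev-B slot-7 video_start com.example.weather
2022-06-01T10:00:30Z dev-B slot-7 video_end com.example.weather
2022-06-01T10:00:31Z dev-B slot-7 video_start com.example.weather
"""


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, device, slot, event, bundle = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "device": device, "slot": slot, "event": event, "bundle": bundle,
        })
    return events


def max_concurrent_per_slot(events):
    """Return {(device, slot): peak number of video ads active at once}."""
    # Sort by time; at equal timestamps process ends before starts so a
    # legitimate back-to-back playback (end, then start) is not counted as overlap.
    ordered = sorted(
        events, key=lambda e: (e["ts"], 0 if e["event"] == "video_end" else 1)
    )
    active = defaultdict(Counter)   # (device, slot) -> bundle -> running plays
    peak = defaultdict(int)
    for e in ordered:
        key = (e["device"], e["slot"])
        if e["event"] == "video_start":
            active[key][e["bundle"]] += 1
        elif e["event"] == "video_end" and active[key][e["bundle"]] > 0:
            active[key][e["bundle"]] -= 1
        peak[key] = max(peak[key], sum(active[key].values()))
    return dict(peak)


def bundles_per_device(events):
    """Return {device: sorted list of distinct app bundle ids it claimed}."""
    seen = defaultdict(set)
    for e in events:
        seen[e["device"]].add(e["bundle"])
    return {device: sorted(bundles) for device, bundles in seen.items()}


def flag_stacked_slots(events, max_stack=1):
    """Flag (device, slot) pairs with more than max_stack overlapping video ads.

    A real device renders one video ad per slot at a time, so any overlap is
    suspicious; the number of distinct bundle ids the device claimed is
    reported alongside as a second indicator of spoofed app identity.
    """
    peaks = max_concurrent_per_slot(events)
    bundles = bundles_per_device(events)
    return [
        {
            "device": device,
            "slot": slot,
            "peak_concurrent": n,
            "bundles_claimed": len(bundles[device]),
        }
        for (device, slot), n in sorted(peaks.items())
        if n > max_stack
    ]


if __name__ == "__main__":
    for hit in flag_stacked_slots(parse_events(SAMPLE_LOG)):
        print(hit)
```

On the constructed input the only hit is dev-A / slot-1 with four overlapping playbacks across four claimed apps, while dev-B's consecutive ads are not flagged. In practice the overlap threshold and a window for "distinct bundle ids per device" would be tuned against normal traffic, and a single flagged pair would be a lead for investigation rather than proof of fraud.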
From the end user's point of view, the only hint that something was wrong was faster battery drain, since the phone was processing all of the fraudulent ads in the background.
Human Security has yet to name the group behind the attack or say how much they potentially made from the scheme, but it’s likely a hefty sum. At its peak in June 2022, the attack was making 12 billion ad requests daily. Vastflux was primarily targeted at iOS devices, but some Android phones have been affected as well. In total, it is believed that about 11 million devices were affected.
Last summer, the security firm and its partners went on the offensive with a series of mitigation measures. By December, the group behind the campaign had shut down its servers, and it has remained silent ever since.