
This sneaky ad scam affected over 11 million devices


Security researchers have discovered a new “highly sophisticated” advertising scam affecting more than 11 million devices globally. Dubbed Vastflux, the brains behind this ad fraud spoofed over 1,700 apps and defrauded at least 120 ad publishers. The attack abused programmatic advertising, which is essentially automated online advertising.

Vastflux abused programmatic advertising in mobile devices

Every time you open an ad-supported app or website, you see several ads throughout it. But what you don’t see is the companies jostling for that ad space. It all happens behind the scenes. The ads that surface on the screen are selected through a series of automated instant auctions known as programmatic advertising. Ad publishers pay for each advertising slot they get in an app or website.

The creators of Vastflux abused this process in mobile apps (mostly iOS, but a few Android apps too) to carry out the scam. First, they would legitimately bid for an advertising slot in a popular app. Once they won the auction for an ad, the attackers inserted malicious JavaScript code into that ad. This let them stealthily stack up to 25 video ads on top of each other in the same advertising slot. While users would only see one ad on their phone, Vastflux would register 25 views and get paid for each of them.


Since 25 ad requests from the same device at the same time would raise suspicion, the attackers spoofed the advertising details of 1,700 apps. This made it look as though the ad requests were coming from separate devices, i.e. from 25 different advertising slots. In reality, they had purchased only one ad slot and stacked multiple videos on it to defraud publishers. Vastflux also used several other tactics to avoid detection, such as modifying ad tags.

At its peak in June last year, Vastflux made 12 billion ad requests per day. Since users only see one ad, they are highly unlikely to suspect anything. Their phones would consume more power and processor resources while using the affected apps, because the devices have to process multiple videos simultaneously, but users would blame the app itself rather than anything else. On top of this, the attack stops as soon as the ad disappears. This makes detection even more difficult.
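The tell in the request pattern described above is that a phone runs one app at a time, so one device identifier issuing video-ad requests for many different app bundle IDs within a few seconds looks like a single slot with stacked, spoofed ads. The detector below is an added example, not code from the article or from Human Security; the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
# Added example: flag devices whose video-ad requests claim too many distinct
# apps inside a short window (the stacking/spoofing pattern the article describes).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <device_id> <app_bundle> <ad_format>"
SAMPLE_LOG = """\
2022-06-10T12:00:00 dev-A com.example.news video
2022-06-10T12:00:00 dev-A com.example.weather video
2022-06-10T12:00:01 dev-A com.example.games video
2022-06-10T12:00:01 dev-A com.example.recipes video
2022-06-10T12:00:02 dev-A com.example.fitness video
2022-06-10T12:00:02 dev-A com.example.podcasts video
2022-06-10T12:00:30 dev-B com.example.news video
2022-06-10T12:01:10 dev-B com.example.news video
2022-06-10T12:05:00 dev-C com.example.weather banner
"""

def parse_log(text):
    """Yield (timestamp, device_id, app_bundle, ad_format) for each log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, app, fmt = line.split()
        yield datetime.fromisoformat(ts), device, app, fmt

def find_stacked_devices(records, window=timedelta(seconds=5), max_apps=3):
    """Return {device_id: peak distinct app bundles within one window} for
    devices exceeding max_apps. Only video requests count, since the scam
    stacked video ads; a genuine device rarely shows several apps at once."""
    by_device = defaultdict(list)
    for ts, device, app, fmt in records:
        if fmt == "video":
            by_device[device].append((ts, app))
    flagged = {}
    for device, events in by_device.items():
        events.sort()
        start, peak = 0, 0
        for end, (ts, _) in enumerate(events):
            # Slide the window start forward until it fits within `window`.
            while ts - events[start][0] > window:
                start += 1
            peak = max(peak, len({a for _, a in events[start:end + 1]}))
        if peak > max_apps:
            flagged[device] = peak
    return flagged

if __name__ == "__main__":
    print(find_stacked_devices(parse_log(SAMPLE_LOG)))  # {'dev-A': 6}
```

In production the device key would combine IP, user agent and advertising ID, and the thresholds would be tuned against the publisher's own baseline of legitimate traffic.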

Researchers have disrupted this ad scam

Overall, Vastflux affected more than 11 million Android and iOS devices. Its creators may have made a sizable fortune by defrauding ad publishers with this scam. Researchers at Human Security discovered the scam in June last year and worked with their partners to disrupt the attack. After multiple disruptions, Vastflux's creators took down the servers last month. But the same criminals reportedly ran advertising fraud in the past as well, so there is every chance they will return with new tactics.


“Orchestrating a private takedown of this magnitude and severity is no small feat, and I want to take a moment to thank all involved, including the Human Satori Threat Intelligence and Research Team, the team at clean.io, and the industry leaders who make up The Human Collective who are dedicated to making the programmatic ecosystem safe and human,” said Gavin Reid, CISO (chief information security officer) at Human Security.