Massive Ad Fraud Scheme Targeted Over 11 Million Devices with 1,700 Spoofed Apps

Jan 23, 2023Ravie LakshmananMobile Security / Malvertising

Researchers have shut down an “expansive” ad fraud scheme that spoofed more than 1,700 applications from 120 publishers and impacted roughly 11 million devices.

“VASTFLUX was a malvertising attack that injected malicious JavaScript code into digital ad creatives, allowing the fraudsters to stack numerous invisible video ad players behind one another and register ad views,” fraud prevention firm HUMAN said.

The operation gets its name from the use of a DNS evasion technique called Fast Flux and VAST, a Digital Video Ad Serving Template that’s employed to serve ads to video players.

The sophisticated operation particularly exploited the restricted in-app environments that run ads on iOS to place bids for displaying ad banners. Should the auction be won, the hijacked ad slot is leveraged to inject rogue JavaScript that establishes contact with a remote server to retrieve the list of apps to be targeted.

The includes the bundle IDs that belong to legitimate apps so as to conduct what’s called as an app spoofing attack, in which a fraudulent app passes off as a highly-regarded app in an attempt to trick advertisers into bidding for the ad space.

The ultimate objective, per HUMAN, was to register views for as many as 25 video ads by layering them atop one another in a manner that’s completely invisible to the users and generates illicit revenue.

“It doesn’t stop with the stacked ads, though,” the company said. “For as many of those as might be rendering on a user’s device at once, they keep loading new ads until the ad slot with the malicious ad code is closed.”

“The actors behind the VASTFLUX scheme clearly have an intimate understanding of the digital advertising ecosystem,” it further added, stating the campaign also rendered an endless “playlist” of ads to defraud both the advertising companies and apps that show ads.

The takedown of VASTFLUX arrives three months after the disruption of Scylla, a fraud operation targeting advertising software development kits (SDKs) within 80 Android apps and 9 iOS apps published on the official storefronts.

VASTFLUX, which generated over 12 billion bid requests per day at its peak, is only the latest in a stretch of ad fraud botnets that have been shuttered in recent years, after 3ve, PARETO, and Methbot.