Ad fraud is a major issue in the digital advertising industry, costing businesses billions of dollars each year. Recently, a massive iOS ad fraud operation known as “Vastflux” was disrupted by security researchers at the cybersecurity company HUMAN. This operation was particularly noteworthy as it spoofed more than 1,700 applications from 120 publishers, mostly for iOS devices.

At its peak, Vastflux generated over 12 billion bid requests per day and reached almost 11 million devices, most of them in Apple’s iOS ecosystem. The operation’s name combines the VAST ad-serving template with the “fast flux” evasion technique, in which the many IP addresses and DNS records associated with a single domain are rotated rapidly to conceal the infrastructure behind malicious code.

Vastflux investigation on iOS fraud

The research team at HUMAN (Satori) discovered Vastflux while investigating a separate iOS ad fraud scheme. They noticed that an app was generating an unusually large number of requests using different app IDs. By reverse engineering the obfuscated JavaScript running in the app, the Satori team identified the IP address of the command and control (C2) server the app was communicating with, along with the ad-generating commands it sent.

Vastflux placed bids to display in-app banner ads. When it won an auction, it placed a static banner image and injected obfuscated JavaScript into it. The injected script contacted the C2 server to receive an encrypted configuration payload, which included instructions on the position, size, and type of the ads, plus data for spoofing real app and publisher IDs. Vastflux then stacked up to 25 video ads on top of one another. All of them generated ad view revenue, but none was visible to the user, because they were rendered behind the active window.

What mapping revealed

To evade detection, Vastflux omitted ad verification tags, which allow marketers to generate performance metrics. By avoiding them, the scheme stayed invisible to most third-party ad-performance trackers.
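The two signals described above, an app cycling through an unusually large number of app IDs from one device and bid requests that never carry a verification tag, can be checked directly against bid-request logs. The following is an added example, not HUMAN’s code; the JSON line format, field names (device_id, app_id, publisher_id, verification_tag) and thresholds are assumptions, and the log lines are constructed for the example.

```python
"""Flag devices whose bid requests show Vastflux-style signals.

Added illustration, not HUMAN's tooling. The log format, field names
and thresholds below are assumptions for the example.
"""
import json
from collections import defaultdict


def _line(device, app, pub, tag):
    """Build one constructed bid-request log line (JSON, one object per line)."""
    return json.dumps({"device_id": device, "app_id": app,
                       "publisher_id": pub, "verification_tag": tag})


# Constructed sample: dev-A cycles through eight app IDs and never carries a
# verification tag; dev-B is a normal heavy user of one app; dev-C is quiet.
SAMPLE_LOG = "\n".join(
    [_line("dev-A", f"com.example.app{i}", f"pub-{i % 4}", None) for i in range(8)]
    + [_line("dev-B", "com.example.news", "pub-news", "vt-123") for _ in range(6)]
    + [_line("dev-C", "com.example.game", "pub-game", "vt-456"),
       _line("dev-C", "com.example.game", "pub-game", None)]
)


def parse_bid_requests(text):
    """Parse newline-delimited JSON bid requests, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def flag_suspicious_devices(events, min_requests=5, max_distinct_apps=3,
                            tag_ratio=0.2):
    """Return {device_id: [reasons]} for devices matching either signal.

    Signal 1: many distinct app IDs from one device (app ID spoofing).
    Signal 2: verification tags present on fewer than tag_ratio of requests.
    Devices below min_requests are ignored to avoid noise from sparse data.
    """
    per_device = defaultdict(lambda: {"requests": 0, "apps": set(), "tagged": 0})
    for e in events:
        d = per_device[e["device_id"]]
        d["requests"] += 1
        d["apps"].add(e["app_id"])
        if e.get("verification_tag"):
            d["tagged"] += 1

    flagged = {}
    for device, d in per_device.items():
        if d["requests"] < min_requests:
            continue
        reasons = []
        if len(d["apps"]) > max_distinct_apps:
            reasons.append(f"{len(d['apps'])} distinct app IDs in "
                           f"{d['requests']} requests")
        if d["tagged"] / d["requests"] < tag_ratio:
            reasons.append("verification tag absent on most requests")
        if reasons:
            flagged[device] = reasons
    return flagged


if __name__ == "__main__":
    for device, reasons in flag_suspicious_devices(parse_bid_requests(SAMPLE_LOG)).items():
        print(device, "->", "; ".join(reasons))
```

The thresholds are deliberately loose so the example is readable; in production they would be tuned per publisher and per traffic volume, and a device would normally be escalated for manual review rather than blocked on these two signals alone.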

Having mapped the infrastructure behind the Vastflux operation, HUMAN launched three waves of targeted action between June and July 2022, working with customers, partners, and the spoofed brands, each wave delivering a blow to the fraudulent activity. Eventually, the Vastflux operators took their C2 servers offline for a while and scaled down their operations. On December 6, 2022, the ad bids fell to zero for the first time.

Financial losses

Ad fraud not only causes financial losses for businesses, but it can also degrade the user experience. On an affected device it can cause performance drops, increase battery and mobile data consumption, and even lead to overheating. These are common signs of adware infections or ad fraud, and users should be aware of them and try to pinpoint the app(s) causing the issue. Video ads consume much more power than static ads, and multiple hidden video players can be difficult to detect with performance monitors. It is therefore worth keeping an eye on running processes and looking for these signs of trouble.

In conclusion, the Vastflux ad fraud operation was a significant threat to the digital advertising industry, spoofing over 1,700 applications and impacting almost 11 million devices. HUMAN’s research team disrupted the operation and brought an end to its fraudulent activity. Ad fraud not only causes financial losses for businesses, but it can also negatively impact the user experience. It is important for both businesses and users to be aware of the signs of ad fraud and take steps to protect themselves from it.