Security researchers have uncovered a vast ad fraud operation targeting in-app advertising, primarily on iOS devices.
Dubbed “Vastflux,” it impacted over 11 million devices, mainly Apple devices, and at one point accounted for 12 billion fraudulent bid requests, according to security vendor Human’s Satori Threat Intelligence and Research Team.
The group discovered the scheme after observing unusual web traffic patterns related to a popular mobile app. It explained that advertising fraudsters favor mobile app ads as they pass less information to verification providers – meaning illicit schemes could last longer before being spotted.
Vastflux bid to display in-app banner ads. If it won, it injected malicious JavaScript into the underlying code, which stacked multiple video ads beneath the one displayed, all generating cash for its operators.
The JavaScript also spoofed the size of ads, along with the publisher and app IDs, to mask its activity. An estimated 1,700 apps and 120 publishers were spoofed in this way.
“Vastflux was a malvertising attack that injected malicious JavaScript code into digital ad creatives, allowing the fraudsters to stack numerous invisible video ad players behind one another and register ad views,” explained Human.
“The fraudsters behind the Vastflux operation have an intimate understanding of the digital advertising ecosystem; they evaded ad verification tags, making it harder for this scheme to be found.”
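The ad stacking described above can be checked for from the defender's side. The following is an added example, not code from Human's report or from the Vastflux operation: it audits a constructed snapshot of one ad slot for video players hidden inside a banner placement, and the snapshot format and all field names are assumptions.

```javascript
// Added example: audit one ad slot snapshot for stacked or hidden video players.
// The snapshot shape (declared, elements, rect, zIndex, opacity) is assumed.

// True when rectangle `outer` fully covers rectangle `inner`.
function covers(outer, inner) {
  return outer.x <= inner.x && outer.y <= inner.y &&
    outer.x + outer.w >= inner.x + inner.w &&
    outer.y + outer.h >= inner.y + inner.h;
}

function auditSlot(slot) {
  const findings = [];
  const videos = slot.elements.filter((e) => e.tag === 'video');
  // A slot sold as a banner should not be hosting video players.
  if (slot.declared.format === 'banner' && videos.length > 0) {
    findings.push(`banner slot hosts ${videos.length} video player(s)`);
  }
  for (const v of videos) {
    // Invisible to the user: zero opacity or zero rendered area.
    if (v.opacity === 0 || v.rect.w === 0 || v.rect.h === 0) {
      findings.push(`${v.id}: not visible (opacity or size)`);
      continue;
    }
    // Hidden beneath a visible element drawn above it that covers it fully.
    const cover = slot.elements.find((e) =>
      e !== v && e.opacity > 0 && e.zIndex > v.zIndex && covers(e.rect, v.rect));
    if (cover) findings.push(`${v.id}: covered by ${cover.id}`);
  }
  return { slotId: slot.id, videoCount: videos.length,
    suspicious: findings.length > 0, findings };
}

// Constructed sample data: one banner image with three video players behind it.
const box = { x: 0, y: 0, w: 320, h: 50 };
const stackedSlot = {
  id: 'slot-a', declared: { format: 'banner' },
  elements: [
    { id: 'banner-img', tag: 'img', rect: box, zIndex: 10, opacity: 1 },
    { id: 'vid-1', tag: 'video', rect: box, zIndex: 1, opacity: 1 },
    { id: 'vid-2', tag: 'video', rect: box, zIndex: 2, opacity: 1 },
    { id: 'vid-3', tag: 'video', rect: box, zIndex: 3, opacity: 0 },
  ],
};
const cleanSlot = { id: 'slot-b', declared: { format: 'banner' },
  elements: [stackedSlot.elements[0]] };
console.log(auditSlot(stackedSlot), auditSlot(cleanSlot));
```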
Human said it teamed up with industry partners to launch three waves of action against the operators of the Vastflux scheme, helping to reduce bid requests to virtually zero by December 2022.
Ad fraud of this sort can degrade device battery life, crash impacted apps and slow performance down for users, the report claimed.