“It’s pretty neat because the moment the ad disappears, your attack stops, which means you won’t be easily spotted,” Habiby explained.
The scale is enormous: In June 2022, at the height of the group’s activity, it was making 12 billion ad requests per day. Human Security said the attack primarily affected iOS devices, but Android phones were also hit. In total, an estimated 11 million devices were involved in the fraud. Device owners were left with little defense against the attack as legitimate applications and advertising processes were compromised.
Google spokesman Michael Aciman said the company had strict policies against “invalid traffic” and that Vastflux had limited “visibility” on its network. “Our team thoroughly evaluated the reported findings and swift enforcement action was taken,” Aciman said. Apple did not respond to WIRED’s request for comment.
Mobile ad fraud can take many different forms, from ad stacking of the kind Vastflux used and phone farms to click farms and SDK spoofing. For mobile phone users, a rapidly draining battery, a large increase in data usage, or a screen that turns on at random can be signs that a device is being affected by ad fraud. In November 2018, the FBI’s largest ad fraud investigation charged eight men over two notorious ad fraud schemes. (Human Security and other tech companies participated in the investigation.) In 2020, Uber won an ad fraud lawsuit after a company it had hired used “click flooding” to claim credit for app installs.
In Vastflux’s case, the biggest impact of the attack was arguably on those involved in the vast advertising industry itself. The fraud affects advertising companies and apps that display ads. “They’re trying to dupe all these different groups in the supply chain with different tactics against very different groups,” said Zach Edwards, senior manager of threat insights at Human Security.
To avoid detection (a single phone making as many as 25 simultaneous ad requests would look suspicious), the operators used a variety of tactics. They spoofed the app details on requests for 1,700 different apps, so the ad requests appeared to come from many different apps when in fact only one app was generating them. Vastflux also modified its ads to allow only certain tags to be attached to them, again helping it avoid detection.
Attackers in this space are becoming more sophisticated, said Matthew Katz, director of market quality at FreeWheel, an advertising technology company owned by Comcast, which participated in some of the research. “Vastflux is a particularly complex solution,” Katz said.
The attack involved significant infrastructure and planning, the researchers said. Edwards said Vastflux used multiple domains to launch its attacks. The name Vastflux combines “fast flux,” an evasion technique in which a single domain name is rapidly rotated across many IP addresses so that the serving hosts are hard to pin down or block, and VAST, the Video Ad Serving Template, a video ad standard that was abused in the attack. (The Interactive Advertising Bureau, which maintains the VAST standard, did not respond to a request for comment at the time of publication.) “It’s not a very simple fraudulent scheme that we’ve been seeing,” Habiby said.
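The two evasion tactics described above, bursts of stacked requests dressed up with spoofed app identifiers and ad-serving hosts that rotate across many IP addresses, each leave a trace in request logs. The following is an added illustration written for this page, not Human Security's detection code and not anything from the Vastflux operation itself. It runs three heuristics over a small constructed log: peak requests per device in a one-second window, peak number of distinct declared app bundles per device in a minute, and distinct resolved IPs per ad-serving hostname. The log format, the hostnames, the `dev-A`/`dev-B` identifiers and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Vastflux traffic). Fields:
# timestamp device_id declared_app_bundle ad_server_host resolved_ip
# dev-A fires eight requests in the same second, each claiming a different
# app, against a host whose resolved IP changes every request.
# dev-B is an ordinary device: one app, one request every half minute or so.
SAMPLE_LOG = """\
2022-06-01T12:00:00Z dev-A com.example.weather vast.flux-ads.example 203.0.113.10
2022-06-01T12:00:00Z dev-A com.example.news vast.flux-ads.example 203.0.113.11
2022-06-01T12:00:00Z dev-A com.example.recipes vast.flux-ads.example 203.0.113.12
2022-06-01T12:00:00Z dev-A com.example.puzzle vast.flux-ads.example 203.0.113.13
2022-06-01T12:00:00Z dev-A com.example.fitness vast.flux-ads.example 203.0.113.14
2022-06-01T12:00:00Z dev-A com.example.music vast.flux-ads.example 203.0.113.15
2022-06-01T12:00:00Z dev-A com.example.travel vast.flux-ads.example 203.0.113.16
2022-06-01T12:00:00Z dev-A com.example.finance vast.flux-ads.example 203.0.113.17
2022-06-01T12:00:05Z dev-B com.example.game ads.legit-cdn.example 198.51.100.5
2022-06-01T12:00:40Z dev-B com.example.game ads.legit-cdn.example 198.51.100.5
2022-06-01T12:01:20Z dev-B com.example.game ads.legit-cdn.example 198.51.100.5
"""


def parse_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, bundle, host, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "device": device, "bundle": bundle, "host": host, "ip": ip,
        })
    return events


def _windows(events, window):
    """Yield (device, events of that device within `window` of each start event)."""
    by_device = defaultdict(list)
    for e in events:
        by_device[e["device"]].append(e)
    for device, evs in by_device.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            j = i
            while j < len(evs) and evs[j]["ts"] - start["ts"] <= window:
                j += 1
            yield device, evs[i:j]


def max_requests_in_window(events, window=timedelta(seconds=1)):
    """Peak number of ad requests a single device makes inside any `window`."""
    peak = defaultdict(int)
    for device, chunk in _windows(events, window):
        peak[device] = max(peak[device], len(chunk))
    return dict(peak)


def max_declared_apps_in_window(events, window=timedelta(seconds=60)):
    """Peak number of distinct app bundles one device claims inside `window`.
    A real phone shows ads from one foreground app at a time, so many bundles
    from one device within a minute is the app-spoofing signal."""
    peak = defaultdict(int)
    for device, chunk in _windows(events, window):
        peak[device] = max(peak[device], len({e["bundle"] for e in chunk}))
    return dict(peak)


def ips_per_host(events):
    """Distinct resolved IPs seen per ad-serving hostname (fast-flux indicator)."""
    ips = defaultdict(set)
    for e in events:
        ips[e["host"]].add(e["ip"])
    return {host: len(addrs) for host, addrs in ips.items()}


def flag_devices(events, max_concurrent=5, max_apps=3, max_ips_per_host=4):
    """Return {device: sorted reasons} for devices tripping any heuristic.
    Thresholds are illustrative assumptions, not values from the research."""
    concurrent = max_requests_in_window(events)
    apps = max_declared_apps_in_window(events)
    flux_hosts = {h for h, n in ips_per_host(events).items() if n > max_ips_per_host}
    reasons = defaultdict(set)
    for e in events:
        d = e["device"]
        if concurrent[d] > max_concurrent:
            reasons[d].add("burst")
        if apps[d] > max_apps:
            reasons[d].add("app_spoof")
        if e["host"] in flux_hosts:
            reasons[d].add("fast_flux_host")
    return {d: sorted(r) for d, r in reasons.items() if r}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(flag_devices(evs))  # dev-A trips all three heuristics; dev-B trips none
```

On real traffic the per-device thresholds need tuning against the legitimate distribution (some SDKs prefetch several ads at once), and the fast-flux signal is stronger when paired with DNS TTLs observed for the host, which this log format does not carry.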