Is Your Battery Getting Drained Faster? It Could be Caused by Ad Fraud That Hit 11 Million Devices

An advertising scandal that pushed fake apps into millions of phones

In a shocking revelation, researchers uncovered a widespread ad fraud scheme called "Vastflux" that affected approximately 11 million phones. This sophisticated attack, discovered by Human Security, involved 1,700 spoofed apps, that targeted 120 publishers, and generated a staggering 12 billion false ad requests per day.

An invisible battle behind the scenes

Every time you open an app or visit a website, a behind-the-scenes war takes place among advertising companies vying for your attention. These companies engage in automated advertising, where instant auctions decide which ads you see. This industry is enormous, with a whopping $418 billion spent on programmatic advertising last year. However, it's also highly susceptible to abuse.

Vastflux: How a colossal attack was unleashed

The Vastflux attack was discovered by Human Security researcher Vikas Parthasarathy in the summer of 2022 while investigating another threat. Marion Habiby, a data scientist at Human Security and the lead researcher on the case, emphasizes that the attack was both the largest and most sophisticated the company has encountered. The attackers meticulously evaded detection, targeting popular apps and inserting malicious JavaScript code into ad slots to stack multiple video ads on top of each other.

Cloak-and-dagger approach

The fraudsters stealthily overloaded an ad slot within affected apps, and even if phone users saw only one ad, up to 25 ads were stacked on top of each other, with the attackers being paid for each ad. This technique also drained phone batteries faster than usual, and as soon as the ad disappeared, the attack stopped, making the scam hard to detect.

At its zenith in June 2022, Vastflux inundated the advertising ecosystem with an astounding 12 billion ad requests daily. It primarily affected iOS devices but also extended to Android phones. Unfortunately, device owners had limited means to thwart the attack, as legitimate apps and advertising processes were compromised.

Industry response and ongoing investigations

Human Security and its partners actively fought back against Vastflux in June and July 2022, leading to a significant drop in the number of ad requests from the attack. In December of that year, the attackers behind the scheme pulled down their servers, and no further activity has been detected since then. Identifying and disrupting the bad actors is essential, and experts emphasize that tackling cybercriminals' profitability is a key step in winning the battle against such massive ad fraud schemes.

Zach Edwards, a senior manager of threat insights at Human Security, notes that attackers in this space are becoming increasingly sophisticated. They use various tactics, including spoofing advertising details, modifying ads, and employing multiple domains to launch attacks. While the Vastflux attack was exceptional, experts argue that industry collaboration and technical measures can help reduce the effectiveness of such attacks.

The ongoing battle against ad fraud

The investigation into Vastflux continues, with ongoing efforts to uncover the identity of the perpetrators and understand the full extent of their profits. The ad fraud scheme is just one example of the evolving threats in the advertising industry, and combating it requires a multi-faceted approach. By cutting off attackers' sources of income, the industry aims to deter future fraudsters and protect users as well as legitimate advertisers.