Inside the Vastflux Ad-Scam


Security researchers at Human Security, a firm focusing on fraud and bot activity, recently uncovered a widespread attack on the online advertising ecosystem that impacted millions of people and defrauded hundreds of companies. Dubbed Vastflux, the attack affected 11 million phones, with the attackers spoofing 1,700 apps and targeting 120 publishers. At its peak, the attackers were making 12 billion requests for ads per day.

Marion Habiby, a data scientist at Human Security and the lead researcher on the case, describes the attack as both one of the most sophisticated the company has seen and the largest. “It is clear the bad actors were well organized and went to great lengths to avoid detection, making sure the attack would run as long as possible—making as much money as possible,” Habiby says.

The attackers behind Vastflux targeted popular apps and tried to buy an advertising slot within them. Once they won the auction for an ad, they inserted malicious JavaScript code into that ad to stealthily allow multiple video ads to be stacked on top of each other. This means that when a phone was displaying an ad within an affected app, there would actually be up to 25 ads placed on top of each other. The attackers would get paid for each ad, and you would only see one ad on your phone. However, your phone battery would drain faster than usual as it processed all the fraudulent ads.
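To show what the stacking pattern described above looks like from the detection side, here is an added example (not code from the original article or from Human Security's report): it groups video players that occupy the same on-screen box and flags any slot holding more than one, which is the signal a legitimate placement should never produce. The DOM collector, the `video, iframe` selector and the 4-pixel tolerance are assumptions; the grouping logic is pure and runs on the constructed sample below.

```javascript
// Two rectangles count as stacked when every edge is within `tol` pixels.
function sameBox(a, b, tol = 4) {
  return Math.abs(a.x - b.x) <= tol && Math.abs(a.y - b.y) <= tol &&
         Math.abs(a.width - b.width) <= tol && Math.abs(a.height - b.height) <= tol;
}

// players: [{id, rect: {x, y, width, height}}]. Returns only the groups that
// share a box (largest stack first); an honest ad slot yields no groups at all.
function findStackedPlayers(players, tol = 4) {
  const groups = [];
  for (const p of players) {
    const g = groups.find(grp => sameBox(grp.rect, p.rect, tol));
    if (g) g.ids.push(p.id);
    else groups.push({ rect: p.rect, ids: [p.id] });
  }
  return groups
    .filter(g => g.ids.length > 1)
    .sort((a, b) => b.ids.length - a.ids.length);
}

// Browser-only collector (hypothetical helper): measures every <video>/<iframe>
// on the page and reports stacked ones. Returns [] outside a DOM environment.
function auditAdSlots(doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return [];
  const players = Array.from(doc.querySelectorAll('video, iframe')).map((el, i) => {
    const r = el.getBoundingClientRect();
    return { id: el.id || `${el.tagName.toLowerCase()}#${i}`,
             rect: { x: r.x, y: r.y, width: r.width, height: r.height } };
  });
  return findStackedPlayers(players);
}

// Constructed sample: three players piled into one 300x250 slot (the user sees
// only the top one) plus a genuine 320x50 banner elsewhere on the screen.
const SAMPLE_PLAYERS = [
  { id: 'vast-0', rect: { x: 0, y: 0, width: 300, height: 250 } },
  { id: 'vast-1', rect: { x: 1, y: 0, width: 300, height: 250 } },
  { id: 'vast-2', rect: { x: 0, y: 2, width: 299, height: 250 } },
  { id: 'banner', rect: { x: 0, y: 400, width: 320, height: 50 } },
];

// Summary a monitoring hook could log: [{ count, ids }] per suspicious slot.
function stackReport(players = SAMPLE_PLAYERS) {
  return findStackedPlayers(players).map(g => ({ count: g.ids.length, ids: g.ids }));
}
```

In a real page the check would run periodically, since the stacked players are injected after the winning creative loads rather than being present at page load.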

The scale of this was colossal: In June 2022, at the peak of the group’s activity, it made 12 billion ad requests per day. Human Security says the attack primarily impacted iOS devices, although Android phones were also hit. In total, the fraud is estimated to have involved 11 million devices. There is little device owners could have done about the attack, as legitimate apps and advertising processes were impacted.

Google and Apple have both taken action against the Vastflux attack, but it’s clear that online advertising is a complex and often murky business that’s ripe for abuse. For phone owners, batteries dying quickly, large jumps in data use, or screens turning on at random times could be signs a device is being impacted by ad fraud. The next time you open an app or website, remember that there’s a flurry of invisible processes taking place behind the scenes, and not all of them are on the up and up.

What's your opinion?