“It’s quite genius because the minute the ad disappears, your attack stops, which means that you’re not going to be found easily,” Habiby explains.
The scale of this was colossal: In June 2022, at the peak of the group’s activity, it made 12 billion ad requests per day. Human Security says the attack primarily impacted iOS devices, although Android phones were also hit. In total, the fraud is estimated to have involved 11 million devices. There is little device owners could have done about the attack, as legitimate apps and advertising processes were impacted.
Google spokesperson Michael Aciman says the company has strict policies against “invalid traffic” and there was limited Vastflux “exposure” on its networks. “Our team thoroughly evaluated the report’s findings and took prompt enforcement action,” Aciman says. Apple did not respond to WIRED’s request for comment.
Mobile ad fraud can take many different forms. This can range, as with Vastflux, from types of ad stacking and phone farms to click farms and SDK spoofing. For phone owners, batteries dying quickly, large jumps in data use, or screens turning on at random times could be signs a device is being impacted by ad fraud. In November 2018, the FBI’s biggest ad fraud investigation charged eight men with running two notorious ad fraud schemes. (Human Security and other technology companies were involved in the investigation.) And in 2020, Uber won an ad fraud lawsuit after a company it hired to get more people to install its app did so through “click flooding.”
In the case of Vastflux, the biggest impact of the attack was arguably on those involved in the sprawling advertising industry itself. The fraud affected both advertising companies and apps that show ads. “They were trying to defraud all these different groups along the supply chain, with different tactics against very different ones,” says Zach Edwards, a senior manager of threat insights at Human Security.
To avoid being detected—up to 25 simultaneous ad requests from one phone would look suspicious—the group used multiple tactics. They spoofed the advertising details of 1,700 apps, making it look like lots of different apps were involved in showing the ads, when only one was being used. Vastflux also modified its ads to only allow certain tags to be attached to adverts, helping it avoid detection.
Matthew Katz, head of marketplace quality at FreeWheel, a Comcast-owned ad tech company that was partly involved in the investigation, says attackers in the space are becoming increasingly sophisticated. “Vastflux was an especially complicated scheme,” Katz says.
The attack involved some significant infrastructure and planning, the researchers say. Edwards says Vastflux used multiple domains to launch its attack. The name Vastflux is based on “fast flux”—an attack type hackers use that involves linking multiple IP addresses to one domain name—and VAST, a template for video advertising, developed by a working group within the Interactive Advertising Bureau (IAB), that was abused in the attack. (Shailley Singh, executive vice president, product and chief operating officer at IAB Tech Lab, says using the VAST 4 version of its template can help prevent attacks like Vastflux, and other technical measures from publishers and ad networks would help reduce its effectiveness.) “It’s not the very simple kind of fraud scheme that we see all the time,” Habiby says.