Researchers have uncovered a huge network of fake apps running fake ads, especially on iOS devices.
The operation was named “Vastflux” in reference to its use of the Video Ad Serving Template (VAST) specification, as well as the fast-flux technique of changing blocks of IP addresses and DNS records to hide malicious code inside fake apps.
The HUMAN cybersecurity team discovered Vastflux while investigating another ad fraud network, and found that it generated more than 12 billion bid requests per day and affected more than 11 million devices, most of which were iOS devices.
Hidden videos
Researchers became aware of the campaign when they found an app that was using multiple app identifiers to generate an abnormally large number of requests.
After reverse engineering the obfuscated JavaScript code, they found the upstream server the app was in contact with and to which the app sent the ad generation commands.
From there, the researchers uncovered the entire network, which included nearly 2,000 fake apps. As they explain, the fake ads in these apps “stack a whole bunch of video players on top of each other, and all ads are paid for when none of them are visible to the person using the device.”
When its bids to display ad banners were won, Vastflux injected hidden JavaScript code into the banners. This code then obtained from the C2 server the data needed to make the fake ad. Up to 25 videos would play simultaneously, but they remained invisible to the user because they were displayed behind the active window.
To avoid detection by ad performance trackers, the scheme also did not use ad verification tags, which are needed to display performance metrics.
HUMAN, with the help of its customers and the brands that had been impersonated, launched a series of targeted actions against Vastflux between June and July 2022. The C2 servers went down after a while as the operation ceased, and bids reached zero in December 2022.
Although the campaign did not seem to have a significant security impact on the affected devices, it did cause performance issues, battery drain and overheating in some cases.
These are typical signs of infection, so pay attention if you notice anything like this on your device. Although you cannot natively monitor the usage of performance-related resources such as CPU and RAM on your iPhone, there are third-party apps that can. You can also view battery usage on iOS under device settings, which may point to suspicious apps.