Researchers have uncovered a huge network of fake apps running fake ads, especially on iOS devices.
The operation was named “Vastflux” in reference to its use of the Video Ad Serving Template (VAST) specification, as well as fast flux, a technique that rapidly changes blocks of IP addresses and DNS records, to hide malicious code inside fake apps.
The HUMAN cybersecurity team discovered Vastflux while investigating another ad fraud network, and found that it generated more than 12 billion bid requests per day and affected more than 11 million devices, most of which were iOS.
Researchers were alerted to the campaign when they found an app that was using multiple app identifiers to generate an abnormally high number of requests.
From here, the researchers uncovered the entire network, which included nearly 2,000 fake apps. As they explain, the fraudulent ads in these apps “stack a whole bunch of video players on top of each other, and all ads are paid for when none of them are visible to the person using the device.”
To avoid detection by ad performance trackers, the scheme also did not use ad verification tags, which are needed to display performance metrics.
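The signals described above (one source claiming many app identifiers at abnormal volume, and ads served without verification tags) can be combined into a check over bid-request logs. This is an added example, not HUMAN's detection code; the record fields, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real data). Assumed fields:
# (device id, claimed app bundle id, epoch second, ad carried a verification tag)
SAMPLE = (
    # dev-A: 60 requests in one minute, rotating 6 app ids, never tagged
    [("dev-A", f"com.example.app{i % 6}", 1000 + i, False) for i in range(60)]
    # dev-B: low volume, one app, tagged
    + [("dev-B", "com.example.news", 1000 + 20 * i, True) for i in range(5)]
    # dev-C: busy but consistent: one app, tagged
    + [("dev-C", "com.example.game", 1000 + i, True) for i in range(60)]
)


def flag_devices(records, window=60, max_apps=3, max_requests=30,
                 min_tagged=0.5, min_signals=2):
    """Return {device: sorted signals} for devices showing >= min_signals.

    Thresholds are illustrative assumptions and need tuning on real traffic.
    """
    by_device = defaultdict(list)
    for device, app, ts, tagged in records:
        by_device[device].append((ts, app, tagged))

    flagged = {}
    for device, events in by_device.items():
        events.sort()
        signals = set()
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans fewer than `window` seconds.
            while events[end][0] - events[start][0] >= window:
                start += 1
            in_window = events[start:end + 1]
            if len({app for _, app, _ in in_window}) > max_apps:
                signals.add("many_app_ids")      # one source, many identities
            if len(in_window) > max_requests:
                signals.add("high_volume")       # abnormal request rate
        tagged_share = sum(t for _, _, t in events) / len(events)
        if tagged_share < min_tagged:
            signals.add("no_verification_tags")  # ads avoid measurement
        # Require corroboration: volume alone also describes a popular app.
        if len(signals) >= min_signals:
            flagged[device] = sorted(signals)
    return flagged


if __name__ == "__main__":
    print(flag_devices(SAMPLE))
```

Requiring at least two signals keeps a legitimately busy app such as `dev-C` out of the results.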
Working with the customers and brands that had been impersonated, HUMAN launched a series of targeted attacks on Vastflux between June and July 2022. The C2 servers later went offline as the operation wound down, and all bids reached zero in December 2022.
Although the campaign did not seem to have a significant security impact on the affected devices, it did cause performance issues, battery drain and overheating in some cases.
These are typical signs of infection, so pay attention if signs like these appear on your device. Although you cannot natively monitor performance-related resources such as CPU and RAM usage on your iPhone, there are third-party apps that can. You can also view battery usage on iOS under device settings, which may point to suspicious apps.