HUMAN Researchers Take Down A Giant Ad Fraud Campaign Affecting Millions Of iOS Devices
The researchers discovered this fraud campaign, dubbed VASTFLUX, while analyzing the network traffic to and from an iOS device running a single app. Although only one app was active on the device, the team observed dozens of advertising bid requests carrying different app identification numbers. Investigating this unexpected traffic, the researchers found that the app in question was displaying a malicious banner ad.
This ad injected scripts that created a video ad player behind the banner and reached out to a command-and-control (C2) server controlled by the fraudsters. The C2 server returned additional instructions, obfuscated to avoid detection. Once decrypted and reassembled, these instructions listed spoofed IDs for legitimate apps and publishers. The malicious banner ad then used these spoofed IDs to request video ads, which played hidden underneath the banner. As long as the banner stayed active, it kept requesting new video ads, stacking up to twenty-five at once and replacing each one when it finished playing.
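The two traffic signals described above, bid requests whose declared app ID does not match the app actually running on the device and a burst of video ad requests from one device while only a banner is on screen, can be checked with a small detection script. The following is an added example, not HUMAN's own tooling; the log format, device IDs, app IDs and publisher IDs are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed bid-request log in a hypothetical format (not HUMAN's data):
# timestamp device_id declared_app_id declared_publisher_id ad_format
SAMPLE_BID_LOG = """\
2023-01-10T12:00:00Z dev-A com.example.weather pub-100 banner
2023-01-10T12:00:02Z dev-A com.spoofed.game1 pub-201 video
2023-01-10T12:00:03Z dev-A com.spoofed.game2 pub-202 video
2023-01-10T12:00:04Z dev-A com.spoofed.news pub-203 video
2023-01-10T12:00:05Z dev-A com.spoofed.game1 pub-201 video
2023-01-10T12:05:00Z dev-B com.example.weather pub-100 banner
2023-01-10T12:05:30Z dev-B com.example.weather pub-100 video
"""

def parse_bid_log(text):
    """Parse whitespace-separated bid-request lines into dicts."""
    out = []
    for line in text.splitlines():
        ts, dev, app, pub, fmt = line.split()
        out.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                    "device": dev, "app": app, "pub": pub, "fmt": fmt})
    return out

def spoofed_app_ids(records, active_apps):
    """App IDs a device declared that differ from the app actually running
    on it; active_apps maps device_id -> app id (e.g. from device telemetry)."""
    spoofed = defaultdict(set)
    for r in records:
        if r["app"] != active_apps.get(r["device"]):
            spoofed[r["device"]].add(r["app"])
    return dict(spoofed)

def peak_video_requests(records, window=timedelta(seconds=60)):
    """Most video bid requests one device issued inside any window of the given
    length; a stack of hidden players behind one banner shows up as a burst."""
    times = defaultdict(list)
    for r in records:
        if r["fmt"] == "video":
            times[r["device"]].append(r["ts"])
    return {dev: max(sum(1 for u in ts if t <= u <= t + window) for t in ts)
            for dev, ts in times.items()}

def flag_devices(records, active_apps, max_video_per_window=3):
    """Devices whose traffic shows spoofed app IDs or a burst of video requests."""
    spoofed = spoofed_app_ids(records, active_apps)
    peaks = peak_video_requests(records)
    return {r["device"] for r in records
            if r["device"] in spoofed or peaks.get(r["device"], 0) > max_video_per_window}
```

A device missing from `active_apps` has every declared app ID counted as spoofed, so feed the function only devices whose foreground app is actually known.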
The team determined that the fraudsters issued more than 12 billion ad requests a day at the campaign’s peak, placing malicious ads on roughly eleven million devices using spoofed credentials of over 1,700 apps and 120 publishers. HUMAN then coordinated with publishers whose identification numbers were being spoofed in this campaign to conduct three major mitigation operations. These mitigation measures culled the fraudulent ad bid requests, ultimately driving the fraudsters to shut down the campaign. That said, the researchers caution us not to conclude that VASTFLUX is dead forever. This ad fraud scheme demonstrated sophistication on the part of the fraudsters, and they may already be developing their next campaign.