According to Wired, 11 million phones were attacked by an ad-fraud scheme called Vastflux which spoofed 1,700 apps and targeted 120 publishers. At the peak of the scam, the attackers were making requests for 12 billion ads per day. Marion Habiby, a data scientist with Human Security, the firm that discovered the attack, called it one of the largest and most organized any firm had ever seen.
Vastflux would allow fraudsters to run 25 ads on a phone simultaneously
“When I first got the results for the volume of the attack, I had to run the numbers multiple times,” Habiby said, “It is clear the bad actors were well organized and went to great lengths to avoid detection, making sure the attack would run as long as possible—making as much money as possible.” The fraud was first detected last year and the group behind the attacks, which Human Security will not name yet due to ongoing investigations, started the process by buying one single ad slot from popular apps.
After peaking at 12 billion ad requests daily, the scam slowly died out
Once the ad stopped playing, the attack ended making it almost impossible to discover the fraud. Habiby says that iOS devices were affected the most, but some Android handsets were also used in this scam. And because the attack occurred on legitimate apps using a legitimate advertising platform, phone owners really couldn’t do anything to prevent it from happening. After all, consumers’ handsets were only the conduit for the scam and consumers themselves did not suffer any financial hit.
Human Security’s Zach Edwards, a senior manager of threat insights at the firm, points out that advertising companies and apps that show ads were the damaged parties. The attack would spoof (copy) the ad details of 1,700 apps to make it appear as though ads were shown on more than just one app. After all, requesting 25 ads to be played simultaneously on one phone would have raised questions. Ads were also modified to limit tags so that the scam could not be discovered.
Google spokesperson Michael Aciman told Wired, “Our team thoroughly evaluated the report’s findings and took prompt enforcement action.” He also stated that Google has strict policies against “invalid traffic.” He also pointed out that there was limited exposure to Vastflux on Google’s networks.
The group behind the fraud closed up shop in December
A concerted effort to stop Vastflux last summer resulted in a sharp drop off in ad requests to less than a billion per day. Human Security said in a blog post, “We identified the bad actors behind the operation and worked closely with abused organizations to mitigate the fraud.”
The good news is that the group involved in the ad scam unplugged its servers last month and no activity from Vastflux has been spotted since. Individual phone owners will have a hard time determining if their phone is being used for such an ad scam because a rapidly draining battery could be the symptom of a legitimate bug.
Other red flags, such as unexplained jumps in data usage, having the phone’s screen turn on at random times, seeing the performance of an app slow down suddenly, or spotting an app crashing frequently, might be better signs warning you that your phone is part of an name scam.
The last word on Vastflux comes from Matthew Katz, head of marketplace quality at ad tech firm FreeWheel, a Comcast-owned outfit. The company was involved in the investigation which gives Katz a unique view of the whole scam. “Vastflux was an especially complicated scheme,” he said.