“It’s pretty ingenious, because the minute the ad disappears, your attack stops, which means you won’t be easy to find,” Habibie explains.
The scale of this was colossal: in June 2022, at the peak of the group’s activity, it was making 12 billion ad requests per day. Human Security reports that the attack primarily affected iOS devices, although Android phones were also hit. In total, an estimated 11 million devices were involved in the scam. There was little that device owners could do about the attack, because legitimate apps and advertising processes were the ones being abused.
Google spokesman Michael Aciman says the company has a strict “invalid traffic” policy and that the Vastflux “teardown” on its networks is limited. “Our group has carefully considered the findings of the report and acted promptly,” says Aciman. Apple did not respond to WIRED’s request for comment.
Mobile ad fraud can take many forms. It ranges from ad stacking, as with Vastflux, and phone farms to click farms and SDK spoofing. For phone owners, fast battery drain, big spikes in data usage, or screens turning on at random times can be signs that a device is being targeted by ad scams. In November 2018, the FBI conducted its largest ad fraud investigation, in which eight people were charged with running two notorious ad fraud schemes. (Human Security and other tech companies were involved in the investigation.) And in 2020, Uber won an ad fraud lawsuit after the company it hired to get more people to install its app did so via “click flooding”.
In the case of Vastflux, the biggest impact of the attack may have been on those involved in the sprawling advertising industry. The fraud affected both advertising companies and the apps that display ads. “They were trying to deceive all these different groups throughout the supply chain, using different tactics against different ones,” says Zach Edwards, senior manager of threat intelligence at Human Security.
To avoid detection – up to 25 simultaneous ad requests from one phone would look suspicious – the group used several tactics. It spoofed ad data from 1,700 apps, making it look as though many different apps were serving the ads when in fact only one was. Vastflux also modified its ads so that only certain tags could be attached to them, which helped it evade detection.
Matthew Katz, head of market quality at FreeWheel, the Comcast-owned advertising company that was partly involved in the investigation, says attackers in this area are becoming more sophisticated. “Vastflux was a particularly complex circuit,” says Katz.
The researchers say the attack involved significant infrastructure and planning. Edwards says Vastflux used multiple domains to launch its attack. The name Vastflux combines “fast flux”, a technique attackers use that involves binding multiple IP addresses to a single domain name, and VAST, the video ad template that was used in the attack. (The Interactive Advertising Bureau, which is behind the VAST template, did not respond to a request for comment at the time of publication.) “This is not a very simple scam that we see all the time,” says Habibie.
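The three signals the article describes (bursts of simultaneous ad requests from one device, one device presenting as many different apps, and ad domains that resolve to many IP addresses) can each be checked from ad-request logs. The following is an added example written for this article, not Human Security’s or any ad platform’s detection code; the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
"""Log heuristics for Vastflux-style ad fraud (added example, not vendor code).
Assumes a constructed CSV log: ts,device_id,claimed_app,ad_domain,resolved_ip."""
from collections import defaultdict
# Constructed sample: d1 fires five requests in one second under five app ids
# and ads.example resolves to five addresses; d2 looks benign.
SAMPLE_LOG = """\
1001,d1,com.app.a,ads.example,203.0.113.1
1001,d1,com.app.b,ads.example,203.0.113.2
1001,d1,com.app.c,ads.example,203.0.113.3
1001,d1,com.app.d,ads.example,203.0.113.4
1001,d1,com.app.e,ads.example,203.0.113.5
1001,d2,com.app.news,cdn.example,198.51.100.7
1010,d2,com.app.news,cdn.example,198.51.100.7
"""

def parse(log):
    """Parse CSV rows into (ts, device, app, domain, ip) tuples."""
    return [(int(ts), dev, app, dom, ip) for ts, dev, app, dom, ip in
            (line.split(",") for line in log.strip().splitlines())]

def peak_concurrency(rows, window=1):
    """Largest number of requests each device made within any `window` seconds."""
    per_dev = defaultdict(list)
    for ts, dev, _app, _dom, _ip in rows:
        per_dev[dev].append(ts)
    peaks = {}
    for dev, times in per_dev.items():
        times.sort()
        best = j = 0
        for i, t in enumerate(times):
            while times[j] <= t - window:  # slide past requests older than the window
                j += 1
            best = max(best, i - j + 1)
        peaks[dev] = best
    return peaks

def flag_devices(rows, max_concurrent=3, max_apps=4):
    """Devices whose request burst or number of claimed app identities is too high."""
    apps = defaultdict(set)
    for _ts, dev, app, _dom, _ip in rows:
        apps[dev].add(app)
    peaks = peak_concurrency(rows)
    return {dev: (peaks[dev], len(apps[dev])) for dev in peaks
            if peaks[dev] > max_concurrent or len(apps[dev]) > max_apps}

def flag_fast_flux(rows, max_ips=3):
    """Ad domains that resolved to more than `max_ips` distinct addresses."""
    ips = defaultdict(set)
    for _ts, _dev, _app, dom, ip in rows:
        ips[dom].add(ip)
    return {dom: len(s) for dom, s in ips.items() if len(s) > max_ips}
```

On the sample, only d1 (five requests in one second under five app identities) and ads.example (five resolved addresses) are flagged; real thresholds would be tuned against a baseline of legitimate SDK traffic.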