A Sneaky Ad Scam Tore Through 11 Million Phones



Once Vastflux won the auction for an ad, the group would insert some malicious JavaScript code into that ad to stealthily allow multiple video ads to be stacked on top of each other. 

Put simply, the attackers were able to hijack the advertising system so that when a phone was displaying an ad within an affected app, there would actually be up to 25 ads placed on top of each other. The attackers would get paid for each ad, and you would only see one ad on your phone. However, your phone battery would drain faster than usual as it processed all the fraudulent ads.

“It’s quite genius because the minute the ad disappears, your attack stops, which means that you’re not going to be found easily,” Habiby explains. 

The scale of this was colossal: In June 2022, at the peak of the group’s activity, it made 12 billion ad requests per day. Human Security says the attack primarily impacted iOS devices, although Android phones were also hit. In total, the fraud is estimated to have involved 11 million devices. There is little device owners could have done about the attack, as legitimate apps and advertising processes were impacted. 

Google spokesperson Michael Aciman says the company has strict policies against “invalid traffic” and there was limited Vastflux “exposure” on its networks. “Our team thoroughly evaluated the report’s findings and took prompt enforcement action,” Aciman says. Apple did not respond to WIRED’s request for comment.

Mobile ad fraud can take many different forms. This can range, as with Vastflux, from types of ad stacking and phone farms to click farms and SDK spoofing. For phone owners, batteries dying quickly, large jumps in data use, or screens turning on at random times could be signs a device is being impacted by ad fraud. In November 2018, the FBI’s biggest ad fraud investigation charged eight men with running two notorious ad fraud schemes. (Human Security and other technology companies were involved in the investigation.) And in 2020, Uber won an ad fraud lawsuit after a company it hired to get more people to install its app did so through “click flooding.”

In the case of Vastflux, the biggest impact of the attack was arguably on those involved in the sprawling advertising industry itself. The fraud affected both advertising companies and apps that show ads. “They were trying to defraud all these different groups along the supply chain, with different tactics against very different ones,” says Zach Edwards, a senior manager of threat insights at Human Security. 
