Vastflux ad fraud campaign shut down after striking millions

January 31, 2023

Researchers have disrupted Vastflux, an ad fraud operation that spoofed more than 1,700 apps from 120 publishers, most of them iOS apps.

The campaign's name combines VAST, the Video Ad Serving Template that the operation abused, with fast flux, an evasion technique in which attackers rapidly rotate the IP addresses and DNS records behind a single domain so that their infrastructure is harder to trace and take down.

Based on the researchers' report, Vastflux at its peak generated more than 12 billion ad bid requests per day and affected approximately 11 million devices, mainly Apple devices.

An investigation of another operation led to the discovery of the Vastflux ad fraud campaign.

The researchers explained that they were investigating a separate operation when they came across Vastflux. The apps involved stood out because they generated an unusually high number of ad requests while presenting many different app IDs.

The team found the IP address of the C2 server used by the operation by reverse-engineering the obfuscated JavaScript injected into the malicious ads.

Vastflux bid on in-app banner ad slots. Whenever it won a bid, it rendered a static banner image in the slot and injected obfuscated JavaScript into it.

The injected JavaScript then contacted the operators' C2 server and retrieved an encrypted configuration payload specifying the position, type and size of the ads to render.

Using that configuration, Vastflux stacked as many as 25 video ads in the single slot, each of which registered as a viewed ad and generated revenue. None of them was visible to the user: they were all rendered behind the static banner.

The operators also omitted ad verification tags from the injected ads, so that the third-party measurement that advertisers rely on for performance metrics never ran, which kept the stacked impressions from being detected.
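The three signals described above, an unusually high request volume spread across rotating app IDs, many video impressions recorded in one slot at the same instant, and impressions that never fire a verification tag, can be turned into detection logic over impression logs. The following is an added example written for this page; it is not code from the researchers or from the article. The log schema, the thresholds and the sample events are all assumptions constructed for illustration.

```python
"""Flag Vastflux-style ad stacking in impression logs (added example).

The Impression schema, the thresholds and SAMPLE_LOG are constructed
assumptions for illustration; they are not the researchers' data or code.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Impression:
    ts: int          # event time in seconds (assumed schema)
    device: str      # device identifier
    app_id: str      # app ID claimed in the bid request
    slot: str        # placement identifier inside the app
    fmt: str         # "banner" or "video"
    verified: bool   # True if a third-party verification tag fired


# Constructed sample: one clean device, and one device showing the pattern from
# the article (one visible banner, 25 video impressions in the same slot at the
# same instant, no verification tags, rotating spoofed app IDs).
SAMPLE_LOG = [
    Impression(1000, "dev-clean", "com.example.news", "slot-1", "banner", True),
    Impression(1030, "dev-clean", "com.example.news", "slot-1", "banner", True),
    Impression(1000, "dev-fraud", "com.spoofed.app1", "slot-7", "banner", False),
] + [
    Impression(1000, "dev-fraud", f"com.spoofed.app{i % 4}", "slot-7", "video", False)
    for i in range(25)
]

STACK_THRESHOLD = 5       # video impressions per slot per second before flagging (assumed)
APP_CHURN_THRESHOLD = 3   # distinct app IDs per device per minute before flagging (assumed)


def stacked_slots(log, threshold=STACK_THRESHOLD):
    """Return {(device, slot, ts): count} for slots where video ads are stacked.

    A single banner slot cannot legitimately show several video ads in the same
    second; a high count means creatives are being rendered out of sight.
    """
    counts = defaultdict(int)
    for imp in log:
        if imp.fmt == "video":
            counts[(imp.device, imp.slot, imp.ts)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def unverified_ratio(log, device):
    """Fraction of a device's impressions that carried no verification tag."""
    imps = [imp for imp in log if imp.device == device]
    if not imps:
        return 0.0
    return sum(1 for imp in imps if not imp.verified) / len(imps)


def app_id_churn(log, threshold=APP_CHURN_THRESHOLD, window=60):
    """Return {device: app_ids} for devices that claim many app IDs in one window.

    A real device runs one app at a time; many app IDs within a minute means
    the bid requests are spoofing the app identity.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for imp in log:
        seen[imp.device][imp.ts // window].add(imp.app_id)
    flagged = {}
    for device, windows in seen.items():
        for ids in windows.values():
            if len(ids) >= threshold:
                flagged[device] = flagged.get(device, set()) | ids
    return flagged


def suspicious_devices(log):
    """Devices showing stacking or app-ID churn and almost no verification."""
    devices = {key[0] for key in stacked_slots(log)}
    devices |= set(app_id_churn(log))
    return {d for d in devices if unverified_ratio(log, d) > 0.9}


if __name__ == "__main__":
    print("stacked slots:", stacked_slots(SAMPLE_LOG))
    print("app ID churn:", app_id_churn(SAMPLE_LOG))
    print("suspicious devices:", suspicious_devices(SAMPLE_LOG))
```

On the constructed sample the clean device triggers none of the checks, while the fraudulent device is flagged on all three: 25 video impressions in one slot in one second, four app IDs in one minute, and a 100% unverified ratio. In production the thresholds would be tuned per inventory type, and the missing-verification signal is the one to watch most closely, since Vastflux removed those tags precisely because they are what advertisers' measurement vendors use to see the fraud.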

After mapping the Vastflux infrastructure, the researchers carried out several waves of targeted action between June and July 2022. These actions involved their customers, partners and the spoofed brands, each of which dealt a blow to the operation.

In response, the Vastflux operators took their command-and-control servers offline and scaled back the operation. By December 2022, Vastflux's bid requests had dropped to zero.
