A large-scale advertising fraud operation dubbed ‘Vastflux’ which has been predominantly targeting iOS users has been disrupted by security researchers at cyber-security company HUMAN.

The operation’s name was derived from the VAST ad-serving template and the “fast flux DNS” evasion technique, and was used to spoof more than 1,700 applications from 120 publishers within the Apple app store.

According to a report on the take-down by HUMAN’s team, Vastflux generated over 12 billion bid requests per day at its peak and impacted almost 11 million devices, many in Apple’s iOS ecosystem.

Malicious ad-banners

Vastflux generated bids for displaying in-app ad banners when a user executed one of the Vastflux-infected apps. If the bid won, it placed a static banner image into the affected app and injected obfuscated JavaScript into it.

The injected scripts contacted a C2 (Command and Control) server to receive an encrypted configuration payload, which included instructions on the position, size, and type of ads to be displayed, as well as data for spoofing real app and publisher IDs.

Vastflux was able to stack up to 25 video ads on top of one another, all generating ad view revenue for the criminal gang behind the malware, but none of the ads were visible to the user as they were rendered behind the active window.

VAST ad template

Developed by members of the IAB Digital Video Technical Standards Working Group, VAST (Video Ad Serving Template) offers improvements for the delivery and measurement of video advertising, including sophisticated delivery and tracking options for clients, the ability to select ads dynamically for insertion, and a more seamless experience for the viewer.

VAST Video Ad Serving Template – IABlabs

FastFlux DNS

FastFlux DNS is a technique that involves associating multiple IP addresses with a single domain name and changing out these IP addresses rapidly.

Sometimes, hundreds or even thousands of IP addresses are used with FastFlux DNS in an attempt by attackers to keep their web properties up and running, hide the true origin of their malicious activity, and stop security teams from blocking their IP addresses. This technique is also commonly used by botnets.
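One way a defender can hunt for the fast-flux behaviour described above in their own DNS logs, as an added example that is not from the HUMAN report or this post: the heuristic flags names that resolve to many distinct IPs spread over several network prefixes with short TTLs. The sample records, the thresholds, and the use of /24 prefixes as a stand-in for ASN diversity are all constructed assumptions.

```python
from collections import defaultdict

# Constructed passive-DNS style records: (seconds since start, queried name, answer IP, TTL).
# Made-up values for illustration, not data taken from the Vastflux investigation.
SAMPLE_RECORDS = [
    (0,    "ads.flux-example.test", "198.51.100.10",  60),
    (60,   "ads.flux-example.test", "198.51.100.23",  60),
    (120,  "ads.flux-example.test", "203.0.113.7",    60),
    (180,  "ads.flux-example.test", "192.0.2.44",     60),
    (240,  "ads.flux-example.test", "198.51.100.91",  60),
    (300,  "ads.flux-example.test", "203.0.113.150",  60),
    (0,    "cdn.stable-example.test", "203.0.113.5", 3600),
    (3600, "cdn.stable-example.test", "203.0.113.5", 3600),
    (7200, "cdn.stable-example.test", "203.0.113.6", 3600),
]

def slash24(ip):
    """Crude network-diversity proxy: the /24 prefix of a dotted-quad IPv4 address."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

def summarize(records):
    """Per name: distinct answer IPs, distinct /24s, lowest TTL seen and answer-to-answer changes."""
    ips, prefixes, min_ttl, changes, prev_ip = defaultdict(set), defaultdict(set), {}, defaultdict(int), {}
    for ts, name, ip, ttl in sorted(records):          # sort so changes are counted in time order
        ips[name].add(ip)
        prefixes[name].add(slash24(ip))
        min_ttl[name] = min(ttl, min_ttl.get(name, ttl))
        if name in prev_ip and prev_ip[name] != ip:
            changes[name] += 1
        prev_ip[name] = ip
    return {n: {"distinct_ips": len(ips[n]), "distinct_prefixes": len(prefixes[n]),
                "min_ttl": min_ttl[n], "answer_changes": changes[n]} for n in ips}

def fast_flux_candidates(records, min_ips=5, min_prefixes=3, max_ttl=300):
    """Flag names whose resolution pattern matches fast flux: many IPs, many prefixes, short TTL.
    Thresholds are assumptions; tune them against a baseline of known-good names (CDNs rotate too)."""
    result = summarize(records)
    for name, m in result.items():
        m["fast_flux"] = (m["distinct_ips"] >= min_ips
                          and m["distinct_prefixes"] >= min_prefixes
                          and m["min_ttl"] <= max_ttl)
    return result

if __name__ == "__main__":
    for name, m in fast_flux_candidates(SAMPLE_RECORDS).items():
        print(name, m)
```

Large CDNs also rotate answers with short TTLs, so a hit is a lead to check against ad-blocking and threat-intel lists rather than a verdict on its own.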

The takedown

Having mapped out the infrastructure for the Vastflux operation, HUMAN launched three waves of targeted action between June and July 2022, involving customers, partners, and the spoofed brands, each delivering a blow to the fraudulent activity.

Eventually, Vastflux took its C2 servers offline for a while and scaled down its operations, and on December 6, 2022, the ad bids went down to zero for the first time.

Whilst this type of attack doesn’t affect a user directly, the malvertising can cause performance degradation of an affected device, which in turn could lead to increased battery usage.

Another +1 for the pi-hole

If you followed my earlier blogs about building, configuring, and running a pi-hole, you would know that the main thing a pi-hole does is block ads.

As such, in cases like this, an affected app would not be able to load up any ads, malicious or otherwise!