Security expert dismantles spam network attacking millions of iOS devices

Researchers have discovered a huge network of fake apps running fake ads, mostly on iOS devices.
The operation, dubbed ‘Vastflux’, abuses the Video Ad Serving Template (VAST) specification and relies on a fast-flux technique, rapidly rotating IP addresses and DNS records in bulk, to hide the malicious code inside fake apps.
The HUMAN cybersecurity team discovered Vastflux while investigating another ad fraud network, finding that it generated more than 12 billion ad bid requests per day and affected more than 11 million devices, most of them running iOS.
The researchers first noticed the campaign when they came across an app that was using multiple App IDs to generate an abnormally high number of requests.
After reverse engineering the obfuscated JavaScript, they identified the primary server the app was communicating with, which sent the app commands to create ads.
From here, the researchers discovered an entire network associated with nearly 2,000 fake apps. As they explain, the malicious ads in these bad apps “stacked the entire video player, getting paid for all ads when no ads were seen by the device user.”
When Vastflux wins a bid to display an ad banner, it injects hidden JavaScript into that banner, which lets the C2 server collect the data it needs to create fake ads. Up to 25 video ads then run simultaneously while remaining invisible to the user, because they are rendered behind the active window.
The campaign also omits the ad verification tag that performance trackers need to collect metrics, which helps it evade detection by those trackers.
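The three behaviours described above (many video players rendering at once, impressions served without a verification tag, and one device reporting many App IDs) are all observable on the ad-serving side. The detector below is an added example written for this article, not code from HUMAN or from the original report; it assumes a hypothetical CSV log format, constructed inline, with one row per VAST impression event, and flags each behaviour with a simple threshold.

```python
"""Heuristic detector for Vastflux-style ad stacking in ad-serving logs.

Added example for this article; it is not code from HUMAN or from the
original report. The log format is hypothetical and constructed here:
one CSV row per VAST impression event with fields
    ts,device,app_id,player,verified
where `verified` is 1 when an ad-verification (measurement) tag was attached.
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 5           # impressions closer than this count as concurrent
MAX_CONCURRENT_PLAYERS = 3   # more simultaneous players than a screen can show
MAX_APPS_PER_WINDOW = 3      # one device claiming many app IDs at once
MIN_EVENTS_FOR_VERDICT = 4   # avoid a verdict on a handful of events

# Constructed sample data, not real traffic.
SAMPLE_LOG = """\
# ts,device,app_id,player,verified
1672531200,dev-A,com.example.weather,p1,1
1672531203,dev-A,com.example.weather,p2,1
1672531260,dev-A,com.example.weather,p1,1
1672531300,dev-A,com.example.weather,p1,1
1672531200,dev-B,com.example.flashlight,p1,0
1672531200,dev-B,com.example.flashlight,p2,0
1672531201,dev-B,com.example.flashlight,p3,0
1672531201,dev-B,com.example.flashlight,p4,0
1672531202,dev-B,com.example.flashlight,p5,0
1672531202,dev-B,com.example.flashlight,p6,0
1672531400,dev-C,com.example.game1,p1,1
1672531400,dev-C,com.example.game2,p1,1
1672531401,dev-C,com.example.game3,p1,1
1672531401,dev-C,com.example.game4,p1,1
1672531402,dev-C,com.example.game5,p1,1
"""


@dataclass(frozen=True)
class Finding:
    device: str
    app_id: str      # "*" for device-wide findings
    reason: str
    value: int


def parse_log(text):
    """Parse the constructed CSV format into (ts, device, app_id, player, verified)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, device, app_id, player, verified = line.split(",")
        events.append((int(ts), device, app_id, player, verified == "1"))
    return events


def analyze(events):
    """Return a sorted list of Findings for the three Vastflux-style signals."""
    players_in_window = defaultdict(set)   # (device, app, window) -> player ids
    apps_in_window = defaultdict(set)      # (device, window) -> app ids
    verified_flags = defaultdict(list)     # (device, app) -> [bool, ...]
    for ts, device, app_id, player, verified in events:
        window = ts // WINDOW_SECONDS
        players_in_window[(device, app_id, window)].add(player)
        apps_in_window[(device, window)].add(app_id)
        verified_flags[(device, app_id)].append(verified)

    findings = set()
    # 1. Ad stacking: many players rendering for one app in the same window.
    peak_players = defaultdict(int)
    for (device, app_id, _w), players in players_in_window.items():
        peak_players[(device, app_id)] = max(peak_players[(device, app_id)], len(players))
    for (device, app_id), n in peak_players.items():
        if n > MAX_CONCURRENT_PLAYERS:
            findings.add(Finding(device, app_id, "stacked_players", n))
    # 2. Verification tag omitted on every impression from an app.
    for (device, app_id), flags in verified_flags.items():
        if len(flags) >= MIN_EVENTS_FOR_VERDICT and not any(flags):
            findings.add(Finding(device, app_id, "no_verification_tag", len(flags)))
    # 3. One device presenting many distinct app IDs within a single window.
    peak_apps = defaultdict(int)
    for (device, _w), apps in apps_in_window.items():
        peak_apps[device] = max(peak_apps[device], len(apps))
    for device, n in peak_apps.items():
        if n > MAX_APPS_PER_WINDOW:
            findings.add(Finding(device, "*", "many_app_ids", n))
    return sorted(findings, key=lambda f: (f.device, f.app_id, f.reason))


def analyze_text(text):
    return analyze(parse_log(text))


if __name__ == "__main__":
    for f in analyze_text(SAMPLE_LOG):
        print(f"{f.device:6} {f.app_id:24} {f.reason:20} {f.value}")
```

On the constructed sample, dev-A (two players, tags present) is clean, dev-B is flagged both for six stacked players and for serving every impression without a verification tag, and dev-C is flagged for presenting five App IDs within one window. The thresholds are assumptions for illustration; in production they would be tuned per inventory type, and a missing verification tag on its own is a weak signal that should only raise a verdict in combination with the other two.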
HUMAN, with the help of its customers and of the brands being spoofed, carried out a series of targeted actions against Vastflux from June to July 2022. The C2 servers were taken offline shortly afterwards; after a period of reduced activity, the campaign’s ad bid requests fell to zero in December 2022.
While the campaign did not appear to have a major security impact on infected devices, it did cause performance issues, battery drain, and overheating in some cases.
These are typical signs of an infection, so pay attention if your device shows such symptoms. While you can’t monitor performance-related hardware usage like CPU and RAM natively on an iPhone, third-party apps can. You can also view battery usage per app in the iOS device settings, which may give some indication of a suspicious app.