Security experts take down spam network hitting millions of iOS devices

holding an iphone

Audio player loading…

Researchers have uncovered a huge network of fake apps running fake ads, mainly on iOS devices. 

The operation was named ‘Vastflux’ in reference to its use of the Video Ad Serving Template specification, as well as the fast-flux technique to change masses of IP addresses and DNS records to hide the malicious code within the fake apps. 

Cybersecurity Team HUMAN discovered Vastflux during an investigation of another ad-fraud network, finding that it generated over 12 billion ad bid requests a day and affected over 11 million devices, most of which were iOS.

TechRadar Pro needs you! (opens in new tab)
We want to build a better website for our readers, and we need your help! You can do your bit by filling out our survey (opens in new tab) and telling us your opinions and views about the tech industry in 2023. It will only take a few minutes and all your answers will be anonymous and confidential. Thank you again for helping us make TechRadar Pro even better.

D. Athow, Managing Editor

Hidden videos

The researchers were tipped off to the campaign when they stumbled across an app that was using multiple app IDs to generate an unhealthy amount of requests.

After reverse engineering the obfuscated JavaScript code, they found the main server the app was in communication with and which sent the app the ad-generating commands.

From here, the researchers uncovered the whole network, which involved nearly 2,000 fake apps. As they explained, the malvertising in these bad apps had “stacked a whole bunch of video players on top of one another, getting paid for all of the ads when none of them were visible to the person using the device.”

When it won the bids it made for displaying ad banners, Vastflux would inject the hidden JavaScript code into it. This would the C2 server to get the data needed to make the fake ad. Up to 25 videos would be running simultaneously, but remain invisible to the user as they would be displayed behind the active window.

The scheme also didn’t use ad verification tags, needed to view performance metrics, in order to avoid detection from ad-performance trackers.

HUMAN, with the help of customers and the brands who were spoofed, launched a series of targeted attacks on Vastflux between June and July 2022. The C2 servers then went offline after a while as their operations wound down, until all ad bids reached zero in December 2022.

Although the campaign did not appear to have had a major security impact on the infected devices, it did cause performance issues, battery drain and overheating in some cases.

These are typical signs of an infection, so pay heed if your notice hits like this to your device. Although you cannot monitor the usage of performance-related hardware such as CPU and RAM on an iPhone natively, there are third party apps that can. Also, you can view the battery usage on iOS under the device settings, which may give some indication to the presence of suspect apps.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button
Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.

Powered By
Best Wordpress Adblock Detecting Plugin | CHP Adblock