Malvertizing Network with 12 Billion Daily Bid Requests Taken Down

HUMAN’s Satori threat intelligence team has mapped and taken down a massive malvertizing operation they named ‘VASTFLUX.’

The operation injected malicious JavaScript code into digital banner ads within applications, allowing the fraudsters to stack numerous invisible video ad players behind one another and register ad views that generated revenue.

At its peak, VASTFLUX generated 12 billion bid requests, and over the course of its operation, it spoofed over 1,700 applications and 120 publishers, and ran inside 11 million compromised devices.

While fraudulent ads might not directly threaten the privacy and security of mobile users, they still degrade their experience, cause significant stretch on their battery consumption, and incur unnecessary data charges.

Keeping the Scheme Invisible

The goal of the VASTFLUX scheme was to inject scripts into banner ads within applications that decrypted ad configurations and contacted a command and control (C2) server to acquire further instructions like what ad to display on the hijacked banner.

Sample of decrypted configuration sent by the C2 server, defining the banner size and position
HUMAN

HUMAN’s post explains that VASTFLUX evaded detection for an extensive period of time by deploying code that prevented the discovery of the scheme, and by not using ad verification tags, indicating that the fraudsters behind this operation possess an in-depth understanding of the digital advertising ecosystem.

Multiple ads rendering in invisible windows
HUMAN

Ad verification tags are small code snippets embedded in digital ads to allow marketers to measure performance. Third-party verification companies also use them to generate metrics like

Read more

Explore the site

More from the blog

Latest News