Heimdal
article featured image

Contents:

An “expansive” adware operation that spoofs over 1,700 apps from 120 publishers and affects around 11 million devices has been stopped by researchers.

Dubbed VASTFLUX, the malvertising attack injected malicious JavaScript code into digital ad creatives and allowed threat actors to stack invisible ad videos behind one another to register ad revenue.

Details on the Malicious Campaign

The operation gets its name from the DNS evasion technique it uses, called Fast Flux, and VAST, a Digital Video Ad serving template used to deploy ads to videos.

According to The Hacker News, the clever operation placed bids for the display of ad banners specifically in the constrained in-app contexts that run adverts on iOS. If the auction is successful, the hijacked ad space is used to inject malicious JavaScript that contacts a distant server to obtain the list of targeted apps.

In order to carry out an app spoofing attack, in which a fraudulent app poses as a well-known app in an effort to dupe advertisers into bidding for the ad space, the ad includes bundle IDs of legitimate apps. The threat actors’ objective was to stack 25 video ads atop one another and register views for revenues. New ads keep loading until the ad slot is closed.

VASTFLUX, which peaked at over 12 billion bid requests per day, is just the most recent in a line of ad fraud botnets to be taken down in recent years, including Methbot, PARETO, and 3ve.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Author Profile

Cristian Neagu

CONTENT EDITOR

linkedin icon

Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE