Security Experts:

Connect with us

Hi, what are you looking for?



Sophisticated ‘VastFlux’ Ad Fraud Scheme That Spoofed 1,700 Apps Disrupted

A digital ad fraud scheme dubbed “VastFlux” spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.

A sophisticated ad fraud scheme that spoofed over 1,700 applications and 120 publishers peaked at 12 billion ad requests per day before being taken down, bot attack prevention firm Human says.

Dubbed VastFlux, the scheme relied on JavaScript code injected into digital ad creatives, which resulted in fake ads being stacked behind one another to generate revenue for the fraudsters. More than 11 million devices were impacted in the scheme.

The JavaScript code used by the fraudsters allowed them to stack multiple video players on top of one another, generating ad revenue when, in fact, the user was never shown the ads.

VastFlux, Human says, was an adaptation of an ad fraud scheme identified in 2020, targeting in-app environments that run ads, especially on iOS, and deploying code that allowed the fraudsters to evade ad verification tags.

At the first step of the fraudulent operation, an application would contact its primary supply-side partner (SSP) network to request a banner ad to be displayed.

Demand-side partners (DSPs) would place bids for the slot and, if the winner was VastFlux-connected, several scripts would be injected while a static banner image was placed in the slot.

The injected scripts would decrypt the ad configurations, which included a player hidden behind the banner and parameters for additional video players to be stacked. The script would also call to the command-and-control (C&C) server to request details on what to be displayed behind the banner.

The received instructions include both a publisher ID and an app ID that VastFlux would spoof. The size of the ads would also be spoofed and only certain third-party advertising tags were allowed to run inside the hidden video player stack.

What Human discovered was that as many as 25 ads could be stacked on top of one another, with the fraudsters receiving payment for all of them, although none would be shown to the user.

Additionally, the cybersecurity firm noticed that new ads would be loaded until the ad slot with the malicious ad code was closed.

“It’s in this capacity that VastFlux behaves most like a botnet; when an ad slot is hijacked, it renders sequences of ads the user can’t see or interact with,” Human notes.

From late June into July 2022, Human attempted to take down the scheme using three mitigation actions, which eventually resulted in the VastFlux traffic being reduced by more than 92%.

The cybersecurity firm says it has identified the fraudsters and worked with the victim organizations to mitigate the fraud, which resulted in the threat actors shutting down their C&C servers.

“As of December 6th, bid requests associated with VastFlux, which reached a peak of 12 billion requests per day, are now at zero,” Human says.

Related: Google, Apple Remove ‘Scylla’ Mobile Ad Fraud Apps After 13 Million Downloads

Related: US Recovers $15 Million From Ad Fraud Group

Related: Ad Fraud Operation Accounted for Large Amount of Connected TV Traffic

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack