Security experts take down spam network hitting millions of iOS devices

holding an iphone
(Image credit: Shutterstock)

Researchers have uncovered a huge network of fake apps running fake ads, mainly on iOS devices. 

The operation was named 'Vastflux' in reference to its use of the Video Ad Serving Template specification, as well as the fast-flux technique to change masses of IP addresses and DNS records to hide the malicious code within the fake apps. 

Cybersecurity Team HUMAN discovered Vastflux during an investigation of another ad-fraud network, finding that it generated over 12 billion ad bid requests a day and affected over 11 million devices, most of which were iOS.

TechRadar Pro needs you!
We want to build a better website for our readers, and we need your help! You can do your bit by filling out our survey and telling us your opinions and views about the tech industry in 2023. It will only take a few minutes and all your answers will be anonymous and confidential. Thank you again for helping us make TechRadar Pro even better.

D. Athow, Managing Editor

Hidden videos

The researchers were tipped off to the campaign when they stumbled across an app that was using multiple app IDs to generate an unhealthy amount of requests.

After reverse engineering the obfuscated JavaScript code, they found the main server the app was in communication with and which sent the app the ad-generating commands.

From here, the researchers uncovered the whole network, which involved nearly 2,000 fake apps. As they explained, the malvertising in these bad apps had "stacked a whole bunch of video players on top of one another, getting paid for all of the ads when none of them were visible to the person using the device."

When it won the bids it made for displaying ad banners, Vastflux would inject the hidden JavaScript code into it. This would the C2 server to get the data needed to make the fake ad. Up to 25 videos would be running simultaneously, but remain invisible to the user as they would be displayed behind the active window.

The scheme also didn't use ad verification tags, needed to view performance metrics, in order to avoid detection from ad-performance trackers.

HUMAN, with the help of customers and the brands who were spoofed, launched a series of targeted attacks on Vastflux between June and July 2022. The C2 servers then went offline after a while as their operations wound down, until all ad bids reached zero in December 2022.

Although the campaign did not appear to have had a major security impact on the infected devices, it did cause performance issues, battery drain and overheating in some cases.

These are typical signs of an infection, so pay heed if your notice hits like this to your device. Although you cannot monitor the usage of performance-related hardware such as CPU and RAM on an iPhone natively, there are third party apps that can. Also, you can view the battery usage on iOS under the device settings, which may give some indication to the presence of suspect apps.

Lewis Maddison
Staff Writer

Lewis Maddison is a Staff Writer at TechRadar Pro. His area of expertise is online security and protection, which includes tools and software such as password managers. 

His coverage also focuses on the usage habits of technology in both personal and professional settings - particularly its relation to social and cultural issues - and revels in uncovering stories that might not otherwise see the light of day.

He has a BA in Philosophy from the University of London, with a year spent studying abroad in the sunny climes of Malta.