Security experts take down spam network hitting millions of iOS devices

holding an iphone
(Image credit: Shutterstock)

Researchers have uncovered a huge network of fake apps running fake ads, mainly on iOS devices. 

The operation was named 'Vastflux' in reference to its use of the Video Ad Serving Template specification, as well as the fast-flux technique to change masses of IP addresses and DNS records to hide the malicious code within the fake apps. 

Cybersecurity Team HUMAN discovered Vastflux during an investigation of another ad-fraud network, finding that it generated over 12 billion ad bid requests a day and affected over 11 million devices, most of which were iOS.

TechRadar Pro needs you!
We want to build a better website for our readers, and we need your help! You can do your bit by filling out our survey and telling us your opinions and views about the tech industry in 2023. It will only take a few minutes and all your answers will be anonymous and confidential. Thank you again for helping us make TechRadar Pro even better.

D. Athow, Managing Editor

Hidden videos

The researchers were tipped off to the campaign when they stumbled across an app that was using multiple app IDs to generate an unhealthy amount of requests.

After reverse engineering the obfuscated JavaScript code, they found the main server the app was in communication with and which sent the app the ad-generating commands.

From here, the researchers uncovered the whole network, which involved nearly 2,000 fake apps. As they explained, the malvertising in these bad apps had "stacked a whole bunch of video players on top of one another, getting paid for all of the ads when none of them were visible to the person using the device."

When it won the bids it made for displaying ad banners, Vastflux would inject the hidden JavaScript code into it. This would the C2 server to get the data needed to make the fake ad. Up to 25 videos would be running simultaneously, but remain invisible to the user as they would be displayed behind the active window.

The scheme also didn't use ad verification tags, needed to view performance metrics, in order to avoid detection from ad-performance trackers.

HUMAN, with the help of customers and the brands who were spoofed, launched a series of targeted attacks on Vastflux between June and July 2022. The C2 servers then went offline after a while as their operations wound down, until all ad bids reached zero in December 2022.

Although the campaign did not appear to have had a major security impact on the infected devices, it did cause performance issues, battery drain and overheating in some cases.

These are typical signs of an infection, so pay heed if your notice hits like this to your device. Although you cannot monitor the usage of performance-related hardware such as CPU and RAM on an iPhone natively, there are third party apps that can. Also, you can view the battery usage on iOS under the device settings, which may give some indication to the presence of suspect apps.

Lewis Maddison
Reviews Writer

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.