"A Sneaky Ad Scam Tore Through 11 Million Phones"
Researchers have uncovered a new, massive attack on the Internet advertising ecosystem that has affected millions of users, robbed hundreds of companies, and may have garnered substantial money for its perpetrators. The attack, called Vastflux, was identified by researchers at Human Security, a company that analyzes fraud and bot activity. The attackers, who have impersonated 1,700 apps and targeted 120 publishers, impacted 11 million mobile devices. At their peak, the attackers made 12 billion requests for advertisements per day. The attackers would target popular apps and attempt to purchase advertising space within them. Once the Vastflux operators won an auction for an advertisement, they would embed malicious JavaScript code into the advertisement to covertly stack many video advertisements. The attackers were able to hijack the advertising system so that when a phone displayed an advertisement within an affected app, it actually included up to 25 advertisements stacked on top of one another. The attackers would get paid for each advertisement, while the user would see only one advertisement on their phone. However, the phone's battery would deplete more quickly than usual as a result of all the advertisements. This article continues to discuss the Vastflux scam involving 1,700 spoofed apps, 120 targeted publishers, and billions of false advertisement requests per day.
Wired reports "A Sneaky Ad Scam Tore Through 11 Million Phones"