Security experts take down spam network hitting millions of iOS devices

(Image credit: Shutterstock)

Researchers have uncovered a huge network of fake apps running fake ads, mainly on iOS devices.

The operation was named 'Vastflux' in reference to its use of the Video Ad Serving Template specification, as well as the fast-flux technique to change masses of IP addresses and DNS records to hide the malicious code within the fake apps.

Cybersecurity Team HUMAN discovered Vastflux during an investigation of another ad-fraud network, finding that it generated over 12 billion ad bid requests a day and affected over 11 million devices, most of which were iOS.

Hidden videos

The researchers were tipped off to the campaign when they stumbled across an app that was using multiple app IDs to generate an unhealthy amount of requests.

After reverse engineering the obfuscated JavaScript code, they found the main server the app was in communication with and which sent the app the ad-generating commands.

From here, the researchers uncovered the whole network, which involved nearly 2,000 fake apps. As they explained, the malvertising in these bad apps had "stacked a whole bunch of video players on top of one another, getting paid for all of the ads when none of them were visible to the person using the device."

> This dangerous malvertising campaign mimicks popular software to steal victim info

> This malvertising campaign has hit over a million Google Chrome users

> Fake ChatGPT apps are everywhere on Android and iOS app stores

When it won the bids it made for displaying ad banners, Vastflux would inject the hidden JavaScript code into it. This would the C2 server to get the data needed to make the fake ad. Up to 25 videos would be running simultaneously, but remain invisible to the user as they would be displayed behind the active window.

The scheme also didn't use ad verification tags, needed to view performance metrics, in order to avoid detection from ad-performance trackers.

HUMAN, with the help of customers and the brands who were spoofed, launched a series of targeted attacks on Vastflux between June and July 2022. The C2 servers then went offline after a while as their operations wound down, until all ad bids reached zero in December 2022.

Although the campaign did not appear to have had a major security impact on the infected devices, it did cause performance issues, battery drain and overheating in some cases.

These are typical signs of an infection, so pay heed if your notice hits like this to your device. Although you cannot monitor the usage of performance-related hardware such as CPU and RAM on an iPhone natively, there are third party apps that can. Also, you can view the battery usage on iOS under the device settings, which may give some indication to the presence of suspect apps.

Worried you might be infected? Here are the best iPhone antivirus apps

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.