Your phone might have been used in a huge money making ad scam

According to Wired, 11 million phones were attacked by an ad-fraud scheme called Vastflux which spoofed 1,700 apps and targeted 120 publishers. At the peak of the scam, the attackers were making requests for 12 billion ads per day. Marion Habiby, a data scientist with Human Security, the firm that discovered the attack, called it one of the largest and most organized her firm had ever seen.

"When I first got the results for the volume of the attack, I had to run the numbers multiple times," Habiby said, "It is clear the bad actors were well organized and went to great lengths to avoid detection, making sure the attack would run as long as possible—making as much money as possible." The fraud was first detected last year and the group behind the attacks, which Human Security will not name yet due to ongoing investigations, started the process by buying one single ad slot from popular apps.

As Habiby notes, "They were not trying to hijack an entire phone or an entire app, they were literally going through one ad slot." But once it won the auction for the ad site, the attackers placed malicious JavaScript code into the ad which resulted in the stacking of multiple video ads. So while your phone was showing a single advertisement, the scammers were getting paid for serving up to 25 ads. And one of the few signs that you might see telling you that something was amiss was the rapidly draining battery on your phone (more on this below).

Once the ad stopped playing, the attack ended making it almost impossible to discover the fraud. Habiby says that iOS devices were impacted the most but some Android handsets were also used in this scam. And because the attack occurred on legitimate apps using a legitimate advertising platform, phone owners really couldn't do anything to prevent it from happening. After all, consumers' handsets were only the conduit for the scam and consumers themselves didn't suffer any financial hit.

Human Security's Zach Edwards, a senior manager of threat insights at the firm, points out that advertising companies and apps that show ads were the damaged parties. The attack would spoof (copy) the ad details of 1,700 apps to make it appear as though ads were shown on more than just one app. After all, requesting 25 ads to be played simultaneously on one phone would have raised questions. Ads were also modified to limit tags so that the scam could not be discovered.

Google spokesperson Michael Aciman told Wired, "Our team thoroughly evaluated the report’s findings and took prompt enforcement action." He also stated that Google has strict policies against "invalid traffic." He also pointed out that there was limited exposure to Vastflux on Google's networks.

A concerted effort to stop Vastflux last summer resulted in a sharp drop off in ad requests to less than a billion per day. Human Security said in a blog post, "We identified the bad actors behind the operation and worked closely with abused organizations to mitigate the fraud."

The good news is that the group involved in the ad scam unplugged its servers last month and no activity from Vastflux has been spotted since. Individual phone owners will have a hard time determining if their phone is being used for such an ad scam because a rapidly draining battery could be the symptom of a legitimate bug.

Other red flags, such as unexplained jumps in data usage, having the phone's screen turn on at random times, seeing the performance of an app slow down suddenly, or spotting an app crashing frequently, might be better signs warning you that your phone is part of an ad scam.

The last word on Vastflux comes from Matthew Katz, head of marketplace quality at ad tech firm FreeWheel, a Comcast-owned outfit. The company was involved in the investigation which gives Katz a unique view of the whole scam. "Vastflux was an especially complicated scheme," he said.