How the Vastflux Mobile Ad Scam Generated 12 Billion Fake Transactions per Day

Vastflux is a fraud that generated income by serving adverts to mobile devices although no person was viewing them. It relies on mobile malware and has been described as a ‘malvertising’ attack.  The name of Vastflux was coined by Human Security Inc, the consultancy which took down the Vastflux attacks. It is a combination of ‘fast flux’, an evasion technique used by cybercriminals, and VAST, the Digital Video Ad Serving Template that was abused in the attacks.

I’m a fraud guy, so when I started working in mobile telecoms there was a whole new world of technology I had to learn.  I didn’t have much to do with mobile advertising and whilst I was aware of click fraud, it wasn’t an area I knew much about.  However, I found the recent Vastflux story fascinating and wanted to share it for anyone who may have missed it.

Matryoshka: The Mother of Vastflux

Human said that Vastflux was an apparent adaptation of an earlier ad fraud scheme known as Matryoshka, which is also the name of the Russian dolls that can be stacked inside each other. Forbes reported in 2020 how Matryoshka stole both advertisers’ dollars and users’ private data, mostly in the United States.  For those unfamiliar with mobile ad fraud, here’s a simple version of how it worked:

  1. On an iPhone, the scammers inject an ad with a payload of malicious computer code into an ad on the iFunny app.
  2. The code executes, gathering personal information on users and devices.
  3. The code saves that data to a server controlled by the fraudsters.
  4. The code also gets “dozens to hundreds” of video ad serving template tags (essentially, requests to run a video ad from an advertiser) from the fraudster-controlled remote server.
  5. The code then executes those ad requests “hundreds or even thousands of times,” essentially faking ad views.
  6. Advertisers are essentially told their ads ran on a legitimate app and were viewable by real people.
  7. The scammers collect millions of dollars for the fake ad views.

Pixalate, a business that specializes in preventing and investigating advertising fraud, took credit for exposing the Matryoshka mobile ad fraud scheme. They said Matryoshka had…

…impacted at least two million iOS and Android users, with well in excess of $10 million siphoned from advertisers in 2020…

Vastflux: The Child Outgrows the Parent

The losses caused by Matryoshka were significant, but Vastflux’s impact was considerably larger. According to Human, Vastflux was responsible for:

  • More than 12 billion fraudulent ad requests per day
  • Nearly 11 million devices received ads using apps affected by Vastflux
  • More than 1,700 apps were spoofed
  • Over 120 publishers were spoofed

Human notes that…

in general, ads that run within apps pass less information to verification providers than ads that run on pages visited within a web browser. That information gap is appealing to fraudsters: they may target advertising opportunities that run in these more restricted environments with the hope that it will take longer for their scheme to be spotted and stopped…

In the test lab, only one app was running on the device, but dozens of bid requests with varying app IDs were being recorded, and this was happening on the device every few seconds.

The first step in the ad process is for a targeted app to reach out to its primary supply-side partner network for a banner ad to be displayed within the app. Several demand-side partners then place a bid for the ad slot. If the winning bid is connected to Vastflux then the purchasing/bidding ad server will place a static banner image in the slot and inject several scripts.  This is where it gets clever.  The injected scripts decrypt the ad configurations, place a static banner image and hide a video ad player hidden behind the banner image.  The script then calls home to a command-and-control server which provides an ad playlist which can stack as many as 25 ads on top of one another. Revenue is generated for all of the stacked video ads, although none are actually shown to the phone user.

According to Human, the actors behind Vastflux have an intimate understanding of the digital advertising ecosystem as they included code which allowed it to evade advert verification tags, and therefore helped prevent detection of the scheme.

Human Cooperation Defeats the Malware Machines

There have reportedly been no Vastflux ad requests since December 6. Human says this result was accomplished by working closely with customers and partners to get additional insight into traffic volumes and identify the sources of the attack.  From those first hijacked impressions in the test lab, the team reverse-engineered the attack, uncovering obfuscated JavaScript and detailing all of the ad servers connected to the scheme.

From late June into July, Human says it carried out three distinct mitigation responses.  The first cut Vastflux traffic dramatically, but, as in many other cases, the attackers adapted. The second, only a few days after the first, delivered a 92% reduction from the operation’s peak. Their third mitigation further impaired activity and resulted in the bad actors going quiet and taking down the servers that powered Vastflux.

A detailed description of Vastflux and how it was defeated is available here.


It should be part of the job description for fraud managers to stay up to date with fraud in mobile ecosystems, but its particularly important to understand the ingenuity and scale of this attack.  It’s a great example to consider in relation to your fraud risk assessment and invaluable for demonstrating to management that 12 billion fake transactions per day is not a theoretical risk.

David Morrow
David Morrow
Dave has 35 years of law enforcement, investigation and fraud management experience including multiple international assignments. He is a recognised telecoms fraud expert and for a number of years chaired the GSMA workgroup responsible for Security & Fraud Risk Assessments.

Dave now provides fraud management support as an independent consultant.