11 million phones were victimized by a cunning ad scam.
Online ads pop up whenever we open an app, and it is impressive how AI does this: it knows what we need, and we immediately buy it even though we hadn't planned to. Not all online ads are meant to offer you a service or the right product, though; some are used to get your information and take advantage of it to scam you.
Security researchers discovered a new widespread attack on the online advertising ecosystem that has impacted millions of people, defrauded hundreds of businesses, and may have resulted in significant profits for its creators. The Vastflux attack was discovered by researchers at Human Security, a firm that focuses on fraud and bot activity.
The attackers spoofed 1,700 apps and targeted 120 publishers impacting 11 million phones. At their peak, the attackers were making 12 billion ad requests per day. Vastflux was discovered by Human Security researcher Vikas Parthasarathy in the summer of 2022 while investigating another threat.
According to Habiby, carrying out the fraud required several steps, and the perpetrators took a variety of precautions to avoid detection. Simply put, the attackers were able to exploit the advertising system in such a way that when a phone displayed an ad within an affected app, up to 25 ads would be displayed on top of each other. Each ad would be paid for by the attackers, and you would only see one on your phone. However, as it processed all of the fraudulent ads, your phone battery would drain faster than usual.
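From a defender's side, the stacking described above shows up as many ads playing at the same moment in a single ad slot. The following is an added example, not code from Human Security or from the original article, that finds such slots in an impression log; the log schema, field names and sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log (hypothetical schema): one row per rendered ad,
# with playback start/end in seconds.
SAMPLE_IMPRESSIONS = [
    # Normal slot: two ads played back to back, never at the same time.
    {"device": "dev-A", "app": "app.example.one", "slot": "banner-1", "start": 0, "end": 30},
    {"device": "dev-A", "app": "app.example.one", "slot": "banner-1", "start": 30, "end": 60},
    # Malformed row (end before start); it must be ignored, not counted.
    {"device": "dev-A", "app": "app.example.one", "slot": "banner-1", "start": 90, "end": 80},
] + [
    # Stacked slot: 25 ads whose playback windows all overlap.
    {"device": "dev-B", "app": "app.example.two", "slot": "video-1", "start": 100 + i, "end": 130}
    for i in range(25)
]


def peak_concurrency(intervals):
    """Return the largest number of intervals active at any one instant."""
    events = []
    for start, end in intervals:
        events.append((start, 1))   # an ad starts playing
        events.append((end, -1))    # an ad stops playing
    # At equal timestamps the -1 sorts first, so an ad that starts exactly
    # when the previous one ends is not counted as overlapping it.
    events.sort()
    peak = current = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def find_stacked_slots(impressions, max_expected=1):
    """Map (device, app, slot) -> peak concurrent ads, for slots above max_expected."""
    by_slot = defaultdict(list)
    for imp in impressions:
        if imp["end"] <= imp["start"]:
            continue  # skip malformed or zero-length rows
        key = (imp["device"], imp["app"], imp["slot"])
        by_slot[key].append((imp["start"], imp["end"]))
    findings = {}
    for key, intervals in by_slot.items():
        peak = peak_concurrency(intervals)
        if peak > max_expected:
            findings[key] = peak
    return findings


if __name__ == "__main__":
    for slot, peak in find_stacked_slots(SAMPLE_IMPRESSIONS).items():
        print(slot, "peak concurrent ads:", peak)
```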
The researchers, citing ongoing investigations, refused to reveal who might be behind Vastflux or how much money they might have made. They claim to have seen the same criminals running advertising fraud operations as far back as 2020. In that case, the ad fraud scheme was allegedly targeting US swing states and collecting user data.