Wired: A Sneaky Ad Scam Tore Through 11 Million Phones, Mostly iOS Too


Online and mobile advertising is a complex, often murky business. But it generates piles of money for those involved. Every day billions of ads are placed on websites and in apps—advertisers or ad networks pay to have their ads displayed and make money when people click on them or see them—and much of this is done as you open a website or an app.

Vastflux was first detected by Human Security researcher Vikas Parthasarathy in the summer of 2022 while he was investigating a different threat. Habiby says operating the fraud involved multiple steps, and the attackers behind it took a range of measures to avoid being caught out.

First, the group behind the attack—which Human Security hasn’t named due to ongoing investigations—would target popular apps and try to buy an advertising slot within them. “They were not trying to hijack an entire phone, or an entire app, they were literally going through one ad slot,” Habiby says.