Ad Fraud in apps
source: own elaboration
Mobile applications are an increasingly popular marketing channel, but unfortunately, they aren’t Ad Fraud free. A study by TrafficGuard and Juniper found that one in 13 app installs worldwide is fraudulent (7.7%), and data from Interceptd reports that 31% of iOS app installs and 25% of Android app installs are fraudulent. Juniper Research Statistics reports that App Install Farms and SDK Spoofing are the most common forms of ad fraud and are responsible for 42% of all ad fraud.
Advertising scams by application category and mobile operating system
Mobile ad fraud detection and prevention company - Interceptd found in their 2019 Report that Android has a slightly higher rate of digital ad fraud than iOS with 31% and 25% of fake installs respectively. In the same report, you can also find information on which categories of applications are more susceptible to fraud (indicated as the percentage of fraudulent installations in relation to all installations). In the case of Android, the finance category turned out to be the most vulnerable to fraud (38%), followed by games (37%), travel (34%), social media (33%) and shopping (33%). When it comes to iOS, it was respectively shopping (32.9%), games (30.3%), finance (28.8%) and travel (21.2%).
Types of frauds that we can encounter when advertising in mobile applications
In-app advertising fraud can be done in many ways. The most popular of these are: using real devices to scam and turn them into a BOTnet (a scammer exercising remote control over a whole group of devices infected with malware), running background scams on real devices so that their owners are not aware of it, or creating counterfeit devices and using them to generate invalid traffic. As for the specific types of app-related Ad Fraud, we’ll discuss the most common ones below:
- Installation Farms
- App Spoofing
- SDK Spoofing
- Device Spoofing
- Localization spoofing
- Other app scams
According to BusinessofApps, in 2018, application install farms contributed to 42% of all ad fraud. The principle of their operation is similar to click, views or likes farms - low-paid employees install applications on a massive scale - either using multiple devices or by installing many applications on one device.
Apps respond to the advertiser’s request by sending a string of information to the source. In addition to the name of the application, publisher or domain, each operating system also uses a unique identifier to identify each application: Android uses „packages” with specific names such as com.example.app, while iOS uses numeric identifiers.
A technique called app spoofing (also known as app misrepresentation or app laundering) is where a scammer spoofs information about their app. As a result, traffic from one app is misrepresented as traffic from another, often much more recognizable. This allows the scammers to hide their activities, which can make it harder to identify and blacklist their apps, but also mislead advertisers by pretending to be a well-known, high-value program and earning higher bids as a result. App spoofing has been central to several large-scale ad scams, including those discovered by Pixalate - Matryoshka and Megacast.
SDK (Software Development Kit) Spoofing is a more sophisticated advertising fraud. The scammer first discovers (often by trial and error) how the various app SDKs transmit installation and attribution data, and then uses obtained information to signal that the device has successfully installed the app when in fact nothing like that happened. Most often, such fake installations are created using data from real devices, which makes fraud detection even more difficult. So scammers use existing, legitimate hardware to make app installs look real when in fact they are fake.
Using a technique called device spoofing, a rogue app spoofs or misrepresents hardware information. Scammers can use Device Spoofing both to make it difficult to identify their own devices and to trick advertisers offering higher rates for certain types of devices (as in the case of App Spoofing). Of course, this form of fraud can also be used for all kinds of frauds that pretend to be real traffic, in which case both the event itself (click, download, display, etc.) as well as the device and its location are fake, and all information about them will most likely be generated by malicious BOTs.
This type of fraud will be analogous to App and Device Spoofing, with the difference that they won’t falsify data regarding the name of the application or the device itself, but its location. Again, the publisher may want to protect its own geographic location and provide false information about it, or receive higher rates for pretending to be a different, better paid location.
Today’s app ecosystem is largely self-regulating. This is possible thanks to the certification used by app stores, the visible number of downloads and transparent ratings. This makes brands place a lot of trust in apps that perform well in these areas. Unfortunately, the truth is that not all apps maintain high standards. For example, they might use affiliate networks to generate fake installs and then give themselves fake reviews to make themselves look more desirable. In some cases, application developers themselves may not know or turn a blind eye to the fact that users (or part of them) are fake. It also happens that applications don’t behave exactly the same for each user all the time - a fraudster can design applications in such a way that fraud is carried out only in a certain part of the application’s scope of operation - such practices can be difficult to catch, especially since such a „legally” operating application won’t be suspected at the beginning.