Navigating Mobile Ad Fraud: Unraveling Fraudulent Practices | Mobio Group
Along with other pressing issues such as declining support for third-party cookies and the spread of fake news, the digital mobile industry faces a serious challenge in the form of growing mobile ad fraud. This problem affects app owners around the world, who invest billions of dollars annually to combat mobile fraud.
Analytics services publish alarming figures: compared to the same period last year, January 2023 showed a 76% increase in install fraud on iOS and a 154% increase in post-attribution fraud on Android (AppsFlyer report).
There are many types of fraud in the mobile sphere, but all of them have the same goal: to profit by manipulating attribution and artificially inflating paid actions (clicks, impressions and conversions). Fraudsters use a variety of tactics to manipulate installs and impressions, tricking advertisers and ad networks into paying for illegal actions. They may use bot farms or spread malware, ultimately redistributing the advertising budget into their pockets. The clicks and downloads they generate do not result in any real revenue.
However, the consequences go beyond the immediate financial loss. According to Statista, fraud is among the top reasons advertisers downgrade or suspend their advertising partners.
Artificially inflated metrics derived from mobile ad fraud are also a big problem, because they can mislead entrepreneurs and app owners into making unwarranted business decisions. Relying on fraudulent data can have detrimental long-term effects and hinder sustainable growth. It is critical for the digital marketplace to address this issue and develop robust countermeasures to protect mobile ads and apps from fraud.
Types of Fraud in Mobile Ads
To track misconduct in apps, control the course of an advertising campaign, and successfully counter the actions of fraudsters, you need to be aware of the ways in which they cause financial and reputational damage to both app owners and ad networks. Fraudsters have many methods of inflicting damage, and new techniques constantly emerge for which no protection has yet been modeled.
We can distinguish the main types of mobile fraud:
- Click Fraud
- Install Fraud
- Attribution Fraud and SDK Tampering
- Display Ad Fraud
These common forms of mobile ad fraud create serious problems for advertisers and undermine the effectiveness of advertising campaigns. Most commonly used are Click Farms and Bots.
• Click Farms
Click Farms, also known as Device Farms, are physical locations where real mobile devices are used for fraudulent activities. These farms use either low-cost workers or automated machines to install advertisers’ apps and interact with ads. The main goal of click farms is to target campaigns in regions with high payouts. To avoid detection, they use various techniques such as manipulating IP addresses using VPN software and proxy servers. In addition, they often hide their activities by using ad tracking restrictions and resetting device IDs. This allows them to mask their fraudulent operations and continue to generate illegal clicks and interactions.
• Bots
Bots, broadly speaking, are autonomous software designed to perform specific tasks online. While bots were originally able to perform only the simplest of functions, their capabilities have now expanded to encompass both beneficial and harmful activity. Although human participation still dominates, the prevalence of bot traffic continues to grow.
In mobile ad fraud, bots can operate from genuine mobile devices or from servers, skillfully impersonating legitimate users, engaging in activities such as clicking on mobile ads, installing apps, and interacting within apps. Server bots use emulators — software designed to replicate the functions of devices, allowing them to accurately mimic genuine user behavior.
Another variant of bots manifests itself as malware residing on users’ devices. This malware aims to create fake ad impressions, fraudulent clicks, and unauthorized in-app actions, sometimes even leading to fraudulent in-app purchases without the user’s knowledge.
In mobile apps, bots account for more than 70% of fraud in all regions except the Middle East and North Africa (MENA), where they account for 68% (on both Android and iOS).
Let’s look at each type of fraud in more detail. Note that some fraud methods may fall into more than one category because they involve different fraudulent activities.
Click Fraud
This type of fraud involves the deliberate act of creating fake clicks in order to increase the attackers’ revenue (in the case of ad networks or publishers) or to deplete the advertising budgets of pay-per-click campaigns (PPC, CPC, CPI, and so on). Common methods for click fraud include:
☑ Click Injection
This is a practice in mobile ads in which a click simulation is run before the app is fully installed to attribute the click to a fraudulent source. To perform this action, fraudsters often use dormant “junk apps” residing on users’ devices that are waiting to be activated by an install broadcast. These dormant apps awaken and spring into action, taking control of the user’s device and generating a click, effectively taking credit for an organic install or even an install initiated by another legitimate network.
☑ Click Hijacking
This is the hijacking of a genuine click and subsequent installation through the deceptive practice of sending a duplicate click report from a competing network. Most commonly used is malware surreptitiously embedded in applications obtained from third-party app stores or pretending to be legitimate. Once a legitimate click is detected, the malware initiates a false click report from a competing network, effectively hijacking it and appropriating all subsequent installs. Whereas Click Injection focuses on injecting fraudulent clicks before an application is installed, Click Hijacking focuses on intercepting legitimate clicks and generating false click reports to capture attribution.
☑ Click redirection (Auto redirects)
☑ Click flooding
This is another form of mobile ad fraud that involves generating an excessive number of fake clicks within a short period of time. This method differs from click redirection, click hijacking and click injection in terms of execution and objectives and focuses on artificially inflating the number of clicks. Click flooding attacks generate a large number of clicks but do not result in actual installs or desired actions. In Click flooding scenarios, the time from click to install can exhibit unusual patterns such as prolonged CTITs or abnormally low conversion rates. Click flooding scammers manipulate attribution patterns by artificially inflating touchpoints to gain undeserved credit.
☑ Duplicate IP
Duplicate IP fraud falls into a broader category of click fraud than click redirection, click hijacking, click injection, and click flooding. In this scheme, fraudsters manipulate clicks or attribution data so that multiple clicks or actions are logged from the same IP address within a short period of time. Working through bots or a network of devices behind a duplicate IP address, fraudsters simulate more clicks and actions, making it appear that the interaction is coming from different users.
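The signals described above for click injection, click flooding and duplicate IP can be checked directly against a click log. The following is an added example, not code from Mobio Group; the record layout, the source names and every threshold are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from statistics import median

# Illustrative thresholds (assumptions; tune against your own baseline).
MIN_CLICKS = 100      # only judge flooding on sources with enough volume
MIN_CVR = 0.01        # click-to-install rate below this is abnormally low
LONG_CTIT = 6 * 3600  # median click-to-install time (s) counted as prolonged
SHORT_CTIT = 10       # median CTIT (s) this short suggests click injection
IP_WINDOW = 60        # seconds
IP_MAX_CLICKS = 5     # clicks tolerated per IP inside IP_WINDOW

def build_sample():
    """Constructed click log: (source, ip, click_ts, install_ts or None)."""
    log = []
    for i in range(20):    # net_a: ordinary traffic, CTIT of 90 s
        t = 1000 + i * 600
        log.append(("net_a", f"198.51.100.{i}", t, t + 90 if i % 5 == 0 else None))
    for i in range(500):   # net_b: many clicks, two installs 9 h later
        t = i * 10
        log.append(("net_b", f"203.0.113.{i % 250}", t, t + 9 * 3600 if i in (3, 250) else None))
    for i in range(8):     # net_c: eight clicks from one IP in 35 s
        log.append(("net_c", "192.0.2.7", 5000 + i * 5, None))
    for i in range(6):     # net_d: every install lands 3 s after its click
        log.append(("net_d", f"198.51.100.{100 + i}", 9000 + i * 900, 9003 + i * 900))
    return log

def analyze(log):
    """Return {source: sorted fraud indicators} for the sources that trip a rule."""
    by_source = defaultdict(list)
    for rec in log:
        by_source[rec[0]].append(rec)
    findings = defaultdict(set)
    for source, recs in by_source.items():
        ctits = [inst - ts for _, _, ts, inst in recs if inst is not None]
        cvr = len(ctits) / len(recs)
        # median() is only reached when cvr >= MIN_CVR, so ctits is non-empty
        if len(recs) >= MIN_CLICKS and (cvr < MIN_CVR or median(ctits) > LONG_CTIT):
            findings[source].add("click_flooding")
        if ctits and median(ctits) < SHORT_CTIT:
            findings[source].add("click_injection")
        per_ip = defaultdict(list)
        for _, ip, ts, _ in recs:
            per_ip[ip].append(ts)
        for stamps in map(sorted, per_ip.values()):
            # more than IP_MAX_CLICKS clicks from one IP inside IP_WINDOW seconds
            if any(b - a <= IP_WINDOW for a, b in zip(stamps, stamps[IP_MAX_CLICKS:])):
                findings[source].add("duplicate_ip")
    return {s: sorted(f) for s, f in findings.items()}
```
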
Install Fraud
Installation fraud refers to actions designed to artificially increase the number of installed applications. Fraudsters use various methods to manipulate installation data, tricking advertisers and ad networks into paying for those that are not the result of actual user interest or participation. Device Farms and emulators are used to manipulate installation data and deceive attribution systems and advertisers. The main methods commonly associated with installation fraud are:
Device ID reset fraud. This method manipulates the unique identification numbers associated with mobile devices (IDs). Fraudsters reset or change device IDs to create the illusion of multiple installations from different devices, thereby inflating the number of installations. This allows them to leverage ad networks and attribution platforms because their fraudulent activities appear genuine and are difficult to distinguish from normal installs.
App Spoofing. App spoofing involves creating fake versions of popular apps. Scammers disguise their apps as real apps, tricking users into installing them. These fake apps contain malicious elements or hidden adware that generates fraudulent clicks, impressions, or interactions within the app, ultimately benefiting the fraudsters at the expense of advertisers and genuine owners.
Also through spoofing, the fraudulent app falsifies or misrepresents the app information sent in the bid request. This allows fraudsters to portray apps with high value by artificially inflating the price per thousand impressions (CPM) and thereby misleading ad networks and demand sources. In a similar vein, Location spoofing is often used, which not only helps fraudsters avoid detection, but also allows them to target or redirect users based on desired geographic profiles. Fraudsters intentionally misrepresent location data, including latitude and longitude coordinates, manipulating the bid string to create false geographic patterns and forcing advertisers to pay higher prices for users who may not fit the intended targeting criteria.
Attribution Fraud & SDK Tampering
Attribution is necessary to accurately determine which advertising source or channel should be credited for a particular user action, such as an install or in-app purchase. However, fraudsters use a variety of deceptive techniques to distort attribution data to improperly take credit for user actions and conversions, using methods such as the aforementioned click injection (attribution window hijacking), click hijacking (artificially inflating attribution rates), or click flooding. The most typical types of attribution fraud are SDK Hacking and SDK Spoofing.
SDK Hacking — manipulation or spoofing of mobile application software development kits (SDKs). One common form of SDK hacking is placing unauthorized advertisements in an app. Fraudsters can interfere with the SDK to force the display of excessive or intrusive ads, disrupting the user experience and potentially generating illegal clicks or ad impressions. Additionally, attackers can modify the SDK to surreptitiously collect sensitive information, such as personal data or device identifiers, without the user’s knowledge. Applications with open source or low-security SDKs are more likely to suffer from such attacks because their SDKs are easier to hack, mimic, or reconstruct.
SDK Spoofing involves masquerading as or impersonating a legitimate SDK in a mobile app. This can be done by changing the code or configuration of the app, replacing the genuine SDK with a fake or malicious version. The fake SDK mimics the behavior of the original SDK and creates fake events and data that appear genuine to ad attribution systems. This leads to false attribution and inflated performance metrics. The fake SDK may also include additional malicious features or collect sensitive user information without consent.
SDK Hacking can be used in conjunction with DNS spoofing (spoofing the domain name in attribution links) to redirect users to fraudulent websites or to interfere with the normal functioning of an application. For example, an attacker can use DNS spoofing to redirect application traffic to a malicious server hosting a fake SDK, resulting in unauthorized actions or data leaks.
Display Ad Fraud
There are several common forms of mobile ad fraud that use the ad placement and display process to create illegal ad impressions or clicks.
Ad Stacking occurs when multiple ads are placed on top of each other in the ad placement area of a mobile app, with only the top ad visible to users, and a click or impression is registered for each ad in the stack, causing advertisers to pay for fake impressions and clicks. Stacking uses:
- Layering technique: fraudsters overlay multiple ads on top of each other using transparent or nearly transparent elements. This technique aims to make the stacked ads virtually invisible to users, but generate ad impressions in the background.
- Ad refreshing: fraudsters implement automatic ad refreshing at a high rate by cycling through the stacked ads. This method artificially inflates the number of ad impressions, creating a false impression of higher engagement and ad effectiveness.
Ad Injection involves the unauthorized insertion of ads into a mobile app without the publisher’s consent. These embedded ads are usually layered on top of legitimate content, disrupting the user experience and redirecting revenue from the legitimate publisher to the rogue publisher through malware and adware plugins.
Pixel Stuffing places a tiny 1×1 pixel block on top of a regular ad using iframes, making such ads invisible to users even though they still register as displayed.
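Ad stacking, high-rate refreshing and pixel stuffing all leave traces in rendered-impression telemetry. The following added example, which is not from the original article, audits such records; the field layout, app names and thresholds are assumptions and the sample records are constructed.

```python
from collections import defaultdict
from itertools import combinations

# Assumed thresholds and record layout (constructed for illustration).
MIN_VISIBLE_OPACITY = 0.1   # below this a creative is effectively invisible
MAX_REFRESH_PER_MIN = 4     # impressions tolerated per slot per minute

# (app, slot, ts_seconds, x, y, width, height, opacity)
SAMPLE = [
    ("app_ok", "banner", 0, 0, 0, 320, 50, 1.0),
    ("app_ok", "banner", 60, 0, 0, 320, 50, 1.0),
    ("app_stack", "s1", 10, 0, 400, 320, 50, 1.0),
    ("app_stack", "s2", 10, 0, 400, 320, 50, 0.01),
    ("app_stack", "s3", 10, 0, 400, 320, 50, 0.01),
    ("app_pixel", "p1", 5, 10, 10, 1, 1, 1.0),
] + [("app_refresh", "r1", t, 0, 0, 300, 250, 1.0) for t in range(0, 60, 5)]

def overlaps(a, b):
    """True when two impression rectangles share screen area."""
    ax, ay, aw, ah = a[3:7]
    bx, by, bw, bh = b[3:7]
    return ax < bx + bw and bx < ax + aw and ay < by + bh and by < ay + ah

def audit(impressions):
    """Return {app: sorted indicators} for apps with suspicious impressions."""
    findings = defaultdict(set)
    same_moment = defaultdict(list)     # (app, ts) -> impressions billed together
    per_slot_minute = defaultdict(int)  # (app, slot, minute) -> impression count
    for imp in impressions:
        app, slot, ts, _, _, w, h, opacity = imp
        if w * h <= 1:                  # creative rendered into a 1x1 area
            findings[app].add("pixel_stuffing")
        if opacity < MIN_VISIBLE_OPACITY:
            findings[app].add("invisible_layer")
        same_moment[(app, ts)].append(imp)
        per_slot_minute[(app, slot, ts // 60)] += 1
    for (app, _), group in same_moment.items():
        # several impressions counted at once for overlapping screen area
        if any(overlaps(a, b) for a, b in combinations(group, 2)):
            findings[app].add("ad_stacking")
    for (app, _, _), count in per_slot_minute.items():
        if count > MAX_REFRESH_PER_MIN:
            findings[app].add("rapid_refresh")
    return {app: sorted(f) for app, f in findings.items()}
```
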
Fraudsters are constantly on the move, looking for gaps and loopholes to steal advertising budgets, as advertising today comes in a variety of formats, with substantial sums being spent.
Initially, advertisers relied on the CPI model, paying publishers for each app install. However, fraudsters started targeting CPI campaigns by generating fake installs or capturing real ones through Click flooding, Click Injection, Device Farms and so on. To solve this problem, advertisers switched to pay-per-action (CPA) campaigns, focusing on in-app events and user engagement. For a while, it was thought that CPA campaigns would protect against fraud and attract higher quality users, because affiliate networks offer advertisers the advantage that they only pay for actual results such as bids, purchases, and installs.
Unfortunately, attackers have adapted and snuck into this model by using fake apps and banned traffic sources, stealing leads, and using sophisticated bots to fake events, focusing especially on gaming apps and in-app purchases in various verticals. CPA campaigns have become even more attractive to fraudsters because there is more money to be made from them, as payouts for specific actions are typically higher.
That said, fraud activity in CPI campaigns is still not decreasing: between January 2022 and February 2023, mobile app fraud, including pay-per-install (CPI) fraud, was valued at about $2.05 billion in the European market and about $1.2 billion in the North American market (according to Statista).
Fraud in mobile is a serious problem that requires the attention of advertisers and marketers, as well as ad networks and publishers, as all parties, as partners in the digital marketplace, are affected. Understanding the different types of fraud we described above is critical to developing effective strategies to combat them.
In our next article, we’ll take a look at the current mobile ad fraud defense landscape, share insights from our team of experts at Mobio Group, and assess the latest advances in fraud detection and prevention techniques to protect your advertising budgets and ensure successful campaigns.
Stay tuned for our next article, where Mobio Group will equip you with the tools and information you need to stay one step ahead of fraudsters and protect your mobile ad investment.