Unmasking App Fraud: Securing the Mobile Ecosystem
As mobile technology evolves, new opportunities for user interaction and advertising business growth are opening up. However, the increased popularity of mobile apps has an accompanying dark side that needs attention: a surge in fraudulent activity. In this article, Mobio Group takes a look at the alarming statistics of the rapid growth of app fraud and the ongoing confrontation between fraudsters and the digital ecosystem.
Statistics on the Increase in Fraud
Mobile fraud increased significantly in 2022. It is estimated that the projected monetary losses from fraud without proper protection amounted to $5.4 billion globally.
One of the factors contributing to the increase in mobile fraud was the release of iOS 14.5, which diverted the attention and resources of marketers, app owners and developers, and advertising platforms away from fraud protection measures.
In addition, limited marketing budgets have forced many businesses to seek out cheaper ad networks. These cost-cutting measures have often meant a trade-off in fraud protection.
It is also worth noting that due to improved detection systems, mobile fraud is being detected more frequently than ever before.
As a consequence, we are seeing a very worrying dynamic. If we compare the average fraud rate for the first six months of 2022 to the second half of the year, iOS app installation fraud is up 40% and Android fraud is up 46%. These statistics highlight the scale of the problem we face on both major mobile operating systems.
According to the AppsFlyer report, the financial, shopping and casino sectors bear the brunt of mobile fraud, accounting for over 75% of all incidents. The financial sector alone accounts for nearly half of all fraud incidents in 2022, an impressive $2.6 billion. In the casino sector, which offers attractive CPI payouts, fraud levels have been steadily rising, giving it an unfortunate reputation as the most vulnerable category, with a risk amount of $1.2 billion in the casino and betting category.
The shopping category has also seen a significant increase in illegal activity, with iOS fraud levels up 210% year-over-year and a risk amount of $406 million.
Against these alarming trends, the gaming industry stands out as a beacon of resilience — apps in this category maintain a relatively low fraud rate, a fraction of what is seen in non-gaming apps (just 1/6th). Through a long history of anti-fraud, the use of data analytics and post-installation value optimization, gaming apps have been able to mitigate fraud and minimize risk.
An analysis of the top markets for each mobile platform revealed some interesting results regarding fraud rates in different regions, while emphasizing the global nature of the problem.
When it comes to Android, Mexico leads the way with a significant fraud rate of 34%. Vietnam follows closely behind with 21%, while India and Russia report rates of 15% and 11% respectively. Surprisingly, even the UK, known for its strict security measures, experienced an unexpectedly high fraud rate of 21% on the Android platform.
Switching to iOS, we see that Russia has a fraud rate of 18%, while India is slightly higher at 20%. Mexico and Vietnam follow suit with rates of 19% and 28% respectively. Again, the United Kingdom tops the list with a fraud rate of 23%.
It’s worth noting that the United States, despite its robust technology landscape, has a relatively high iOS fraud rate of 8.8%. In Australia, the figure reaches 11.3%.
Fraudsters vs. Users
As smartphones continue to grow in popularity, fraudsters are not lagging behind, adapting their tactics just as quickly. In the past four years, in-app fraud has tripled. While social engineering, scams and credential resets have been around for a long time, fraudsters are innovating on these techniques. As millions of new users embrace online and mobile banking, often with little experience with these platforms, they become prime targets for social engineering and fraud attempts. Attackers use a variety of tactics and techniques to deceive and exploit mobile users, leaving a trail of financial losses and leaked personal information.
UK regulator Ofcom (The Office of Communications) has published the results of online fraud research conducted by Yonder Consulting.
Fake apps have become a widespread threat in the digital landscape. A fake app is created to duplicate a legitimate counterpart available on the App Store or Play Market, so that people mistake it for a popular app and download it to their phones. FraudWatch International reports that it is not uncommon to see several hundred iterations of the same fake mobile apps that generate significant revenue for their creators.
The main malicious activities targeting mobile users are:
- Phishing. One common method of deception is phishing, where fraudsters impersonate legitimate organizations such as banks, online marketplaces, or social media platforms and trick users into divulging sensitive information such as passwords or credit card details. These phishing attempts often take the form of deceptive emails, text messages, or fake websites and apps that look very similar to the real thing. Fraudsters can use personal information obtained through data breaches or social media profiling to personalize their illegal activities, adding a level of authenticity that can fool even the most vigilant users.
- Stealth Malware. The distribution of malware-infected apps. These apps may promise attractive features or offer exclusive content, but once installed on users’ devices, they cause significant harm to unsuspecting individuals, ranging from identity theft to silent subscriptions to premium services.
- The placebo. The user pays to download a fraudulent app, and the scammer embezzles the money.
- Apps packed with Adware. The app automatically floods the unsuspecting user with hundreds of ad pop-ups to gain access to lucrative ad revenue (such an app usually does not create a shortcut icon on the home screen, making it very difficult to find and uninstall).
Authorized push payment (APP) fraud losses are predicted to increase significantly in the UK, India and the US, reaching an impressive $5.25 billion (£4.44 billion) over the next four years. According to a report by ACI Worldwide, a leading payment software provider, and analyst firm GlobalData, the compound annual growth rate over this period will be 21%.
In the UK in particular, the APP fraud situation has become a cause for concern. In 2021 alone, losses from this fraud amounted to a substantial $789.4 million. An important development in this regard is the UK government’s initiative to provide for mandatory customer reimbursement in cases of APP fraud. The announcement was made during the Queen’s speech at the opening of Parliament in May 2022. To enact this change, the government intends to use the Financial Services and Markets Act to amend the Payment Services Regulations 2017. Currently, these Regulations provide that if a payment is made based on a unique identifier provided by the customer, such as an account number and sort code, the payment service provider is deemed to have correctly processed the transaction.
Fraudsters vs. Stores
Until recently, the app approval process on platforms such as Google Play or the App Store was a lengthy and largely manual process. In an effort to speed up release cycles, app stores have simplified and automated the process on their platforms. But in turn, fraudsters have found that this faster and simpler process is much easier to hack.
In the mobile community, you often hear about legitimate app publishers having trouble publishing their apps, and indeed they encounter serious issues. But we quite rarely hear about the positive side of the submission and verification process in the App Store or Google Play Store, and that’s what keeps a huge amount of fraud at bay.
Apple claims that in 2022 it removed 282 million fraudulent customer accounts and 428k developer accounts, and blocked 3.9 million stolen credit cards and fraudulent transactions worth more than $2 billion. It also removed nearly 24k apps; another 153k were copycat or spam apps, and 29k contained hidden or undocumented features. Apple also checked more than 1 billion ratings and reviews for possible fraud and removed more than 147 million of them.
Google also has a zero-tolerance policy for fraud, actively pursues it, and can sue the app developer. Some pretty well-known apps have been removed from Google Play, such as Quick Note, Insta Downloader, Ez Notes, Doubleline.calculate, Joycode, BusanBus, 8K-Dictionary, Smart Task Manager, High-Speed Camera, and others.
Starting in 2022, the Google Play Store is independently verified by the Mobile App Security Assessment (MASA) of the App Security Alliance. Compliance (MASVS) after verification is indicated by an icon in the corresponding security section of the app data.
Fraudsters vs. Apps and Mobile Ads
There are many types of fraud in the mobile sphere, but all of them have the same goal: to profit by manipulating attribution and artificially inflating paid actions (clicks, impressions and conversions). Fraudsters try to manipulate attributions and impressions and trick advertisers and ad networks into paying them. And admittedly, the number of these attempts is growing at an alarming rate. If we compare the data for January 2023 with the same period the year before (YoY), the increase in fraud on the Android platform was 31% and on iOS it was 76%.
The release of Google Privacy Sandbox, like iOS 14.5 before it, may divert the attention of app owners and developers, marketers and advertisers from the growing threat of fraud. However, these statistical reports clearly indicate that more resources should be devoted to developing preventative measures against installation fraud and post-attribution fraud.
The damage of fraud is felt by all actors and players in the marketing ecosystem. Attribution hijacking and fake installs drain the budgets of advertisers, ad networks and publishers alike. Almost all advertising platforms and networks have their anti-fraud defenses in place, including a suite of technologies and reports that help detect fraud in mobile ads.
However, in order to intelligently utilize the data contained in the reports of anti-fraud systems, you need to navigate the types of fraud that mobile apps can be exposed to. In our next article, Mobio Group will look at the main types and schemes of mobile advertising fraud and how to detect and block it.