Dealing with the Complexity of Fraud Attacks in Mobile Application Fraud

Every mobile app company aims to onboard new app users and have their apps reach the top of the charts on app stores. Mobile app companies use several marketing strategies to achieve these goals. However, it is frustrating for these mobile app companies to find that many of the app installs generated from their ad network campaigns are fraudulent — making their marketing expense a sunk cost. In what is referred to as “User Acquisition Fraud”, fraudsters trick advertisers into spending money on fake users and fraudulent traffic. This type of fraud often involves the generation of fake downloads and installs via automated tools or cheap human labor. 

Tools and Techniques Used in User Acquisition Fraud

To make this profitable at scale, fraudsters use a variety of tools and techniques such as malicious apps, mobile device emulators, and install farms. 

Malicious Apps

Some fraudsters create malicious apps which are published on multiple app stores. Once a malicious app is downloaded and installed, it will generate fake clicks that appear to originate from the website of the malicious publisher. The malicious app detects when other apps are downloaded on the device, and then injects clicks after the downloaded is completed, but before the app is installed. These click injections allow fraudsters to receive credit and payment based on fraudulent installs.

Malicious apps often generate massive levels of click spam, clicks that are executed by fraudsters but appear to be made by legitimate users. Click injections and click spam allow malicious publishers to hijack legitimate app users. 

Device Emulators

Many fraudsters are using device emulators to simulate numerous disparate mobile devices which can then be used to download and install apps. Emulators give the appearance that the installs are from new devices and legitimate users. 

One common form of fraud that involves device emulators is DeviceID reset fraud. Fraudsters create huge farms of mobile devices that are used to install apps, enable ad networks, and then receive payments from advertisers using a CPI model. They use emulators to reset the Device IDs of mobile phones constantly. These reset Device IDs give the appearance that every app install is from a new phone, even if thousands of installs all come from the same device. AppsFlyer estimates that advertisers globally lost $1.1-$1.3 billion in 2017 due to DeviceID reset fraud.

Install Farms

Some fraudsters build install farms which consist of physical locations loaded with mobile devices and low paid human workers. Fraudsters often use a combination of cheap human labor and bot-based scripts to generate activity that emulates legitimate users- e.g. downloading and installing apps, clicking on mobile ads, opening apps, interacting with apps, resetting Device IDs, and changing IP addresses. Install farms allow scammers to commit UA fraud on a grand scale. 

User Acquisition Fraud is Difficult to Detect

One of the biggest reasons user acquisition fraud is difficult to detect is that fraudsters are becoming increasingly adept at emulating the behavior of legitimate users. Once a mobile app is installed, the fraudster will ensure that there is engagement with the app, often via install farms. 

Another reason user acquisition fraud is difficult to detect is that many companies have fraud prevention systems that look at individual user attributes (e.g. email address, user device) instead of users and user behavior as a whole. For example, an instance of user acquisition fraud could involve 50,000 fake users downloading and installing an app at once. A rules-based system will likely give all these fake users a pass because fraud rings use pass/fail responses to figure out the rules boundaries. The rules boundaries can be easily circumvented if they are not updated frequently.

To detect user acquisition fraud, a fraud prevention system must use a holistic approach- it must look at all user activity and behavior instead of one user or one event at a time. The 50,000 fake users could have common attributes like device type, domains coming from the same IP, and similarly formatted email addresses. 

A Problem That Can’t Be Ignored

User acquisition fraud is a massive problem impacting advertisers in countries around the world.  However, new and cutting-edge technologies such as unsupervised machine learning can address the pain points. 

DataVisor is the leading AI-based fraud detection platform that proactively identifies and stops emerging fraud patterns without using historical loss labels for mobile user acquisition, internet properties, and financial services. It is helping the world’s largest mobile apps stop millions of dollars of fake installs, promotion abuse and in-app purchase fraud. Its Unsupervised Machine Learning (UML) Engine views thousands of account and event attributes simultaneously to link together correlated activity into malicious campaigns – allowing it to detect suspicious activity even as fraudsters evolve and change their attack patterns.   

Learn more about UA fraud in our Threat Labs Report here: “The Underworld of App Install Advertising”.

Sean McDermott

Sean McDermott

Sean leads the social commerce sales efforts at Datavisor, a cutting-edge fraud detection platform based on AI and machine learning. As a sales manager with over 12 years of experience in sales, Sean is adept at selling complex and sophisticated technologies. In the last 5 years, he has focused on selling Enterprise AI Fraud Products, quickly gaining expertise in different machine learning techniques including supervised, and unsupervised for the data science buyers.
2018-11-01T16:54:22+00:00 November 1st, 2018|Threat Blogs|