A version of this post also appeared on Mobile Advertising Watch.
The mobile app landscape is extremely competitive. With more than three million apps available today in the major app stores, a new app has slim chances of standing out and making it to the top of the charts. Install ad campaigns are increasingly popular (if not necessary) for app marketers. But install fraud is an increasing problem.
In 2015, mobile app-install ad spending reached $3 billion, making up 10 percent of all mobile ad spending and increasing at 80 percent per year. In the U.S., mobile app install ad spending is projected to be $9 billion by 2018 — a 438 percent increase in four years, compared to 203 percent for overall mobile ad spending.
Percentage increase in ad spending, compared to ad spending in 2014.
These pay-per-install and pay-per-engagement ad campaigns allow marketers to track their return on investment (ROI) more accurately. Traditional advertising models based on impressions or clicks have long been plagued with spoofed traffic from automated software, with fraud reported to be as high as 80 percent. Now, by paying only when the app is installed for the first time or when a newly registered user launches the app multiple times, marketers effectively raise the bar for install fraud because it is much more difficult to spoof app installs or simulate active users.
Not to be outdone, online criminals have quickly adapted to follow the money. After all, the average payoff for an install can be 430 times more than an impression. Online criminals deploy multiple advanced techniques to commit ad fraud, including:
- Malicious apps: Malicious apps can spoof legitimate apps (e.g., by modifying app headers to pretend to be a known legitimate app) to trick users into installing them. They then hijack the mobile device to download and install additional apps without consent from the user.
- Install farms: Human workers can be hired to commit install fraud by manually install/uninstall, launch, and interact with apps. Such human “sweatshops” (as shown in picture on right) charge app developers tens of thousands of dollars for a spot in the top app rankings.
- Mobile device emulators: Mobile emulators allows fraudsters to simulate a large number of distinct mobile devices on the same hardware. Each of these simulated devices can download and install apps while appearing as a new device.
From our experience, install fraud rates vary significantly across media and ad campaigns. A small fraction of them are quite clean. The average fraud rate per ad campaign is around 5-20 percent, while in some extreme cases over half or all of the acquired installs are entirely fraudulent.
Are Your Installs from Real People?
So what does install fraud look like in the real world? In an attack the DataVisor team observed in the wild, there were hundreds of fraudulent app installs associated with different Android IDs, with each Android account installing the exact same two apps. More than 30 different Android device models were used in this attack (see figure below), with each install performed with a different device ID and cookie ID to appear as distinct, unique installs.
Distribution of device models used in an install fraud campaign.
The Rise of Engagement Fraud
As marketers have grown less trusting of “per install” incentive ad campaigns, they have increasingly used campaigns that pay for active users rather than simply installs. However, fraudsters have been quick to adapt to exploit this compensation model as well. In a pay-per-engagement ad campaign for a mobile game app, the DataVisor team discovered thousands of fraudulent installs from residential networks located all over the U.S., where all of the users actively used the app multiple days following the install.
This would appear to be legitimate activity, except that subsequent activities from those users were all from the same IP subnet located in Southeast Asia. For the two weeks following the initial install, all of those users consistently logged in every day, allowing the fraudulent ad channel to claim user acquisition fees for what were really dummy accounts.
Map of IPs from a distributed install fraud campaign. The installs were performed from IPs in the U.S., while subsequent user activities in the app were all from the same IP subnet located in Southeast Asia.
The table below shows events logged by the game app for one of these fake users. The user installed the game app and registered for an account from the U.S., but subsequently logged in from an IP address located in Southeast Asia once per day over the next few days. It is likely that the fraudsters leveraged proxies for the initial install, such that they can pose as users from the targeted demographic in the U.S.
The Ad Fraud Arms Race, and What You Can Do About It
As advertisers and ad platforms adopt more sophisticated tracking technology and pricing models to drive performance, fraudsters are also becoming increasingly experienced at mimicking the behavior of real users to game the system. Compound this with the fact that fraudulent activities are often intermixed with legitimate activities, it means traditional fraud solutions that rely on IP/device reputation or blacklists are woefully ineffective today.
But all’s not lost, and there are ways to fight back. App marketers should adopt a pricing model that matches their advertising goals. When mobile apps focus on user retention and other post-install activities, they are more likely to reduce the rate of fraud.
In addition, seek advanced solutions that can adapt to constantly changing attack patterns. Ad fraud is a security issue coming from organized attack campaigns, and so should be treated accordingly – as more than a data problem. The real challenge is in distinguishing fraudulent traffic intermixed with legitimate activities, which requires not only big data tools, but also security domain expertise.
With so much money to be made (and stolen) in the ad industry, fraudsters are going to continue to find ways to get paid. Make sure you’re doing everything you can so that their next payday is not on your dime.