Fraud follows the money, but it also picks the low-hanging fruit.
Although Methbot was a fairly sophisticated operation, fraudsters are generally lazy, said Augustine Fou, a cybersecurity expert and independent ad fraud researcher.
“The general principle is that bots are not going to work harder than they need to,” Fou said. “If they can get by easy defenses and make money, they’ll do that, and if it’s lucrative to pretend to be iOS to earn a CPM, they’ll try it.”
With little fear of accountability or reprisal, they’ll throw click spam and fake install attempts against the wall until something gets through. If it works, they get paid. If it doesn’t, they try something else.
A recent report by mobile ad network ClicksMob claims that iOS is 50% more likely to get hit with fraudulent traffic than Android, a finding that contravenes conventional wisdom. ClicksMob CEO Avishai Shoushan attributes the conclusion to the higher payouts available on iOS. Advertisers are willing to pay more to acquire and retain iOS users, and higher ad budgets are like honey to the fraudster’s bee.
But, by and large, iOS is just as vulnerable as Android to the classic forms of mobile ad fraud (fake or low-quality traffic, non-visible ads, bot farms, fake clicks). Android’s open-source operating system, however, has far more features for fraudsters to exploit than iOS’s closed ecosystem, said John Koetsier, a mobile economist at app analytics and attribution company Tune.
Tune identified 22.4 million suspect mobile conversions in January for just one of its brand customers – 69% of which occurred on Android. Twenty-six percent happened on iOS.
Android is also uniquely vulnerable to click injection fraud, in which an ad network takes credit for organic app installs.
“At a system level, Android broadcasts new app install alerts to other installed apps, which is a good thing for app integration and interoperability,” Koetsier explained. “But a fraudster’s app that sees this can immediately claim credit for the install.”
Click injection is “like a surgically precise way of doing click spam,” said Andreas Naumann, a fraud specialist at app analytics and measurement company Adjust.
Naumann noted that click injection on Android is on the rise – and it’s a type of fraud not possible to perpetrate on iOS. Whereas on Android any developer can listen to what’s happening on a user’s device, iOS developers who want their app to communicate with other downloaded apps need to provide a list of those apps to Apple in advance when originally submitting their item to the App Store.
There is, however, one way for fraudsters to game iOS that doesn’t exist on Android, and that’s Limit Ad Tracking fraud.
When a user opts out of ad tracking on Android, marketing platforms can still see the Google ad ID and a flag in the back end that the device should not be targeted with ads.
But when a user opts out of ad tracking in iOS 10, Apple sends back a hashed identifier, basically a string of zeroes, rather than a unique advertising identifier. Without an IDFA, ad networks and attribution platforms aren’t able to track or target users.
That makes it more difficult to recognize patterns and look for anomalies, said Matan Tessler, director of product at AppsFlyer.
“If a single device generates multiple installs attributed to the same ad, that looks like fraud, and it’s difficult to see on iOS because you don’t have a device ID,” Tessler said.
But Limit Ad Tracking fraud is somewhat, well, limited, Naumann said. It’s mostly an offshoot of incentivized offers. For example, if Game A gives its players the chance to earn premium currency by downloading Game B and those players have LAT activated, they can keep installing and uninstalling Game B over and over to earn more credit in Game A without being caught.
“It’s less a fraud scheme and more like piracy,” said Naumann, who noted that ad networks can get around that issue by using their own internal identifiers, and Apple is generally OK with it as long as those identifiers aren’t shared.
Ultimately, red flags abound for fraud on both iOS and Android – and focusing on the operating system is a red herring.
“The bigger problem is that the industry needs more common sense,” Naumann said. “We need to ask questions rather than focus on the OS.”
Questions related to ROI and the bottom line, said Tune’s Koetsier.
“The best defense for advertisers when it comes to mobile ad fraud is trying ad spend to revenue,” he said. “Rear-view metrics like taps, views, app installs and even form fill-outs can be gamed. It’s much, much harder to game actual money in the bank.”