Anatomy Of Mobile Ad Fraud: Web Vs. App

This is the third in a series of deep dives from AdExchanger on mobile fraud and mobile data quality, including guides to fraud tactics and threat vectors and practical solutions from advertisers in the growth and user acquisition trenches. Read the first story (“2018 Will Be A Year Of Reckoning For Mobile App-Install Fraud“) and the second (“Mobile Data Has A Quality Control Problem“).

Marketers are spending more than ever on mobile, and fraudsters are hot on their heels.

But which channel is more susceptible to ad fraud – apps or the mobile web? Is app-attribution fraud a bigger problem than impression fraud?

The answers are more complicated than either/or, yes or no.

That’s because bad actors commit fraud with one goal in mind: to make money. And they do this through a balancing equation of risk vs. effort vs. reward. If there’s a loophole, they’ll find it, mine it and move on when it’s no longer profitable.

“It all comes down to the ease of theft, coupled with the payoff and combined with the fraudster’s skill set and access to technology,” said Rich Kahn, CEO and founder of digital marketing firm eZanga. “The bottom line is they know how to get paid, and they’ll exploit anything they can get their hands on.”

Right now, that’s primarily apps. It’s where fraudsters are investing, so to speak. But mobile web fraud is still plucking cash from advertisers’ pockets.

A third of marketers estimate that more than half of their mobile ad budgets are exposed to in-app and mobile web fraud, according to a recent report from AppsFlyer.

“The amount of spend moving to mobile app is like a gravitational pull,” said Michael Oiknine, chief revenue and strategy officer at Singular. “But the reason mobile fraud in general is difficult to catch is because the fraudsters are smart, they’re sophisticated and that’s true on the mobile web or in apps.”

Here’s a quick and dirty guide to where the vulnerabilities are by channel.

Mobile web of lies

More than 90% of mobile ad spend is directed toward in-app, according to mobile SSP Smaato. Although fraudsters are busy trying to suck in-app budgets dry, fraud is still happening on the mobile web.

Mobile web fraud tactics are nearly identical to desktop fraud, making for an easy transition for bad actors already committing fraud on desktop, said Amit Joshi, director of product and data science at Forensiq.

As on desktop, fraudsters rely on botnets to do their bidding, most commonly click fraud, impression fraud, ad stacking and forced redirects. Fraud detection companies also rely on road-tested desktop techniques to root out mobile web fraud, including JavaScript and analyzing IP addresses.

“You’ll probably get caught after a year, but if you woke up tomorrow as a fraudster and wanted to drive revenue as quickly as possible, focusing on the mobile web would be the way to do it,” said Alexei Chemenda, CRO of apps and US managing director at Adikteev.

Apps behaving badly

But apps are a completely different animal. There’s no tag-based detection for the app ecosystem, and it’s pointless looking for botnets.

“The bad guys don’t need bots to commit app fraud,” said independent fraud researcher Augustine Fou. “All they need is an app.”

Apps loaded with malware that pose as legit apps can often be found for download in Google Play or the App Store. They may be children’s games, utility apps, sticker apps or a fake shopping app that looks like the real thing. Fraudsters also exploit bootlegged apps on pirate sites.

Their purposes range in nefariousness. Some serve pop-ups, load and reload thousands of impressions or watch umpteen videos in the background without the user’s knowledge. Others may serve as a Trojan horse for ransomware. Sometimes, the app knows to only load and reload ads when a device is plugged into power, so users don’t notice anything weird happening with their battery.

In other cases, an app might obfuscate its location to soak up dollars from advertisers looking to target tier-one countries, or it may purposely mislabel inventory to pass off incentivized traffic as non-incentivized traffic.

Bad credit

Apps are also vulnerable to attribution fraud, where a bad actor takes credit for driving an install or subsequent in-app actions.

Sometimes, mobile simulators or fake devices created in a data center download an app to steal credit and payment.

Other times, fraudsters use tactics such as click injection – a more surgical form of click spam –to insert themselves in the moment between a real download and the initial app open. This form of fraud is particularly insidious, because advertisers end up paying for their own organic installs.

But regardless of which channel is being exploited, the buying metrics used in the mobile space – CPM on the mobile web, cost per install in apps – might as well be rolling out the welcome mat for fraudsters, Fou said.

“Bad actors can generate millions of fake installs and get paid a bounty for doing it, and why?” he said. “Because they can demonstrate the specific action advertisers are paying for.”

Full-funnel fraud

That’s the whole point of fraud – duping advertisers with proxy metrics and spoofed signals – whether the KPI is to generate brand awareness or drive performance.

But sometimes the fraudster producing fake traffic to boost impressions on the mobile web is the same fraudster stealing credit for an app download. The fraud ecosystem is often “not so surprisingly linked,” said Forensiq’s Joshi.

“Vendors are either very focused on CPMs and the programmatic world or the cost-per-acquisition world, but a fraudster doesn’t say, ‘I have a botnet, so all I’ll do is generate traffic,” he said. “Fraudsters commit fraud end-to-end, across the funnel.”

Advertisers are vulnerable to ad fraud whenever they open their wallets. Say a bot loads 100,000 ads for a travel brand and then a user goes on to download that travel brand’s app organically. The more sophisticated fraudsters are ready to jump in and steal credit for the install.

But it’s not easy to suss that out. Tracking and attribution providers are fiercely competitive and not usually inclined to share information with each other, said Galia Reichenstein, US general manager at Taptica.

“There is a limit to the transparency vendors can and will share with each other,” she said. “But advertisers and vendors must work together to look at the big picture, cross-checking across multiple tools and data points throughout the funnel.”

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!