Rovio Is Mad As Hell About Fraud And It’s Not Going To Take It Anymore

RovioAdjust“Angry Birds” maker Rovio Entertainment knew the sheer size of its user acquisition tactics was making it a sitting duck for ad fraud.

“With a name like Rovio, the ad exchanges see us as having big potential for them,” said An Vu, Rovio’s user acquisition lead. “They often want to sell us a lot and then they actually deliver very little.”

Because fraudsters, as ever, follow the money.

“The clients with the most aggressive user acquisition strategies are paying higher CPIs,” said Andreas Naumann, a fraud specialist at app analytics company Adjust, which launched a suite of anti-fraud tools in February used by Rovio, HotelTonight and a number of other high-profile app publishers. “And that makes them the biggest targets.”

Adjust’s fraud solution blocks payment on bogus purchases and rejects payouts on fraudulent traffic coming from data center IPs and other spurious sources. Adjust also analyzes groups of acquired users in the aggregate to stop bad actors from faking background clicks on organic traffic, thereby claiming credit and getting paid for clicks they had no part in generating.

A blacklist isn’t going to catch that kind of stuff, Naumann said.

“They hide in networks and exchanges and dump companies every couple of months,” he said. “If you cut off a network, the bad actors just jump ship and come back again in a matter of days or even hours under a new name.”

Before hooking up with Adjust, Rovio noticed a fair amount of that sort of fishiness.

In one case, Vu and her team spotted what she called “a serious case of click stuffing” from a network. Two days into the campaign, there was a conspicuous dip in Rovio’s conversion ratio – the number of clicks connected to sales – through iTunes Connect. The issue was traced back to the problematic network when Rovio noticed that the day the conversion rate started dropping was the same day that network started delivering traffic to Rovio.

Rovio was able to catch it by staying vigilant. But manual detection can’t possibly keep up with everything.

“If we were looking at cost per install only, we would never notice this,” Vu said. “But [we] are careful about our entire funnel starting from impressions all the way down to deep post-install events, and if something looks funny anywhere in that chain, we will notice.”

The app publisher/ad network relationship isn’t always the greatest. In another recent example, Rovio was running a big burst campaign during the holiday season in an effort to break into the charts in Canada. Rovio was looking to hit particular benchmarks, and a network it had worked with before told Vu it wouldn’t be a problem.

But it was. “Afterward, we found out that 90% of our installs came from three IP addresses,” Vu said. “That was a blatant example of fraud coming from a seemingly trusted network.”

It’s not uncommon, said Naumann – and he has firsthand experience of what goes on behind a publisher’s back. Before joining Adjust in January, Naumann cut his teeth at different performance networks, including Glispa, Trademob and Zanox.

“Networks are completely aware of what’s going on,” Naumann said. “Networks are not usually directly involved, but they know what’s happening and they take the short, secure route to revenue.”

There’s a bit of a Catch-22 going on. If networks proactively cut down on fraud, their volumes go down. But publishers have certain growth expectations, and if a network’s volume goes down, it can’t meet those expectations. So networks push on, regardless of the threat of fraud.

“For a company like Rovio, that’s going to result in a lot of money going to waste,” Naumann said. “It’s why we focus on cutting the cash flow to the network or the fraudulent source before they get paid.”

Without automation, that turns into a hugely time-consuming process even for a player as big as Rovio. It’s why Rovio hooked up with Adjust.

“[This] is saving our business intelligence team from having to manually dig through server logs to look for fraudulent behavior, especially when working with many different networks and determining which ones to cut,” said Vu. “By doing this programmatically, we can have more confidence in the data, and we can go big and not hold back in our ad buy experiments. It’s more than just preventing the bad install – it’s an insurance policy when working with new partners.”

Rovio is taking an active approach to fraud prevention, but a publisher simply is not able to have full visibility into traffic sources. The whole buyer beware thing doesn’t fly, Naumann said.

“There’s no way for the client to make 100% sure where the traffic is coming from, and most networks have no clue where it’s coming from either unless they have a proprietary source,” he said. “But what clients do need to do is educate themselves so they know what the red flags are. They need to make sure they aren’t running blindly into traps.”

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!


  1. Bravo to Rovio. I’ve talked with anti-fraud teams at a couple of big DSPs and SSPs over the last couple of weeks. The first thing suggested, even before we discussed the tools used to play whack-a-mole with the crooks, was that advertisers need to push the invoices for theft back. We can all talk a good game about having standards, using high-tech tools and the like. But in the end, it’s only money that talks. Audit your funnel and refuse to pay a single penny for anything that even looks remotely strange–using advertiser-set standards, not specious industry benchmarks or best practices.

  2. Adjust is heaven for fraudulent activity and looks like they are panicking after most of their clients been hitted badly with fraud.
    Since everyone have access to Adjust SDK source code, the bad actors where able to manipulate it and basically got rich with almost no effort. To make it worse, Adjust were charging for clicks. That was catch22 for them and they had no incentive to actually mitigate fraud.
    Another disaster is that Adjust don’t provide access to Raw data to their clients! Without this data, you need to trust the aggregated number to make payments to networks, with absolutely no tools to validate the installs you received from them.

    • Hi David,

      If you read the article above, you can see there are clients like Rovio who don’t share your opinion on adjust not taking a stance on cracking down on fraud. They also don’t share your opinion on the open source SDK – they can clearly see what they integrate within their apps.

      Is it a security risk though? Well, how it works is that there are two cornerstones that protect and verify the communication between the adjust SDK and our servers. The first is a “shared secret” methodology. We use a random, unique, and confidential app token to verify incoming traffic. This secret is compiled into your app. It’s hidden in the same way that a closed-source SDK hides its internal workings.

      The second is that all traffic is SSL encrypted end-to-end, and always has been – long before iOS made it a default recommendation.

      If we had been using a public ID like the iTunes App ID or the bundle IDs to identify an app, I’d see your point. But since we don’t, even if the secret was stolen, we would just change it. Thus far we’ve never had to.

      Raw data access is provided via our callbacks API. It is true that we don’t store individual device records to provide a CSV download. The reason for this is that it would be strictly questionable under standing European privacy directives. Typically, you would connect these callbacks to an S3 bucket or database that you control, and voila. Safe & secure (and legal!) raw data.

      As for pricing, you’re absolutely right that one of a few problems of the old pricing was that it could potentially have conflicted with the fraud initiatives we launched in Q1. I believe the model we apply since that time – where we only take paid installs and reattributions into account – is fairer and corresponds better to a share of marketing budget. That’s why we changed it. 🙂

      Hope that serves to clarify some of your concerns. If you have any further questions (and aren’t working for a competitor), happy to answer them either here or through

  3. Agreed, tracking click/conversion or even impressions/conversion is always the best approach to fighting fraud. But that does not mean that other methods are not useful (IP bloacklists, IAS/DV, in-house pattern detection etc…)