MOBILE AD FRAUD - AppsFlyer · $1.3 billion annually to mobile fraud (compared to $3.2 billion in desktop fraud), according to the IAB, whose study focused mainly on fraudulent and

MOBILE AD FRAUDW H AT Y O U N E E D T O K N O W

N O V E M B E R 2 0 1 6

Intro

Attack

Counterattack

Industry Perspectives

A Final Thought

3

4-6

7-11

12-15

16

ON THE AGENDA

2

As mobile has taken our lives by storm, the mobile advertising market has also

taken off. Global mobile ad spend this year will hit a staggering $105 billion,

eMarketer predicts. By 2019, that number is expected to reach nearly $200

billion.

The bad news is that wherever there is money, there are bad guys looking for

a piece of the pie. And it’s a growing piece of the pie with an estimated loss of

$1.3 billion annually to mobile fraud (compared to $3.2 billion in desktop fraud),

according to the IAB, whose study focused mainly on fraudulent and invalid

traffic. Zooming in on mobile app install and engagement fraud, we found an

estimated annual loss of up to $350 million.

The good news is that there are plenty of ways to fight back. It won’t eliminate

fraud entirely but it can definitely minimize your exposure. Also, mobile fraud is

no longer the elephant in the room among adtech vendors. The subject is now

increasingly raised across the mobile ecosystem, leading to more partnerships

and collaborations, which is an important step forward in the battle against

fraudsters.

INTRO

3

In a nutshell, fraudsters look for ways to adapt to KPIs advertisers focus on, and then

they try to ‘game the system’. That’s why the different types of mobile fraud are

often linked to the common pricing models. If we examine this as a funnel, there is

impression fraud targeting CPM (cost per mille), click fraud targeting CPC (cost per

click), install fraud targeting CPI (cost per install) and event (in-app) fraud targeting

CPA (cost per action).

Generally speaking, the deeper the funnel stage, the harder it is for the bad guys

to succeed. But since the financial reward associated with each pricing model is

highest at the bottom of the funnel (CPI and CPA), fraudsters also try harder, which

leads to an increase in fraudulent activity.

IMPRESSION FRAUDThis is a shady tactic by which publishers stack multiple display ads on

the same piece of real estate. The advertiser is then charged for multiple

views even though the user was only exposed to one ad. Although most

performance-driven app marketers who focus on user acquisition do not

run CPM campaigns, there are exceptions as some mobile ad networks only

offer CPM. Also, the red hot mobile video ad format with its high payouts is

primarily CPM-driven.

CLICK FRAUDThis black-hat technique is mainly perpetrated via an automated script

or a computer program (aka bots) that imitates a legitimate user, thereby

generating a massive number of clicks on ads in order to incur charges from

CPC ad budgets.

ATTACK

4

INSTALL FRAUDWith CPI being the most common pricing model in performance app

marketing, install fraud is also most prevalent. There are two main methods

to perpetrate install fraud:

1. Generating fake clicks and fake installs. This happens when install bots

mimic human behavior by simulating a device that sends a fake click and

then a fake install to the attribution provider. When the two are paired,

the attribution provider will typically credit the click source - in this case

most likely a fraudulent publisher that even the ad network does not

know about - with install attribution. The advertiser then pays the winning

network, which passes a portion of the payout to their publishers, which

ultimately make their way into the fraudster’s hands.

2. Generating a flood of fake clicks to randomly match subsequent

organic installs. This type of fraud requires a large scale operation that

can generate millions of fake clicks that otherwise appear legitimate.

Fraudsters can do this by using:

Randomly netting organic installs can then occur by defrauding the

attribution provider’s fingerprinting algorithm - the measurement

method that uses publicly available parameters (i.e. device name, device

type, OS version, platform, IP address, carrier, to name just a few), to

form a digital fingerprint ID that statistically matches specific device

attributes.

y Simulated devices

y Fraudulent apps running invisible ads in the background

of real devices

y Sending clicks from catalogs of real, collected device IDs

ATTACK

5

IN-APP (EVENT) FRAUDAs retention and engagement become the most valuable KPIs for app

marketers, the CPA pricing model is gaining popularity and with it fraudsters’

attempts to impersonate in-app activity. This can include simulating app

usage, playing a game or making fake in-app purchases (through a transfer

of virtual goods where no real money is being exchanged). Ultimately,

fraudsters seek to inflate the perceived value of their installs to make

it appear real, and justify further spend with a source that supposedly

delivered value.

ATTACK

For example, let’s assume a user installs an app organically from a certain

IP, with a Samsung Galaxy 5 that has an OS version 6.0.1. In such a case,

a click from the same IP with the same device characteristics could trick

a fingerprinting algorithm into believing that this click led to the organic

install, leading the attribution provider to credit the ad network which is

most likely not even aware that the false click was generated by one of its

fraudulent publishers. When using a standard 1-day attribution window

for fingerprinting, it would be enough for an organic install to occur

within 24 hours after this fraudulent click to falsely claim attribution.

Randomly matching a click to an organic install can also happen by using

real, collected device IDs and then taking credit for organic installs

downloaded from a device with the same device ID.

6

PREVENT FRAUD BEFORE IT TAINTS YOUR DATAEfficient prevention is key. Ensuring fraud does not pollute your dashboard is of the

utmost importance. The main prevention methods include:

y Active IP, user agent and device ID filtering. Algorithms actively monitor

mobile ad interactions to automatically verify legitimate activity and catalog

suspect or mismatched IP addresses, user agents and device IDs

y Distribution modelling. Big data models are capable of detecting anomalies

such as mean-time-to-install (MTTI), geographic distribution, click volume

by IP address and device ID, user agent versus IP benchmarks and more.

As with any machine learning, scale of data is extremely important so the

larger your provider’s scale, the more data an engine can train on to deliver

effective results.

COUNTERATTACK

7

DETECT FRAUD THAT SLIPPED THROUGH WITH RAW DATA REPORTSOn-going monitoring for any data anomalies can detect fraud after the fact. This is

done by diving deep into raw data reports which include all install, engagement and

purchase data. With precise timestamps for every action and engagement, every

reported user action can be tracked.

ONLY RUN WITH NETWORKS YOU TRUSTThankfully, the ecosystem has hundreds of reputable and established sources.

You can start by exploring the networks in our performance index, but remember

each app is a world of its own and there are plenty of smaller networks that have

performed well for our clients.

Remember that if networks are integrated with a trusted mobile measurement

partner it means they have been properly vetted as well. If you’re not sure about it,

start with a test budget and make sure you’re getting good and legitimate results

before further investing.

COUNTERATTACK

y Device ranking. Important as they are, active IP filtering and distribution

modeling are usually not enough: IPs can easily be changed while distribution

models are slow to adopt and can be manipulated by fraudsters to match an

expected trend. That’s why a third critical layer of defense fights fraud at the

source - the device level. When an anti-fraud mechanism draws its signals

and learnings from a massive, cross-app database, the decision on whether

to label an install/event as fraudulent is based on a far wider data set.

y Install and in-app receipt validation. By connecting to the app store’s

servers to validate the legitimacy of an install or in-app purchase, illegitimate

activity can be filtered out before it inflicts any damage.

Ultimately, the most effective fraud protection systems will use a variety of signals to

create big data and machine-learning powered insights across publishers. As such,

additional layers of protection on top of rule-based and modeling components are

important to enhance effectiveness.

8

COUNTERATTACK

DEMAND TRANSPARENCYMake sure the networks you work with are transparent about their sources and sub-

sources.

Encourage those that aren’t to increase their level of transparency and tie it to your

spend. After all, it’s also in their interest to pinpoint the one fraudulent source to

enable a budget increase in all the other legitimate ones.

USE DIRECT PUBLISHERSWhen you work with direct publishers or with networks that have relationships with

direct publishers, you know where your ads are running. With no surprises, it’s unlikely

you’ll encounter fraud using these sources. But keep in mind it will be a challenge to

scale with only direct sources.

UTILIZE A MEASUREMENT PARTNER'S SDK PROTECTION A native and secure SDK uses security mechanisms like hashing and encryption to

make sure device installations and in-app events sent by the SDK are legitimate.

9

Germany

Russia

France

Brazil

Mexico

Argentina

UK

US

Canada

China

Japan

Korea

Thailand

Indonesia

Australia

VietnamIndia

COUNTERATTACK

TAKE NOTICE: FRAUD BY GEO VARIES SIGNIFICANTLY!Our recent study has shown that in general fraudsters follow the money trail. As such,

countries with the highest payouts are most targeted by bad actors (i.e. Germany,

Australia, US, UK, and China).

LAST BUT NOT LEAST: KEEP YOUR EYE ON THE BALL!Fraud can appear in different forms and shapes. Understanding what type of warning

signs to look out for is crucial to help minimize fraud. The following examples will

help you open your eyes to potential threats:

IP-related: y Large number of clicks / installs / unique identifiers from the same IP

y Different IP locations between the ad click and the install / first launch

* Device geo location is determined by the most common location of installs from that device

Share of Fraudulent Devices Out of Total Unique Devices In Top Markets*

High Fraud Rate

Low Fraud Rate

10

COUNTERATTACK

Consistency/patterns: y Click / install every 20 seconds

y Players / users from a specific source always drop off at the exact same

point in a game / app (e.g. before a game tutorial, before a registration)

y Large number of installs from the same device brand / model

Mismatches: y App versions different than versions available at the store

y Platform mismatches between ad click and install

y Geographic mismatches between ad click and install

Device ID-related: y Different identifiers for the same device

y Multiple IDFAs for a single IDFV (identifier for a vendor)

y IDFA / Google Advertising ID are not in uppercase or lowercase, as they

should be (respectively)

y Device ID numbers hold a consistent pattern

Other issues: y Appearance of GEOs not included in targeting criteria

y For in app events - if the value of the transaction does not exist in the app

y Device IDs increase at the same pattern

y Large volume of installs without data on carrier / city / country

Performance-related: y Sharp increase in install volume, a stark decline in day 1 retention

y Premium traffic performing like low quality traffic

y Suspiciously low pricing

y Extremely low conversion rates

y Extremely high uninstall rates

11

As part of series we ran on our blog we called ‘Talking Mobile Fraud’, we wanted

to hear the perspectives of different players in the mobile marketing space to the

state of mobile fraud: the network was represented by Pepe Agell, VP of Business

at Chartboost, the advertiser’s corner had Patrick Witham, the Senior Mobile User

Acquisition Manager with Product Madness, while the fraud vendor position was

filled by Johnny Thwaites, Head of International Performance Sales at Forensiq.

“Three years ago, mobile fraud was in single digits. Erring on the side

of caution I suspect that approximately a fifth of overall mobile traffic

is at some risk of fraud, while about 10% is at high risk of fraud.”

“Fraud poses a big threat to mobile marketers. It has existed since the

app industry first gained popularity, but has drastically increased in

the past couple of years.”

On the threat of fraud in the mobile space

“Fraud is growing in the mobile industry, and that UA Managers are

becoming more aware of this issue. In my opinion, the main driver of

fraud growth is that the rapid growth of our industry overall.”

ADVERTISER, NETWORK AND FRAUD PROVIDER POVS

12

“The primary type of fraud in mobile is user acquisition fraud, which

is centered around stolen attribution, fake installs and botnets.”

Most-encountered types of fraud

“Install fraud mainly — bots installing and uninstalling thousands

of times. I have also seen vendors misreport incentivized traffic as

unincentivized traffic, which may not be your typical fraud, but can

really distort your numbers.”

“Bot generated traffic is by far the most common type of fraud.

Bot activity can be extremely straightforward and easy to spot or

extremely sophisticated... As the degree of difficulty increases from

faked impression to faked install, so does the financial reward, which

is why install fraud is becoming so common.”

13

1) Work with trusted vendors only.

2) Always report back publisher ID or application ID internally so you

can look at retention by ID.

3) Work with vendors with direct publisher traffic.

4) Bonus: Work with vendors will full transparency and raw data exports.

How to fight back

“Pay close attention to your user metrics, and be careful who you

work with! Continue investing heavily in automated fraud detection,

and work closely with attribution providers to identify and stay on top

of industry-wide trends in fraud.”

1) Get a partner in place capable of picking out fraudulent activity as it

happens.

2) Get assurance from publishers that they are not buying third party

traffic and keep an eye out for suspiciously low pricing… Also, look out

for extremely low conversion rates as this may also be an indicator of

attribution fraud.

3) Demand transparency – if a network is not sharing their sources and

sub sources, request such information to be able to properly optimize

campaigns. Don’t buy inventory that is not sold transparently.

14

“I think there will finally be a company that is able to prevent this with

near 100% capability, and “clean up” the industry. This will either come

from the MMP side or another 3rd party.”

Mobile fraud 12-18 months from now

“With the increase of spend in mobile and the demand for more inventory,

fraud will increase. The release and implementation of the MRC’s IVT

guidelines will likely contribute to the standardization measurement

and definition of fraud over the next 18 months. We expect the IAB to

do the same. Having a fraud protection layer may become a standard

requirement as well.”

“Fraudsters will continue to adapt and evolve, and the market should

be prepared for that Investing now in automated fraud detection

with adaptable signals will pay off dividends as fraud becomes more

sophisticated.”

15

ABOUT APPSFLYERAppsFlyer is the leading mobile advertising attribution and marketing

analytics platform, allowing app marketers to measure the end-to-end

performance of their campaigns across over 1,600 integrated networks

from a single real-time dashboard. The company's comprehensive

Active Fraud Solution offers mobile marketers everything they need

to actively prevent mobile fraud. Among its 10,000 customers are

Alibaba, Baidu, Macy’s, Samsung, Playtika, IHG, Trivago, DeNA, and HBO.

AUTHOR - Shani roselfelderShani Rosenfelder is the content marketing lead at AppsFlyer. He has

over 10 years of experience in key content and marketing roles across

a variety of leading online companies and startups. You can follow him

on LinkedIn.

CO-AUTHOR - Daniel ZilberbergDaniel is the Product & Fraud Scientist at AppsFlyer. With over 7 years

of experience in the fields of data analysis, machine learning algorithms

and data anomalies, he excels at pinpointing key insights within big

numbers. Daniel holds a B.Sc. with honors in Mathematics & Statistics,

in addition to an MBA degree specializing in Finance and Accounting,

both from Tel Aviv University.

A FINAL THOUGHT

Mobile Advertising fraud is probably here to stay as it is a classic game of cat and mouse between the bad guys and the good guys. However, with proper measures and cross-industry collaboration, it is more than possible to marginalize its impact. With increased awareness of fraud, we are making mobile advertising better, en route to a goal in which advertisers only pay for ads that delivered real, measurable value.

16

DeviceRankTM

Introducing

The Next Generation ofMobile Fraud Protection

Discover The DeviceRankTM Advantage TodayLearn More at www.devicerank.me