MOBILE AD FRAUD
WHAT YOU NEED TO KNOW
NOVEMBER 2016
ON THE AGENDA
Intro
Attack
Counterattack
Industry Perspectives
A Final Thought
INTRO
As mobile has taken our lives by storm, the mobile advertising market has also
taken off. Global mobile ad spend this year will hit a staggering $105 billion,
eMarketer predicts. By 2019, that number is expected to reach nearly $200
billion.
The bad news is that wherever there is money, there are bad guys looking for
a piece of the pie. And it’s a growing piece of the pie with an estimated loss of
$1.3 billion annually to mobile fraud (compared to $3.2 billion in desktop fraud),
according to the IAB, whose study focused mainly on fraudulent and invalid
traffic. Zooming in on mobile app install and engagement fraud, we found an
estimated annual loss of up to $350 million.
The good news is that there are plenty of ways to fight back. It won’t eliminate
fraud entirely but it can definitely minimize your exposure. Also, mobile fraud is
no longer the elephant in the room among adtech vendors. The subject is now
increasingly raised across the mobile ecosystem, leading to more partnerships
and collaborations, which is an important step forward in the battle against
fraudsters.
ATTACK
In a nutshell, fraudsters look for ways to adapt to KPIs advertisers focus on, and then
they try to ‘game the system’. That’s why the different types of mobile fraud are
often linked to the common pricing models. If we examine this as a funnel, there is
impression fraud targeting CPM (cost per mille), click fraud targeting CPC (cost per
click), install fraud targeting CPI (cost per install) and event (in-app) fraud targeting
CPA (cost per action).
Generally speaking, the deeper the funnel stage, the harder it is for the bad guys
to succeed. But since the financial reward associated with each pricing model is
highest at the bottom of the funnel (CPI and CPA), fraudsters also try harder, which
leads to an increase in fraudulent activity.
IMPRESSION FRAUD
This is a shady tactic by which publishers stack multiple display ads on
the same piece of real estate. The advertiser is then charged for multiple
views even though the user was only exposed to one ad. Although most
performance-driven app marketers who focus on user acquisition do not
run CPM campaigns, there are exceptions as some mobile ad networks only
offer CPM. Also, the red hot mobile video ad format with its high payouts is
primarily CPM-driven.
CLICK FRAUD
This black-hat technique is mainly perpetrated via an automated script
or a computer program (aka bots) that imitates a legitimate user, thereby
generating a massive number of clicks on ads in order to incur charges from
CPC ad budgets.
INSTALL FRAUD
With CPI being the most common pricing model in performance app
marketing, install fraud is also most prevalent. There are two main methods
to perpetrate install fraud:
1. Generating fake clicks and fake installs. This happens when install bots
mimic human behavior by simulating a device that sends a fake click and
then a fake install to the attribution provider. When the two are paired,
the attribution provider will typically credit the click source - in this case
most likely a fraudulent publisher that even the ad network does not
know about - with install attribution. The advertiser then pays the winning
network, which passes a portion of the payout to its publishers, and that
money ultimately makes its way into the fraudster’s hands.
2. Generating a flood of fake clicks to randomly match subsequent
organic installs. This type of fraud requires a large scale operation that
can generate millions of fake clicks that otherwise appear legitimate.
Fraudsters can do this by using:
• Simulated devices
• Fraudulent apps running invisible ads in the background
of real devices
• Sending clicks from catalogs of real, collected device IDs
Randomly netting organic installs can then occur by defrauding the
attribution provider’s fingerprinting algorithm - the measurement
method that uses publicly available parameters (i.e. device name, device
type, OS version, platform, IP address, carrier, to name just a few), to
form a digital fingerprint ID that statistically matches specific device
attributes.
For example, let’s assume a user installs an app organically from a certain
IP, with a Samsung Galaxy 5 that has an OS version 6.0.1. In such a case,
a click from the same IP with the same device characteristics could trick
a fingerprinting algorithm into believing that this click led to the organic
install, leading the attribution provider to credit the ad network which is
most likely not even aware that the false click was generated by one of its
fraudulent publishers. When using a standard 1-day attribution window
for fingerprinting, it would be enough for an organic install to occur
within 24 hours after this fraudulent click to falsely claim attribution.
Randomly matching a click to an organic install can also happen by using
real, collected device IDs and then taking credit for organic installs
downloaded from a device with the same device ID.
IN-APP (EVENT) FRAUD
As retention and engagement become the most valuable KPIs for app
marketers, the CPA pricing model is gaining popularity and with it fraudsters’
attempts to impersonate in-app activity. This can include simulating app
usage, playing a game or making fake in-app purchases (through a transfer
of virtual goods where no real money is being exchanged). Ultimately,
fraudsters seek to inflate the perceived value of their installs to make
it appear real, and justify further spend with a source that supposedly
delivered value.
COUNTERATTACK
PREVENT FRAUD BEFORE IT TAINTS YOUR DATA
Efficient prevention is key. Ensuring fraud does not pollute your dashboard is of the
utmost importance. The main prevention methods include:
• Active IP, user agent and device ID filtering. Algorithms actively monitor
mobile ad interactions to automatically verify legitimate activity and catalog
suspect or mismatched IP addresses, user agents and device IDs.
• Distribution modelling. Big data models are capable of detecting anomalies
such as mean-time-to-install (MTTI), geographic distribution, click volume
by IP address and device ID, user agent versus IP benchmarks and more.
As with any machine learning, scale of data is extremely important so the
larger your provider’s scale, the more data an engine can train on to deliver
effective results.
• Device ranking. Important as they are, active IP filtering and distribution
modeling are usually not enough: IPs can easily be changed while distribution
models are slow to adapt and can be manipulated by fraudsters to match an
expected trend. That’s why a third critical layer of defense fights fraud at the
source - the device level. When an anti-fraud mechanism draws its signals
and learnings from a massive, cross-app database, the decision on whether
to label an install/event as fraudulent is based on a far wider data set.
• Install and in-app receipt validation. By connecting to the app store’s
servers to validate the legitimacy of an install or in-app purchase, illegitimate
activity can be filtered out before it inflicts any damage.
Ultimately, the most effective fraud protection systems will use a variety of signals to
create big data and machine-learning powered insights across publishers. As such,
additional layers of protection on top of rule-based and modeling components are
important to enhance effectiveness.
DETECT FRAUD THAT SLIPPED THROUGH WITH RAW DATA REPORTS
On-going monitoring for any data anomalies can detect fraud after the fact. This is
done by diving deep into raw data reports which include all install, engagement and
purchase data. With precise timestamps for every action and engagement, every
reported user action can be tracked.
ONLY RUN WITH NETWORKS YOU TRUST
Thankfully, the ecosystem has hundreds of reputable and established sources.
You can start by exploring the networks in our performance index, but remember
each app is a world of its own and there are plenty of smaller networks that have
performed well for our clients.
Remember that if networks are integrated with a trusted mobile measurement
partner it means they have been properly vetted as well. If you’re not sure about it,
start with a test budget and make sure you’re getting good and legitimate results
before further investing.
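The distribution modelling and raw data monitoring described above can be sketched as a per-source report over click and install records. This is an added example, not AppsFlyer's code: the record layout, the thresholds and the sample data are assumptions, as is treating a long median click-to-install time as the anomalous direction for MTTI.

```python
from collections import defaultdict
from statistics import median

# Assumed thresholds for illustration; tune them against your own baselines.
MIN_CONVERSION = 0.001     # installs per click
MAX_MEDIAN_MTTI_S = 3600   # median click-to-install time, seconds
MAX_CLICKS_PER_IP = 100    # clicks from a single IP

def source_report(clicks, installs):
    """clicks: (source, ip, ts); installs: (source, click_ts, install_ts)."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for source, ip, _ts in clicks:
        per_ip[source][ip] += 1
    mtti = defaultdict(list)
    for source, click_ts, install_ts in installs:
        mtti[source].append(install_ts - click_ts)
    report = {}
    for source, ips in per_ip.items():
        total, times, flags = sum(ips.values()), mtti[source], []
        if len(times) / total < MIN_CONVERSION:
            flags.append("low_conversion")
        if times and median(times) > MAX_MEDIAN_MTTI_S:
            flags.append("slow_mtti")
        if max(ips.values()) > MAX_CLICKS_PER_IP:
            flags.append("ip_click_volume")
        report[source] = flags
    return report

def build_sample():
    """Constructed data: net_a looks normal, net_b floods clicks."""
    clicks, installs = [], []
    for i in range(200):                    # 200 clicks, 20 installs
        clicks.append(("net_a", f"10.0.{i // 50}.{i % 50}", i * 60))
        if i % 10 == 0:
            installs.append(("net_a", i * 60, i * 60 + 90 + i))
    for i in range(50000):                  # 50,000 clicks from 20 IPs
        clicks.append(("net_b", f"192.0.2.{i % 20}", i))
    for i in range(30):                     # 30 installs spread over 24 hours
        installs.append(("net_b", i * 1000, i * 1000 + 2000 + i * 2800))
    return clicks, installs
```

A source that raises all three flags at once matches the click-flood profile: a huge click count, very few attributed installs, and installs that arrive long after the credited click.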
DEMAND TRANSPARENCY
Make sure the networks you work with are transparent about their sources and
sub-sources.
Encourage those that aren’t to increase their level of transparency and tie it to your
spend. After all, it’s also in their interest to pinpoint the one fraudulent source to
enable a budget increase in all the other legitimate ones.
USE DIRECT PUBLISHERS
When you work with direct publishers or with networks that have relationships with
direct publishers, you know where your ads are running. With no surprises, it’s unlikely
you’ll encounter fraud using these sources. But keep in mind it will be a challenge to
scale with only direct sources.
UTILIZE A MEASUREMENT PARTNER'S SDK PROTECTION
A native and secure SDK uses security mechanisms like hashing and encryption to
make sure device installations and in-app events sent by the SDK are legitimate.
TAKE NOTICE: FRAUD BY GEO VARIES SIGNIFICANTLY!
Our recent study has shown that in general fraudsters follow the money trail. As such,
countries with the highest payouts are most targeted by bad actors (i.e. Germany,
Australia, US, UK, and China).
[Figure: Share of Fraudulent Devices Out of Total Unique Devices In Top Markets*. Legend: High Fraud Rate, Low Fraud Rate. Markets labelled: Germany, Russia, France, Brazil, Mexico, Argentina, UK, US, Canada, China, Japan, Korea, Thailand, Indonesia, Australia, Vietnam, India.]
* Device geo location is determined by the most common location of installs from that device
LAST BUT NOT LEAST: KEEP YOUR EYE ON THE BALL!
Fraud can appear in different forms and shapes. Understanding what type of warning
signs to look out for is crucial to help minimize fraud. The following examples will
help you open your eyes to potential threats:
IP-related:
• Large number of clicks / installs / unique identifiers from the same IP
• Different IP locations between the ad click and the install / first launch
Consistency/patterns:
• Click / install every 20 seconds
• Players / users from a specific source always drop off at the exact same
point in a game / app (e.g. before a game tutorial, before a registration)
• Large number of installs from the same device brand / model
Mismatches:
• App versions different than versions available at the store
• Platform mismatches between ad click and install
• Geographic mismatches between ad click and install
Device ID-related:
• Different identifiers for the same device
• Multiple IDFAs for a single IDFV (identifier for a vendor)
• IDFA / Google Advertising ID are not in uppercase or lowercase, as they
should be (respectively)
• Device ID numbers hold a consistent pattern
Other issues:
• Appearance of GEOs not included in targeting criteria
• For in-app events: the value of the transaction does not exist in the app
• Device IDs increase in the same pattern
• Large volume of installs without data on carrier / city / country
Performance-related:
• Sharp increase in install volume, a stark decline in day 1 retention
• Premium traffic performing like low quality traffic
• Suspiciously low pricing
• Extremely low conversion rates
• Extremely high uninstall rates
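Several of the warning signs listed above can be checked mechanically against a raw data report. The following is an added example, not part of the original paper: the row field names, the `row` helper, the `min_run` cut-off and all sample identifiers are assumptions made for illustration.

```python
import re
from collections import defaultdict

UUID_RE = re.compile(r"[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")

def warning_signs(rows, min_run=5):
    """Map each source to the warning signs seen in its install rows."""
    found, idfas_by_idfv, times = defaultdict(set), defaultdict(set), defaultdict(list)
    for r in rows:
        src, ad_id = r["source"], r["ad_id"]
        # IDFA is expected in uppercase, Google Advertising ID in lowercase.
        expected = ad_id.upper() if r["platform"] == "ios" else ad_id.lower()
        if not UUID_RE.fullmatch(ad_id) or ad_id != expected:
            found[src].add("ad_id_format")
        if r["click_platform"] != r["platform"]:
            found[src].add("platform_mismatch")
        if r["click_country"] != r["country"]:
            found[src].add("geo_mismatch")
        if r["idfv"]:
            idfas_by_idfv[(src, r["idfv"])].add(ad_id)
        times[src].append(r["install_ts"])
    for (src, _idfv), idfas in idfas_by_idfv.items():
        if len(idfas) > 1:          # multiple IDFAs for a single IDFV
            found[src].add("multiple_idfa_per_idfv")
    for src, ts in times.items():
        ts.sort()
        gaps = {b - a for a, b in zip(ts, ts[1:])}
        # Many installs with one identical gap: the "every 20 seconds" pattern.
        if len(ts) > min_run and len(gaps) == 1:
            found[src].add("fixed_interval")
    return {src: sorted(found[src]) for src in times}

def row(source, platform, ad_id, ts, idfv=None, click_platform=None,
        country="DE", click_country="DE"):
    """Build one raw-data row; the field names are assumptions."""
    return {"source": source, "platform": platform, "ad_id": ad_id,
            "install_ts": ts, "idfv": idfv, "country": country,
            "click_platform": click_platform or platform,
            "click_country": click_country}

# Constructed sample rows; every identifier below is made up.
SAMPLE = [
    row("pub_1", "ios", "7F3A9C1E-2B4D-4E6F-8A1B-9C0D1E2F3A4B", 1000, "V1"),
    row("pub_1", "android", "0b3c2f1e-5a6d-4e7f-8a9b-1c2d3e4f5a6b", 4321),
] + [
    row("pub_2", "ios", f"aaaaaaaa-0000-4000-8000-{i:012x}", 20 * i, "V9",
        click_country="US")
    for i in range(8)
]
```

Calling `warning_signs(SAMPLE)` leaves `pub_1` with an empty list and flags `pub_2` for lowercase IDFAs, eight IDFAs behind one IDFV, a click/install country mismatch and installs exactly 20 seconds apart.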
ADVERTISER, NETWORK AND FRAUD PROVIDER POVS
As part of a series we ran on our blog called ‘Talking Mobile Fraud’, we wanted
to hear the perspectives of different players in the mobile marketing space on the
state of mobile fraud: the network was represented by Pepe Agell, VP of Business
at Chartboost, the advertiser’s corner had Patrick Witham, the Senior Mobile User
Acquisition Manager with Product Madness, while the fraud vendor position was
filled by Johnny Thwaites, Head of International Performance Sales at Forensiq.
On the threat of fraud in the mobile space
“Three years ago, mobile fraud was in single digits. Erring on the side
of caution I suspect that approximately a fifth of overall mobile traffic
is at some risk of fraud, while about 10% is at high risk of fraud.”
“Fraud poses a big threat to mobile marketers. It has existed since the
app industry first gained popularity, but has drastically increased in
the past couple of years.”
“Fraud is growing in the mobile industry, and UA Managers are
becoming more aware of this issue. In my opinion, the main driver of
fraud growth is the rapid growth of our industry overall.”
Most-encountered types of fraud
“The primary type of fraud in mobile is user acquisition fraud, which
is centered around stolen attribution, fake installs and botnets.”
“Install fraud mainly — bots installing and uninstalling thousands
of times. I have also seen vendors misreport incentivized traffic as
unincentivized traffic, which may not be your typical fraud, but can
really distort your numbers.”
“Bot generated traffic is by far the most common type of fraud.
Bot activity can be extremely straightforward and easy to spot or
extremely sophisticated... As the degree of difficulty increases from
faked impression to faked install, so does the financial reward, which
is why install fraud is becoming so common.”
How to fight back
1) Work with trusted vendors only.
2) Always report back publisher ID or application ID internally so you
can look at retention by ID.
3) Work with vendors with direct publisher traffic.
4) Bonus: Work with vendors with full transparency and raw data exports.
“Pay close attention to your user metrics, and be careful who you
work with! Continue investing heavily in automated fraud detection,
and work closely with attribution providers to identify and stay on top
of industry-wide trends in fraud.”
1) Get a partner in place capable of picking out fraudulent activity as it
happens.
2) Get assurance from publishers that they are not buying third party
traffic and keep an eye out for suspiciously low pricing… Also, look out
for extremely low conversion rates as this may also be an indicator of
attribution fraud.
3) Demand transparency – if a network is not sharing their sources and
sub sources, request such information to be able to properly optimize
campaigns. Don’t buy inventory that is not sold transparently.
Mobile fraud 12-18 months from now
“I think there will finally be a company that is able to prevent this with
near 100% capability, and “clean up” the industry. This will either come
from the MMP side or another 3rd party.”
“With the increase of spend in mobile and the demand for more inventory,
fraud will increase. The release and implementation of the MRC’s IVT
guidelines will likely contribute to the standardization measurement
and definition of fraud over the next 18 months. We expect the IAB to
do the same. Having a fraud protection layer may become a standard
requirement as well.”
“Fraudsters will continue to adapt and evolve, and the market should
be prepared for that. Investing now in automated fraud detection
with adaptable signals will pay off dividends as fraud becomes more
sophisticated.”
ABOUT APPSFLYER
AppsFlyer is the leading mobile advertising attribution and marketing
analytics platform, allowing app marketers to measure the end-to-end
performance of their campaigns across over 1,600 integrated networks
from a single real-time dashboard. The company's comprehensive
Active Fraud Solution offers mobile marketers everything they need
to actively prevent mobile fraud. Among its 10,000 customers are
Alibaba, Baidu, Macy’s, Samsung, Playtika, IHG, Trivago, DeNA, and HBO.
AUTHOR - Shani Rosenfelder
Shani Rosenfelder is the content marketing lead at AppsFlyer. He has
over 10 years of experience in key content and marketing roles across
a variety of leading online companies and startups. You can follow him
on LinkedIn.
CO-AUTHOR - Daniel Zilberberg
Daniel is the Product & Fraud Scientist at AppsFlyer. With over 7 years
of experience in the fields of data analysis, machine learning algorithms
and data anomalies, he excels at pinpointing key insights within big
numbers. Daniel holds a B.Sc. with honors in Mathematics & Statistics,
in addition to an MBA degree specializing in Finance and Accounting,
both from Tel Aviv University.
A FINAL THOUGHT
Mobile Advertising fraud is probably here to stay as it is a classic game of cat and mouse between the bad guys and the good guys. However, with proper measures and cross-industry collaboration, it is more than possible to marginalize its impact. With increased awareness of fraud, we are making mobile advertising better, en route to a goal in which advertisers only pay for ads that delivered real, measurable value.
Introducing DeviceRank™
The Next Generation of Mobile Fraud Protection
Discover The DeviceRank™ Advantage Today
Learn More at www.devicerank.me