By Tom Armstrong, Corporate Sales Manager, Impact EMEA
Performance fraud never goes away, and it targets both web and mobile environments. On the web, the malicious scheming of unseen villains has forced us to coin terms such as click spoofing and toolbar injection, as well as strategies to combat such activities.
In mobile, where we tend to assume the environment is a more controlled one, the danger of performance fraud is actually every bit as great, and it takes distinctive forms, focusing essentially on install attribution fraud and install fraud.
What is it? How does it work? What does it look like?
Knowledge is power, so here’s our guide to the most common forms of performance fraud afflicting the mobile advertising ecosystem.
Install attribution fraud
When unscrupulous partners exploit advertisers’ cost-per-install (CPI) campaigns by stealing or fabricating credit and then collecting revenue for driving an app install, it is known as install attribution fraud. We identify four main techniques:
By hijacking a user’s phone, a malicious publisher can trigger fake clicks for hundreds of legitimate app ads without the user knowing. This is click flooding, and the clicks are intended to game advertisers’ CPI attribution models by attributing credit for any subsequent app install to the unscrupulous hijacker – even though he provided no value in driving the install.
Click injection is an Android-only scam in which a bad actor plants code that continuously monitors a user’s device for new installs. Based on this information, the publisher can send fake clicks just before payable post-install events occur, in order to snatch unearned last-click attribution in CPI campaigns.
When advertisers rely on their affiliate publishers to self-report mobile click events server-side, click spoofing can occur. This is when a publisher triggers a “spoof” mobile click-tracking event in the absence of a legitimate click, claiming attribution for organic installs or installs driven by other legitimate partners.
One more method of corrupting install attribution models, malvertising is the practice of using ads injected with malicious code to send users to app store pages without their consent. Not only do the often-innocent publishers who inadvertently host this malvertising suffer for providing poor user experience, but the malicious party may later claim credit for any future app install.
Bad actors game advertisers’ CPI campaigns by collecting revenue for driving suspicious app installs where installers have no intention of actually using the app. This is called install fraud, and here are the most common strategies:
Install farms employ hundreds of low-cost workers with real phones to install the apps of advertisers who reward partners on a CPI basis.
Device ID reset marathons
Device ID reset marathons effectively industrialise fake installs by resetting the device ID of an install farm worker between each app download – to give the impression that the installs are happening across many different devices, instead of just one in the hands of a fraudster.
If post-install engagement constitutes an advertiser’s payable event, malicious publishers may use paid human engagement farms or scripted retention to enact or automate it and then claim credit. For example, a bad actor may navigate past a certain level in a game to simulate authentic user engagement.
Some affiliates incentivise installs by sharing their commissions with end users via benefits such as rebates, social gaming credits or donations to causes. When this incentivised traffic is unlabelled or mislabelled as non-incentivised traffic, it fraudulently collects a higher CPI pay-out than it is actually worth to the advertiser.
Proxy tunneling occurs when a malicious app, installed across many mobile devices, installs malware that effectively converts that network into a mobile botnet. The botnet is in turn remotely controlled by a botnet operator, which can leverage the hijacked IP of the device to mask the location of the operator, while committing install fraud on a large scale.