The lack of transparency in desktop RTB has earned it a reputation as the Wild West of digital advertising. But by comparison, mobile app RTB is an untouched wilderness.
12 million devices… had downloaded one of the flagged apps — 1% of all the devices in the U.S.
Forensiq
Lax exchange security and a lack of robust fraud detection solutions built for mobile apps have made app inventory fertile ground for fraudsters as they follow the mass consumer migration from desktop.
In a report published this week, mobile in-app advertising platform AppLift estimates that more than a third (34%) of mobile app ad traffic bought programmatically is suspicious, and 12% is at high risk of fraud. That is much higher than similar estimates for desktop, which have hovered between 10-20% for the past two years.
AppLift, which is primarily used to run install campaigns for app developers like Zynga, King and Glu, reviewed a 60 million impressions over four weeks using its own internal statistical tools and security analysis provided by Forensiq. Despite the relatively small sample, it was able to illuminate a few key trends in the burgeoning domain of in-app fraud.
Compared to desktop, mobile fraudsters are still fairly unsophisticated. Though fraudulent apps can simulate clicks, installs, and post-install events, the vast majority just generate raw ad views in order to defraud CPM campaigns. AppLift found ads bought on a CPM basis were three times more likely to be suspicious than ads bought via cost-per-click, and 10 times more likely to be suspicious than cost-per-install ads.
This pattern resembles the early days of desktop RTB fraud when advertisers had few defenses and fraud awareness was still minimal. In that environment, as on the mobile app exchanges today, fraudsters faced little pressure to develop advanced forms of deceit to outwit advertisers and their security vendors.
In a case study attached to the report, AppLift shared the story of one unnamed client that was looking to promote a classifieds app. Even modest traffic analysis raised alarms: 99% of the app’s installs came from just three devices, and the downloading IP addresses (unique numerical identifiers for internet-connected devices) were sequential. The average time between an app’s installation and when the downloader posted or responded to a classified ad was between 10 seconds and two minutes — far faster than a human would normally take to engage.
The example illustrates how little effort mobile app fraudsters are taking to cover their tracks. Though advertisers are beginning to invest more heavily in mobile app advertising, the technology for detecting fraud on apps hasn’t caught up. Many top security firms don’t yet offer robust solutions for screening out novel forms of fraud that specifically target apps.
One of the challenges unique to mobile that security providers are facing is that, unlike websites displayed on browsers, apps and their developers can directly control the signals sent to ad servers and exchanges that determine whether an ad was viewable or drove engagement.
This has led to a rise in so-called “mobile device hijacking,” where publishers deliberately build components into apps that generate fake impressions even when the user doesn’t have the app open — the hyperactive younger cousin of desktop ghost sites.
Mobile users are trusting
Forensiq released a detailed report on mobile hijacking earlier this year. The report showed that most mobile apps that contain fraud code are installed intentionally (as opposed to desktop, where fraudulent malware tends to be installed unintentionally via deceitful techniques that exploit vulnerabilities in the user’s browser or behaviour).
“Consumers trust what they are getting: mobile apps exist in an official app store, may receive many positive reviews, and provide entertainment or utility,” Forensiq wrote. “What we found is that apps can also serve an illicit purpose, harming both advertisers and humans.”
Forensiq flagged more than 5,000 apps available on Google Play, the Apple App Store and third-party app stores for suspicious behaviour that indicated hijacking. In total, it identified 12 million devices that had downloaded one of the flagged apps — 1% of all the devices in the U.S. — and estimated that 13.3% of all mobile app impressions were at high risk of being created by just this one type of fraud.
Upon investigating several of the apps, Forensiq found many of them would generate ads that the user could not see. The apps would begin serving ads when the device started up, and would continue even if the user wasn’t logged in or didn’t have the app running in the foreground. Forensiq estimated that, on average, each app generated 700 fake impressions every hour, only 10% to 20% of which were seen by the user (and that was only when they had the app open; when it was running in the background, they saw 0% of the ads). The apps would also download malicious scripts to simulate random clicks, boost CTRs or redirect users through affiliate links to e-commerce websites.
For consumers, these malicious apps meant gigabytes of wasted data and a severe drain on battery life. A single malicious app could download up to 2GB of images and videos each day that were never shown to the user. On average they made 1,100 calls each minute to ad networks, servers and exchanges, in some cases masquerading as legitimate apps like Blackberry BBM or Wickr (which don’t actually serve any ads).
“In some exchanges and traffic sources, the amount of mobile fraud that we’ve seen has actually eclipsed desktop fraud,” Matt Vella, chief technology officer at Forensiq, told Adweek in the wake of the recent AppLift report. “Whether it’s desktop or mobile, we’re talking about different vehicles to perpetrate advertising—criminals will follow the money.”