Mobile fraud trends to watch in 2018: SDK spoofing and click injections
Editor's note: The following is a guest post from Paul Muller, co-founder and chief technology officer at mobile measurement company Adjust.
Since 2015, fraud rates have increased dramatically. The first fraud prevention filters denied attribution to installs coming from IPs associated with data centers or known proxy servers, potentially rejecting only around 2-3%, as such fraud attempts were less common than they are today. Still, the impact was quite significant, with some companies having been defrauded to the tune of $1 million a month.
The next big issue to emerge was click spamming, which has had a much larger overall effect; the filter for it today rejects another 5% of all attributions. These two filters that act as countermeasures to fraud attempts can drastically reduce fraud levels across the board, as fraudsters shift their focus to other apps that are not so well protected. These two filters proved a major success in combating fraud throughout 2017 and saved marketers millions of dollars.
At the end of the year, we learned about two new types of fraud — SDK spoofing and click injections — and began to investigate. SDK spoofing is a type of fraud that consumes an advertiser's budget by generating legitimate-looking installs without any real installs occurring. In this scheme, fraudsters utilize a real device without the device's user actually ever installing an app.
SDK spoofing is now harder to spot than fake installs generated in emulation or install farms, as the devices that fraudsters use in this scheme are real and, therefore, normally active and spread out. Fraudsters are starting to collect real device data by using their own apps or by leveraging any app they have control over. The intent of their data collection is malicious, but that doesn't mean that the app being exploited for data is purely malicious. The perpetrator's app might have a very real purpose or it might be someone else's legitimate app, and the perpetrators simply have access to it by means of having their SDK integrated within it. This could be any type of SDK — from monetization SDKs to any closed-source SDK — where the information being collected isn't transparent. Regardless of the specific circumstances, the fraudsters have access to an app that's being used by a large number of users, and this is what makes this type of fraud so dangerous to advertisers.
In response, the industry needs to adapt technology to ensure that requests coming in are from real users. Specifically, it's necessary to add cryptographic signatures to all incoming requests. Since first recognizing this new form of fraud, despite the industry's early efforts to prevent it, we've seen no decrease in the attempts of fraudsters. In fact, the numbers continue to grow. We've seen upward of 80% of campaigns being targeted, with no slowdown in sight.
The most shocking discovery of 2017, however, was the type of fraud known as click injection. A mechanism of Android was abused on an operating system level to trigger fraudulent clicks in the last second of an app's installation. In this way, all kinds of attributions were stolen, both those of organic users and those of users from paid sources alike. Networks are now seeing rejection rates of over 50%, meaning half of all attributions were fraudulent.
Without proper education and active fraud prevention, user acquisition managers risk wasting a significant share of the budget they allocate outside of Google and Facebook. It's therefore more essential than ever that everyone buying mobile ads has a clear understanding of the types of fraud that exist as well as the dangers they present.
User acquisition managers should work closely with their ad network partners and data team to develop a solution that stops these fraud schemes dead in their tracks. We recommend creating a signature hash to sign SDK communication packages. This method ensures that replay attacks don't work, as a new dynamic parameter in the URL cannot be guessed or stolen, and is only ever used once.
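The signing recommendation above, as an added example that is not Adjust's or any SDK's actual implementation: the client signs its request parameters together with a one-time nonce and a timestamp, and the server rejects tampered, stale, or replayed requests. HMAC-SHA256, the parameter names `nonce`, `ts` and `sig`, the 300-second window, and the shared secret are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Constructed demo secret (assumption); a real one is provisioned per app and never logged.
APP_SECRET = b"constructed-demo-secret"
MAX_SKEW_SECONDS = 300  # assumed freshness window


def _canonical(params):
    """Sort parameters so client and server sign identical bytes."""
    return urlencode(sorted(params.items())).encode()


def sign_request(params, nonce, ts, secret=APP_SECRET):
    """Client side: return the query string with nonce, timestamp and signature."""
    signed = dict(params, nonce=nonce, ts=str(ts))
    signed["sig"] = hmac.new(secret, _canonical(signed), hashlib.sha256).hexdigest()
    return urlencode(signed)


class Verifier:
    """Server side: check signature, freshness, and one-time use of the nonce."""
    def __init__(self, secret=APP_SECRET):
        self.secret = secret
        self.seen = {}  # nonce -> timestamp; a real service would use a TTL store

    def verify(self, query, now=None):
        now = time.time() if now is None else now
        params = dict(parse_qsl(query, keep_blank_values=True))
        sig = params.pop("sig", "")
        if not {"nonce", "ts"} <= params.keys():
            return "missing_fields"
        expected = hmac.new(self.secret, _canonical(params), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return "bad_signature"
        try:
            ts = int(params["ts"])
        except ValueError:
            return "bad_timestamp"
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return "stale"
        # Drop nonces older than the window, then refuse any nonce seen before.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW_SECONDS}
        if params["nonce"] in self.seen:
            return "replayed"
        self.seen[params["nonce"]] = ts
        return "ok"
```

Because the nonce and timestamp are covered by the signature, a captured request cannot be resubmitted with fresh values, and the freshness window bounds how long the server must remember used nonces.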
Fraud is a constant battle that never sleeps, but you can start to take measures in preventing and limiting attacks from these SDK spoofing and click injection schemes today to make 2018 more successful for your business.