eMarketer predicts that in 2019 mobile advertising will surpass $93 billion, a full $20 billion more than what it expects will be spent on TV, but one of the biggest challenges to mobile advertising growth has been invalid traffic (IVT) and mobile ad fraud such as fake installs and click spamming. This has a significant impact on the app ecosystem. As a result, it is crucial that consumers and businesses alike learn more about mobile app security.
What if anything can the industry do to address and mitigate ad fraud?
How Big is Mobile Ad Fraud?
Mobile ad fraud consists of all the illegal activities that negatively impact the entire mobile ecosystem, and this includes advertisers, publishers, and everyone in between. According to Elad Natanson, ad fraud was estimated to have cost stakeholders about $19 billion in 2018. These numbers are likely underestimating the full cost; they only tally the rejection rates pooled from fraud prevention tools. There have been some steps taken to address the issue, but fraudsters have evolved and are now using sophisticated tools that make it harder to detect.
Types of Mobile Ad Fraud
There are 6 main types of mobile ad fraud:
- CPM Ad Fraud
CPM (cost per mille or thousand) – “mille” is Latin for 1000. This is legacy nomenclature that’s been used for decades in traditional advertising. Some campaigns are priced based on thousands of impressions delivered to a target audience. So the more impressions, the bigger the charge back to the advertiser if the campaign is based on CPM. Some types of CPM ad fraud include:
- Ad Stacking or View Fraud: Multiple display ads are stacked on top of one another in a single ad placement. The user gets to view only the top ad but all the advertisers (of ads in layers) are charged for fake ad impressions.
- Invisible Pixels: Ads are stuffed into a single pixel on the screen, which is invisible to the user, yet the advertiser is charged for the impression.
- Unstoppable Ads: Apps are manipulated to load ads continuously, even when the user is not using the app.
- Video auto-play: Fraudsters play video ads automatically in the background when the user is not watching or is unaware of the ad.
- CPC Ad Fraud
CPC (cost per click) – an advertiser is charged based on how many times the ad is clicked on. This is the main form of advertising in search advertising, and many times paid social advertising as well. Some types of CPC ad fraud include:
- Automatic Redirection: Even when the user has not clicked on the ad, the fraudster maliciously redirects the user to the ad landing page. If the user eventually takes an action like downloading an app, it falsely attributes conversion to the publisher.
- Deceptive Ads: You might have come across advertisements that serve as a warning or an alert, or pose as an advertisement for some product, and when you click on them you land on a totally unrelated page. Often the close or X button is misused to trick users into clicking when they are trying to close the ad. Such ads deceive both the users and the advertisers.
- CPI Fraud
CPI (cost per install) – an advertiser or app developer is charged based on how many times an app is downloaded and installed on a mobile device. Some types of CPI fraud include:
- Installation/Activation Fraud: This is related to fake installs. Malicious software is used to create fake installs. Sometimes, device information is rigged, or app SDK is cracked to send virtual information (like app download) to the network or app store. Sometimes a group of people are hired with many mobile devices to manually install applications (click farms).
- Attribution Fraud (Click Stuffing): Here fraudsters try to capitalize on first click or last click attribution. They try to identify the users who are about to make a purchase and target ads to them or artificially stuff clicks (just before the purchase) using a device or user details to make it look like the user completed the click.
- Click Spam and Click Injection: Click Spam, or organic poaching, executes clicks on behalf of the user without the user being aware of it. For instance, if a user lands on a malicious page (or app), the fraudster could run clicks in the background, execute interaction with an ad, send impression-to-clicks as if it has converted to engagement, or send clicks from false device IDs.
- Click Injection is an advanced form of click spam where a malicious app listens to install broadcasts and detects when an app is about to be installed and triggers a click just before the install.
- Post-Install Fraud
This is malicious or fake activity that mimics human user behavior in an attempt to run up engagement metrics. Some types of post-install fraud include:
- Registration Fraud: Hired workers register on landing pages using fake accounts.
- Value of Install Frauds: After a fake install, bots simulate user behavior to trick the advertiser into believing the install came from a legitimate user, so the advertiser is motivated to run more campaigns.
- Hacking the postback URL & APK: Hackers manipulate the installation postback URL and fake bulk installs on a single click or bulk clicks on the ads. Thus, it becomes difficult to ascertain whether your campaign has been successful or the users are fake.
- Fraudulent Traffic
Also known as invalid traffic (IVT), this means not delivering the type of traffic or audience targeted by the advertiser. Some examples of fraudulent traffic include:
- Geo Fraud/Wrong Targeting: This kind of fraud occurs when campaigns are targeting an audience from a specific geographic location, but the ads are shown to irrelevant networks and marketers are provided with false data (that alters the device location of clicks/registrations).
- Fraud using Spoofing: A single device is spoofed to resemble different unique devices and clicks/downloads/installs are counted for different devices.
- Bots: Bots not only trigger clicks or fake installs but are sophisticated enough to create fake user profiles that simulate a user's online behavior by interacting with ads, visiting landing pages, and showing an intent to purchase.
Some examples of spoofing include:
- Cookie Stuffing: Multiple cookies are attached to the user and when the conversion occurs the fraudster gets paid instead of the publisher.
- Domain Spoofing: Fraudsters portray their low-profile websites as premium websites, and when the user unconsciously clicks on them, the malware on their site runs in the user's browser, gains access to ad tags, and impersonates the property. So, the advertisers think their ads are running on a premium website, while in fact they are running on substandard properties.
In the mobile app world specifically, the mobile games vertical is targeted the most, according to DazeInfo and ClicksMob. This is likely driven by the value mobile game app developers place on installs, registrations, and engagement.
Can We Curtail Mobile Ad Fraud?
Encouragingly, there has been some progress in curtailing mobile ad fraud. The use of ads.txt, which helps stop web domain spoofing, is one of the initiatives that has also been applied in mobile apps with some degree of success. However, detecting and stopping fraud can be equated to an arms race. When industry experts successfully combat one form of fraud, fraudsters devise another more sophisticated tool or tactic. Consequently, dealing with mobile ad fraud is a continuous and relentless battle.
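How an ads.txt check stops a spoofed domain, shown as an added example that is not part of the original article: a buyer parses the publisher's ads.txt and rejects any offer whose ad system and seller account are not listed. The publisher, exchange names and account IDs below are constructed placeholders.

```python
# Constructed ads.txt content for a hypothetical publisher, premium-news.example.
# Record format: ad system domain, seller account ID, DIRECT|RESELLER[, cert authority ID]
ADS_TXT = """\
# ads.txt for premium-news.example (constructed sample)
contact=adops@premium-news.example
exchange-one.example, pub-1001, DIRECT, abc123   # publisher's own account
Exchange-Two.example, 77-XY, reseller
broken line without enough fields
"""


def parse_ads_txt(text):
    """Return the set of (ad_system_domain, seller_account_id, relationship)."""
    records = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or "=" in line.split(",", 1)[0]:
            continue                                  # blank line or variable (contact=...)
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            continue                                  # malformed record: ignore it
        domain, account, relation = fields[0].lower(), fields[1], fields[2].upper()
        if relation in ("DIRECT", "RESELLER"):
            records.add((domain, account, relation))
    return records


def is_authorized(records, ad_system, seller_id):
    """True if this ad system / seller account pair is listed by the publisher.

    The domain is compared case-insensitively, the account ID exactly.
    """
    return any(d == ad_system.lower() and a == seller_id for d, a, _ in records)


if __name__ == "__main__":
    recs = parse_ads_txt(ADS_TXT)
    # Offer that claims to sell premium-news.example inventory through a listed seat.
    print(is_authorized(recs, "exchange-one.example", "pub-1001"))
    # Offer that claims the same domain through an account the publisher never listed.
    print(is_authorized(recs, "exchange-one.example", "pub-9999"))
```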
Most of the new sophisticated tools used by fraudsters revolve around invalid traffic (IVT). IVT is fake traffic that applies crawlers, spiders, and bots and mimics real user behavior. IVT comes in various forms, for example, click spamming, click injection, fake installs, ad stacking, among others.
The most common of these are click spamming and click injection. Click spamming is the manipulation of the attribution of organic traffic, which enables fraudsters to execute clicks on behalf, and without the knowledge, of users. Click spamming may come in the form of server-to-server catalogs, in-app background clicks, and stacked ads. Click injection is a more advanced form of click spamming, and it is most common on Android phones. It comes in two forms: content provider exploit and package-added broadcast. Fraudsters apply this tool to steal the CPI payout by creating a legitimate-looking ad click.
Invalid traffic is double-edged as it leads to the loss of money and squandered impressions. IVT in the form of wasted impressions cascades to other metrics such as CTR (click-through rate), conversion rates, reach, frequency, and ultimately trial and sales. By diluting these metrics, IVT compromises the importance of benchmarking and optimization, suggests ad fraud expert Joe Nguyen. Invalid traffic obfuscates and erodes the results of various marketing campaigns.
Consequently, it is critical for marketers to understand the nature and magnitude of ad fraud so that they can employ relevant strategies and tools to mitigate negative impacts as much as possible. Technology, as well as education and industry standards and protocols, are all part of a multi-pronged approach.
Advanced technologies have become necessary, considering that most fraudsters rely on a vast network of bots which have the capability of mimicking human behavior without alerting the user of the device. Technology that relies on multi-point checking by using different data sources that prescribe ideal human behavior could prove ideal for detecting and preventing bot activity, according to Nguyen. Some of the data sources that could aid in mapping real users could be collected from traffic data from publisher SDKs and tags, and also panel data from real users with information on the device ID, IP address, and mobile browsers used. Such efforts would help experts differentiate between IVT and real human traffic.
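A small multi-signal check of the kind described above, as an added example that is not from the original article: it flags installs whose click arrives only seconds before the install (the click injection pattern) and source IPs that report many "unique" device IDs (the spoofing pattern). The records, field layout and thresholds are constructed assumptions and would need tuning against real traffic.

```python
from collections import defaultdict
from datetime import datetime

# Constructed attribution records: (install id, device id, source IP, click time, install time)
RECORDS = [
    ("i1", "dev-a", "198.51.100.7", "2019-03-01T10:00:00", "2019-03-01T10:03:10"),
    ("i2", "dev-b", "198.51.100.8", "2019-03-01T10:05:00", "2019-03-01T10:05:04"),
    ("i3", "dev-c", "203.0.113.5", "2019-03-01T11:00:00", "2019-03-01T11:02:30"),
    ("i4", "dev-d", "203.0.113.5", "2019-03-01T11:00:05", "2019-03-01T11:02:40"),
    ("i5", "dev-e", "203.0.113.5", "2019-03-01T11:00:09", "2019-03-01T11:03:00"),
    ("i6", "dev-f", "203.0.113.5", "2019-03-01T11:00:12", "2019-03-01T11:00:15"),
    ("i7", "dev-g", "198.51.100.9", "2019-03-01T12:10:00", "2019-03-01T12:09:00"),
]

MIN_CTIT_SECONDS = 10    # assumed: no real user downloads and opens an app this fast
MAX_DEVICES_PER_IP = 3   # assumed: more distinct device IDs than this per IP is suspicious


def click_to_install_seconds(click, install):
    """Click-to-install time (CTIT) in seconds; negative if the click came later."""
    delta = datetime.fromisoformat(install) - datetime.fromisoformat(click)
    return delta.total_seconds()


def flag_records(records):
    """Return {install_id: [reasons]} for installs that look like invalid traffic."""
    devices_by_ip = defaultdict(set)
    for _, device, ip, _, _ in records:
        devices_by_ip[ip].add(device)

    flags = defaultdict(list)
    for install_id, _, ip, click, install in records:
        ctit = click_to_install_seconds(click, install)
        if ctit < 0:
            flags[install_id].append("click_after_install")        # impossible attribution
        elif ctit < MIN_CTIT_SECONDS:
            flags[install_id].append("click_injection_suspected")  # click just before install
        if len(devices_by_ip[ip]) > MAX_DEVICES_PER_IP:
            flags[install_id].append("many_devices_one_ip")        # possible device spoofing
    return dict(flags)


if __name__ == "__main__":
    for install_id, reasons in sorted(flag_records(RECORDS).items()):
        print(install_id, ", ".join(reasons))
```

A flag here is a reason to hold the payout for review, not proof of fraud; shared networks such as carrier NAT or office Wi-Fi can legitimately put many devices behind one IP.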
In addition to technology, stakeholders must change their mindset regarding the metrics that inform marketing campaigns. Marketers must alter their expectations since most of them do not meet human eyes. Only after reevaluating the use of the impression metrics can stakeholders become proactive and develop unique techniques that detect and prevent invalid traffic. Stakeholders must add to their arsenal and stop relying only on blacklists to tackle the issue. Educating marketers and other experts on the evolving nature of IVT could ensure that all stakeholders keep up with the threat and take care of where and how their inventory is purchased.
Fighting Mobile Ad Fraud Will Never End
The fragmentation of the mobile advertising ecosystem presents a myriad of challenges. The different media formats, operating systems, and varying devices provide opportunities for marketers to push content but also allow fraudsters to launch multiple attacks from various points.
The fraudulent activities that were common on desktop computers have made their way to mobile devices, and have also been joined by other more sophisticated attacks that are unique to the mobile ecosystem. For instance, portable devices can be hijacked by attackers, allowing them to generate unrestrained ad interactions without the knowledge of the user. IVT is present on all devices – both iOS and Android platforms – and has found its way into mobile browsing and applications.
In summary, it will take a coordinated effort of technology, standards, and process adjustments to mitigate ad fraud. Old-school collection of real user data could also inform how best to handle bots and other ad fraud techniques.
What are your thoughts on ad fraud and how to best mitigate the risks?
About the Author
Ricardo Cidale is Vice President, Americas for Syntonic. In this role, he also acts as Managing Director, Syntonic Brasil, overseeing all operations for the region. Cidale is a veteran executive and entrepreneur with a successful track record of building and operating businesses in the Americas with a focus on telecom, media, enterprise and government. Previously, Cidale held executive leadership positions at RealNetworks, Compaq Computer Corporation and Dell Technologies, among others.