Mobile fraud: how to identify and counter it. A Delivery Hero case.
If you are in mobile marketing, you most likely have been affected by fraud in some way and have paid for fraudulent activity.
In this post, Tom Brooks, Mobile Marketing Manager at Delivery Hero, goes over what mobile fraud is, how to identify it, and how to counter it in a rapidly changing mobile environment.
What is Mobile Fraud?
Fraud is any type of activity in which you pay for services you do not receive, but which is framed as if you did. There are two main types of mobile fraud:
- Attribution Fraud. Falsely crediting paid activity with organic users, that is, people who would have been your customers anyway. For example, those who are in the process of installing your app.
- Event/Install spoofing. Generating events and installs from thin air and making you pay CPI for installs that never existed.
Mobile Fraud Techniques
While mobile fraud techniques continue to advance, these five are the most common:
- Classic Click Spam
- Click Injection
- Bots
- Device Farms
- Incentive Traffic
We will unpack these techniques one-by-one and discuss the method, indicators, and solution.
Click Spamming
Let's start with the classic click spam, as this is one of the most famous types of fraudulent activity you will find.
Click spam targets organic users. Because the users behind the installs are real, all post-install events and financial indicators of the install will be real too.
Method
There are multiple methods of doing click spam:
- Pixel stuffing, which is essentially generating lots of clicks that didn't exist. It can be done while you are watching a video on the mobile web.
- In-app inventory: clicks can be generated from pre-installed infected apps, battery savers, memory cleaners, flashlight apps, etc. There was a famous Cheetah Mobile case. They had over 2 billion installs, which turned out to be just a massive front for attribution stealing.
- Auto redirects. I'm sure we have all had the situation in an app, when we clicked on an ad and a window appeared and then vanished. That was a forcible redirect through other promotional tracking links.
Users may notice quick redirects but ultimately they will land on the App Store or Google Play page of the app they intended to download and remain unaware. But it still would be counted as a click.
- Ad stacking / Cookie stacking.
Indicators
What are the indicators that click spamming is affecting your campaigns?
- iOS is more at risk. Because there are fewer devices, there is a higher statistical probability that you're going to get hit. CPIs are also higher on iOS.
- A high number of clicks in relation to installs. If you have a lot of clicks and a low CVR (< 0.5%), that is one indicator. Note that different formats, for example video and banners, have different conversion rates, so a low CVR does not necessarily indicate fraud.
- The main one we are going to look into is abnormal TTI (Time-to-install). Fraudsters can generate clicks but cannot influence when the user downloads the app. In a normal distribution, installs are generated in the first few days post click. Click spam has a “long tail” TTI.
Solution
- Flag sources with a low click-to-install CVR.
- Watch for long tail install distribution.
Here is an example of two networks. Let’s analyze the installs in relation to the click:
The number next to day 0 is the number of customers who installed on the same day as clicking on an ad. Obviously, most of the installs should come from the click that was generated on the same day. I can't remember what I had for dinner three days ago, so I am not going to remember the ad that I clicked on three days ago and go back and install the app.
We can see that with Network Y (on the left), 86% of users installed the app on the same day the click was generated. Then we see a standard decline up to day 6, when installs are almost negligible.
The Network X data (on the right) is a bit suspicious. The installs come on the days post click. A graph highlights this better:
What we see in Network Y is the standard tail-off after the first day of installs. The Network X results are what is called the long tail distribution.
I have chosen seven days because most mobile measurement providers will have a standard attribution window of seven days. If users install the app within seven days, the install will be attributed to that network and that network will get paid CPI for that. If users don't install it within seven days, they usually get shifted back to organic.
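The long-tail check described above can be automated. This is an added example, not code from the talk: only the 86% day-0 share for Network Y, the 0.5% CVR indicator and the seven-day window come from the text, while the other install counts, the click totals and the day-0 threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW_DAYS = 7        # standard attribution window described above
MIN_CVR = 0.005        # the "CVR < 0.5%" indicator from the text
MIN_DAY0_SHARE = 0.5   # assumption: calibrate against networks you trust


def day_counts(installs):
    """installs: (network, click_iso, install_iso) tuples.
    Returns {network: [installs on day 0..6 after the click]}."""
    counts = defaultdict(lambda: [0] * WINDOW_DAYS)
    for network, click_iso, install_iso in installs:
        tti = datetime.fromisoformat(install_iso) - datetime.fromisoformat(click_iso)
        # Day N = N full 24h periods after the click; installs outside the
        # window (or before the click) are not attributed to the network.
        if 0 <= tti.days < WINDOW_DAYS:
            counts[network][tti.days] += 1
    return dict(counts)


def review_networks(installs, clicks):
    """clicks: {network: total clicks}. Returns per-network metrics and flags."""
    report = {}
    for network, days in day_counts(installs).items():
        total = sum(days)
        day0_share = days[0] / total
        cvr = total / clicks[network]
        reasons = []
        if cvr < MIN_CVR:
            reasons.append("low click-to-install CVR")
        if day0_share < MIN_DAY0_SHARE:
            reasons.append("long-tail TTI")
        report[network] = {"day0_share": day0_share, "cvr": cvr, "reasons": reasons}
    return report


def sample(network, per_day):
    """Constructed data: per_day[d] installs landing d days after the click."""
    click = datetime(2024, 1, 1, 12, 0)
    return [(network, click.isoformat(), (click + timedelta(days=d, hours=1)).isoformat())
            for d, n in enumerate(per_day) for _ in range(n)]


INSTALLS = sample("Y", [86, 6, 3, 2, 1, 1, 1]) + sample("X", [20, 15, 15, 14, 13, 12, 11])
CLICKS = {"Y": 2_000, "X": 50_000}  # constructed click totals

if __name__ == "__main__":
    for name, row in review_networks(INSTALLS, CLICKS).items():
        print(name, f"day0={row['day0_share']:.0%}", f"cvr={row['cvr']:.2%}", row["reasons"])
```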
Click injection
The second mobile fraud technique is attribution stealing. Its aim is to steal organic and non-fraudulent traffic.
Click injection often happens with real apps that are embedded with malware. The aim is to infect as many devices as possible. Fraudsters sometimes do paid activity promoting their apps just for the sole purpose of spreading malware. This is how profitable this fraud technique can be.
Method
Malware checks apps for paid tracking links to indicate campaigns. Once the install begins, an artificial click is generated. Then, when the app is opened for the first time (the moment when the tracking SDK is initialized), the install attribution has been stolen.
Click injection used to be the major Android problem. That changed after Google implemented the Android API Referrer, which logs when the click was generated and when the install began. Any click that is generated after the beginning of the install is obviously fraudulent and can now be rejected quite easily. It's still worth noting, because similar techniques are still in use.
Indicator
- Abnormal time between download click and an install.
- Click coming after install completed.
The graph below indicates the time-to-install distribution. If you start having clicks or installs immediately, it is pretty suspicious. It usually takes around 15 seconds to click on an ad, be redirected to Google Play, and start the download.
Solution
- Find a benchmark for organic TTI and inspect suspicious install clusters below the threshold.
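A sketch of both checks from this section, as an added example rather than code from the talk: it rejects clicks generated after the install began and groups installs that are faster than the benchmark by traffic source. The record keys, the source names and the 20% review threshold are assumptions; the 15-second figure is the one quoted above and should be replaced with your own organic benchmark.

```python
from collections import Counter, defaultdict

BENCHMARK_S = 15      # "around 15 seconds" from the text; use your own benchmark
MAX_BAD_SHARE = 0.2   # assumption: share of non-ok installs that triggers review


def classify(click_ts, install_begin_ts):
    """Epoch-second timestamps of the click and of the start of the install."""
    if click_ts > install_begin_ts:
        return "reject"    # click generated after the install began
    if install_begin_ts - click_ts < BENCHMARK_S:
        return "inspect"   # faster than a person gets from ad to download
    return "ok"


def sources_to_review(installs):
    """installs: dicts with hypothetical keys source, click_ts, install_begin_ts.
    Returns {source: verdict counts} for sources with a suspicious cluster."""
    verdicts = defaultdict(Counter)
    for row in installs:
        verdict = classify(row["click_ts"], row["install_begin_ts"])
        verdicts[row["source"]][verdict] += 1
    flagged = {}
    for source, counts in verdicts.items():
        total = sum(counts.values())
        if (total - counts["ok"]) / total > MAX_BAD_SHARE:
            flagged[source] = dict(counts)
    return flagged


T0 = 1_700_000_000  # constructed epoch base for the sample records
SAMPLE = (
    [{"source": "pub_a", "click_ts": T0, "install_begin_ts": T0 + s}
     for s in (22, 31, 48, 95, 12, 70)]
    + [{"source": "pub_b", "click_ts": T0 + 40, "install_begin_ts": T0 + 30}
       for _ in range(3)]
    + [{"source": "pub_b", "click_ts": T0, "install_begin_ts": T0 + s}
       for s in (2, 3, 60)]
)

if __name__ == "__main__":
    print(sources_to_review(SAMPLE))
```

A single fast install, as in the constructed `pub_a` data, does not flag a source; a cluster of them does.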
Bots (Emulators)
Let’s get to the other type of fraudulent activity — spoofed installs.
Method
Bots involve apps installed not on actual devices, but on emulators. Then the information about the install is sent to a tracking provider.
Fraudsters can create artificial parameters to go along with it, so the install will come in with a legitimate device ID and OS version.
Indicators
You may be susceptible to this kind of fraudulent activity:
- Low CPIs incentivise primitive bots; high CPIs incentivise more sophisticated ones.
- Significant anomalies in post-install events.
Yes, it is not just installs that can be spoofed, but post-install events as well, for example a purchase or a sign-up.
Why would someone spoof a post-install event if you are paying on CPI? It is to legitimize the fraud. If you have an additional 10,000 installs in one month, but the order volume remains the same, then it will be instantly suspicious.
Solution
The solution here is to cross-reference your install numbers with legitimate install numbers. Check back-end data against your events and/or check whether other post-install events are populated.
Also, look for a lot of post-install events grouped under one device ID.
When I found out about this type of fraud last year, I checked order events grouped by device ID and I found that one device ID had 90 acquisitions. That was obviously very suspicious.
Device Farms
Here below is what an actual device farm looks like (not mining Bitcoin). They are mostly Android, due to the low price and easier software “hacking” to change the advertising identifier.
Method
Device farms connect to different publishers for constant monitoring of available apps and games running paid activity. Then they will try to get an idea of what parameters should be populated:
- How to download.
- What post install events should take place.
This fraud technique will have a huge impact on you only if you are spending a lot of money on mobile advertising.
Indicator and Solution
Here are some key indicators of such fraudulent activity:
- Spike in Organic installs. Installs which have been rejected may often end up in organic.
- Numerous installs from one phone model.
- Numerous installs from select IP addresses.
- % of NEW installers.
A problem worth mentioning here — most metrics and rules from anti-fraud solutions are open source and therefore can be reverse engineered.
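The device-ID grouping from the Bots section and the phone-model and IP indicators above reduce to the same check: does one value hold an outsized share of a network's installs? This added example, which is not from the talk, compares each value's share against a baseline of installs you trust; the baseline, the thresholds, the record keys and all sample rows are constructed assumptions.

```python
from collections import Counter

MIN_SHARE = 0.10  # assumption: ignore values below 10% of a network's rows
MIN_LIFT = 3.0    # assumption: flag values 3x more common than in the baseline


def shares(rows, field):
    counts = Counter(row[field] for row in rows)
    total = sum(counts.values())
    return {value: n / total for value, n in counts.items()}


def concentration_flags(network_rows, baseline_rows, fields=("device_id", "ip", "model")):
    """Rows are dicts with hypothetical keys device_id, ip and model.
    Returns {field: {value: share}} for values over-represented versus baseline."""
    flags = {}
    for field in fields:
        base = shares(baseline_rows, field)
        hits = {}
        for value, share in shares(network_rows, field).items():
            # A value never seen in the baseline has no expected share at all.
            lift = share / base[value] if value in base else float("inf")
            if share >= MIN_SHARE and lift >= MIN_LIFT:
                hits[value] = round(share, 2)
        if hits:
            flags[field] = hits
    return flags


def row(i, ip=None, model="Model-A", device_id=None):
    """Constructed install record; IPs come from documentation ranges."""
    return {"device_id": device_id or f"dev-{i}", "ip": ip or f"203.0.113.{i}", "model": model}


BASELINE = [row(i, model="Model-" + "ABC"[i % 3]) for i in range(21)]
NETWORK = (
    # farm pattern: fresh advertising IDs, one IP, one phone model
    [row(100 + i, ip="198.51.100.7", model="Model-Z") for i in range(12)]
    # bot pattern: many events under one device ID
    + [row(120 + i, device_id="dev-bot") for i in range(4)]
    + [row(130 + i, model="Model-" + "ABCB"[i]) for i in range(4)]
)

if __name__ == "__main__":
    print(concentration_flags(NETWORK, BASELINE))
```

Popular phone models are not flagged on share alone, because the comparison is against how common they are in the baseline.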
Incentive Traffic
The last mobile fraud technique I would like to cover in this post is incentivized installs. This might not actually be fraudulent in the traditional sense.
Method
Incentivised downloads are coming from independent users who receive a reward in various forms for the install taking place. A lot of gaming apps use this.
Indicator
How can you spot it? Look for very high conversion rates (which could be “diluted” by additional clicks) from users who mostly don't engage with the app.
This graph shows how incentivized installs differ from real users:
Solution
In order to counter such traffic, it is best you just talk to your DSP or your network provider about limiting such campaigns. Unless you think it is okay. But at the end of the day incentive traffic tends to skew your install data as these users tend to leave the app after install.
_______
Watch the video of Tom Brooks’ session at Mobile Online Conference by AppFollow: