Man
Professional
- Messages
- 2,946
- Reaction score
- 474
- Points
- 83
Mobile devices are actively competing with PCs and TVs as tools for searching and viewing information by users. Websites, services, and platforms are developing interfaces so that smartphones can be used to conveniently view anything: questions and answers, documents and articles, services and products, movies, music, etc. It is this growth that has led to platforms such as Google and Yandex launching ads on smartphones as well. It is primarily used to monetize conditionally free applications. Unfortunately, scammers are not asleep either. They are developing new schemes to deceive users, webmasters, and advertisers.
Ad fraud on mobile apps and websites works to bypass and deceive the tools used to measure and evaluate campaign performance. Ads that are paid for clicks, impressions, or installs are at risk, and their reporting relies on these metrics, allowing fraudsters to steal advertisers’ money.
Contents
1. Common fraud schemes
1.1. Layering Ads
1.2. Clickfraud
1.3. Click bombing (spam)
1.4. Resetting the device ID
1.5. Substitution of application ID
1.6 SDK Scam
2. VPN as a tool for fraud
3. Damage from attackers in numbers
4. How to protect yourself from mobile advertising fraud
Below are some common advertising deception schemes.
Click injection (hijacking) is one of the types of such fraud in mobile advertising, when a malicious program is implanted on the device, tracking the applications downloaded to it. As soon as the installation is completed, the malware manages to click on it before the user launches it.
This method is most often used on smartphones running iOS, slightly more often than on Android, according to a 2018 study.
How it works: The scammer clicks on the ad, downloads the advertised app, launches it, performs some other actions in it, and then resets the device ID to repeat the same thing. And so on, many times.
According to AppsFlyer, ID reset ad fraud accounted for about 26% of all ad fraud in 2018. Companies lost $1 billion from this scheme.
According to a study conducted by Pixelate, this scheme was first discovered by specialists in June 2018. It turned out that advertisements could be displayed on a switched-off screen or in the background, meaning that the user — the owner of the device — did not actually view them.
Not long ago, Apple iCloud Private Relay, essentially a VPN, appeared on iOS mobile phones. The option allows you to access blocked sites, hide your search history and digital traces of your device. Unlike a regular VPN, you cannot select a region in this case — it is assigned automatically.
The principle of operation of this technology is as follows: with Apple Private Relay enabled, before entering any site, the user is redirected to the Apple server, where his IP is replaced. The new IP is sent to the trusted partner server, and only then the data gets to the final server or site. The actual location in this case will be displayed if the following conditions are met: the site requested your location, and you, in turn, allowed this data to be transmitted.
In Russia, of course, such a function will not work on smartphones, since VPN services are actively blocked and prohibited by Roskomnadzor. For example, on September 2 of this year, 6 such services were blocked at once. However, this function will be available in many other countries, including the post-Soviet space. This gives fraudsters the opportunity to actively launch click-throughs of mobile advertising, deceive site filters and cause damage to advertisers.
Fraudsters have been actively deceiving marketers and smartphone users since 2018. The largest fraud case at the time was an advertising scheme that cost Google and its partners $10 million. Fraudsters could earn up to $75 million a year using their deceptive methods. At that time, Trend Micro MARS reported 1,088 apps containing a malicious SDK. Google Play support removed most of them, but they managed to cause significant damage to users and advertisers: by that time, the apps had already been installed more than 120 million times.
Taking action against ad fraud should be a priority for advertisers, especially since some schemes may violate users’ privacy. Advertisers can also do their part to prevent the spread of malicious and fraudulent apps. Here are some ways:
What should advertisers do? Companies suffer losses from advertising fraud. It is in their interests to protect themselves from such attacks. Here is what can be done:
Ultimately, when it comes to any type of fraud, it is important for all stakeholders to work together to maintain a safe digital environment. Sharing information and working to address emerging forms of ad fraud is critical to combating it.
Ad fraud on mobile apps and websites works to bypass and deceive the tools used to measure and evaluate campaign performance. Ads that are paid for clicks, impressions, or installs are at risk, and their reporting relies on these metrics, allowing fraudsters to steal advertisers’ money.
Contents
1. Common fraud schemes
1.1. Layering Ads
1.2. Clickfraud
1.3. Click bombing (spam)
1.4. Resetting the device ID
1.5. Substitution of application ID
1.6 SDK Scam
2. VPN as a tool for fraud
3. Damage from attackers in numbers
4. How to protect yourself from mobile advertising fraud
Common Fraud Schemes
Every year, the capabilities of mobile devices become broader, which allows advertisers to place their ads in various formats. And fraudsters, in turn, use many methods for click fraud, pseudo-installations, manipulation of attribution, etc.Below are some common advertising deception schemes.
Ad Layering
In this scheme, the scammers — the resource owners — place several ads one on top of the other. The site visitor sees only the top one. If companies in this case pay for advertising with payment for impressions, then the scammers will receive a reward for displaying all the ads.Clickfrode
The main goal of click fraud is to imitate the actions of real users in order to trick analytics tools into counting fraudulent (invalid) clicks as real ones.Click injection (hijacking) is one of the types of such fraud in mobile advertising, when a malicious program is implanted on the device, tracking the applications downloaded to it. As soon as the installation is completed, the malware manages to click on it before the user launches it.
Click bombing (spam)
With this scheme, fraudsters bombard the app with clicks to take the attribution, i.e. click (launch) it before the user does so themselves. Each click is assigned a unique ID, corresponding to the device ID of the real user who downloaded the advertised app.This method is most often used on smartphones running iOS, slightly more often than on Android, according to a 2018 study.
Reset device ID
This scheme involves a cycle of endless app installations and resets of the device ID on which it is downloaded. For the advertiser, this would mean that its product was downloaded each time by unique users.How it works: The scammer clicks on the ad, downloads the advertised app, launches it, performs some other actions in it, and then resets the device ID to repeat the same thing. And so on, many times.
According to AppsFlyer, ID reset ad fraud accounted for about 26% of all ad fraud in 2018. Companies lost $1 billion from this scheme.
Application ID substitution
Fraudsters use this deception scheme in the following way: they launch an ad in one application, but the advertiser thinks that it is shown in another, declared during placement. The attackers simply change the parameters and provide false or stolen identifiers.According to a study conducted by Pixelate, this scheme was first discovered by specialists in June 2018. It turned out that advertisements could be displayed on a switched-off screen or in the background, meaning that the user — the owner of the device — did not actually view them.
SDK Scam
Software development kit (SDK) fraud is a mobile fraud scheme that involves bots and malware. An application embedded in another, real one, will generate clicks and reproduce other actions in it. This scheme is very difficult for attackers to detect. Any application that uses an SDK is vulnerable to such click fraud.VPN as a fraudulent tool
For every five clicks on an ad, one is done using a VPN. This technology allows fraudsters to hide their location and display a virtual unique IP address with each new connection. This is how they bypass systems that block automated click-throughs of ads.Not long ago, Apple iCloud Private Relay, essentially a VPN, appeared on iOS mobile phones. The option allows you to access blocked sites, hide your search history and digital traces of your device. Unlike a regular VPN, you cannot select a region in this case — it is assigned automatically.
The principle of operation of this technology is as follows: with Apple Private Relay enabled, before entering any site, the user is redirected to the Apple server, where his IP is replaced. The new IP is sent to the trusted partner server, and only then the data gets to the final server or site. The actual location in this case will be displayed if the following conditions are met: the site requested your location, and you, in turn, allowed this data to be transmitted.
In Russia, of course, such a function will not work on smartphones, since VPN services are actively blocked and prohibited by Roskomnadzor. For example, on September 2 of this year, 6 such services were blocked at once. However, this function will be available in many other countries, including the post-Soviet space. This gives fraudsters the opportunity to actively launch click-throughs of mobile advertising, deceive site filters and cause damage to advertisers.
Damage from attackers in numbers
Many of the mobile ad fraud methods described above are already familiar to us, as they partially coincide with click fraud techniques in PC advertising campaigns. We talked about them earlier in this article. This means that, following the development of smartphone capabilities and the number of users, fraudsters are improving their click fraud methods and developing new ones.Fraudsters have been actively deceiving marketers and smartphone users since 2018. The largest fraud case at the time was an advertising scheme that cost Google and its partners $10 million. Fraudsters could earn up to $75 million a year using their deceptive methods. At that time, Trend Micro MARS reported 1,088 apps containing a malicious SDK. Google Play support removed most of them, but they managed to cause significant damage to users and advertisers: by that time, the apps had already been installed more than 120 million times.
How to Protect Yourself from Mobile Advertising Fraud
Material losses, distorted statistics, ineffective campaigns - all this is damage inflicted on companies by attackers.Taking action against ad fraud should be a priority for advertisers, especially since some schemes may violate users’ privacy. Advertisers can also do their part to prevent the spread of malicious and fraudulent apps. Here are some ways:
- Be aware of click fraud schemes and methods. Knowing and understanding the different methods used by scammers can help you avoid them.
- Be careful when choosing and installing apps on your device. Download them only from trusted sources. This will reduce the risk of your phone becoming infected with malware.
- Provide tools on your device that will keep it safe. Users should consider installing a multi-layered solution that can protect the device from online threats.
- Report incidents that may involve fraud.
What should advertisers do? Companies suffer losses from advertising fraud. It is in their interests to protect themselves from such attacks. Here is what can be done:
- Prioritize security when planning your advertising campaigns.
- Choose the right placement platforms and quality sites. Be careful when choosing the sites and applications where your ads will be placed.
- Be more attentive to incoming conversion data. Analyze and periodically audit advertising statistics. Track potential fraudulent patterns, possible bot activity, unnatural behavioral signals.
Ultimately, when it comes to any type of fraud, it is important for all stakeholders to work together to maintain a safe digital environment. Sharing information and working to address emerging forms of ad fraud is critical to combating it.