[Webinar] The ABCs of Mobile Ad Fraud (and Strategies to Fight It)

On Demand Webcast

Mobile ad fraud is an increasingly growing threat to app marketing budgets. Go inside the mind of mobile fraudsters and learn strategies to combat them. Join us as we dive into the topic of mobile fraud with our special guest Andreas Naumann, leading fraud expert at Adjust. We will discuss the basics of mobile ad fraud including:

  • Basic definitions of mobile fraud and how to detect it
  • The difference between click spam and click injections
  • How to identify fake app installs and post-install events
  • Strategies for fighting mobile ad fraud
  • How fraudsters run their operations and pro tips for blocking their attempts to steal your ad dollars

We’ve provided a PDF version of the presentation slides here.


Q&A From Live Webinar

Answers are generously provided by Andreas Naumann, Liftoff partner from Adjust.

Q: Can you post names of the two companies that help with IP monitoring?
A: Neustar and Maxmind are the industry standards (other audience members actually supplied names of verification/anti-fraud vendors)

Q: Are there specific times during the month that the fraud are more inclined to happen? (because of the payment time)
A: I have never encountered a fraud scheme or a specific fraudulent source that showed different behavior by the time of month. Usually fraud goes to where there is a combination of low resistance, high payout and big availability in budgets.

Q: Do you have a threshold for % of overall traffic using VPN/proxy that is “normal”?
A: The average VPN usage that we see in organic installs is varies between 0.2% and 0.3% between different geos. In certain targeted demographics that rate might go as high as low single digit percentages. Especially if there is a strong following for an app in a country that the app did not release in.

Q: So they are ‘faking’ the IP?
A: Faking/spoofing IP addresses is currently impossible since all communication requires an SSL handshake. In order for both parties to finish the handshake to originating IP address will need to be reached and therefore can’t be spoofed.

Q: Is a lower app version considered fraud? How are these installs possible? Whose responsibility is it to avoid this type of installs?
A: This is hard to answer without knowing the details in app versioning and the campaigns that are running. If you only have the newest version of your app in all app stores and your IO with the suppliers states that you will not pay for installs from APK downloads or 3rd party app stores, it might be fraud. Usually installs of deprecated app versions originate from these sources.

As for mitigating the problem, it becomes even more of a question of the individual setup. This could be filtered out or reported on by looking at the app version or install verification from 1st party app stores, or better yet a combination of the two.

Q: What is the process of flagging the perpetrators of click injection or stolen installs and penalizing those responsible with the various tracking providers?
A: There is no blacklisting and also “no naming and shaming” process currently in the industry, and I would rather keep it this way. Blacklists (as well as whitelists for that matter) give perpetrators a clear answer once they overshot the target and will help them stay under the radar better next time. And this is the biggest problem with this approach – most fraudsters will have no hard time changing their company name and hitting the industry again with virtually no downtime and do the same thing all over again.

Q: What is the difference between click spam and click injections?
A: Click injections are a subset of click spam (at least in my definition), the similarities being that the only thing being faked is the ad-engagement (click) and the goal is to steal attribution of an install that should be attributed to organics or to a different paid source. The difference lies in the why, when and how the click gets executed. In click spam it is either on user visit/action (mobile web) or on a fixed time interval in usage (native in-app), whereas in click injections – a click only gets triggered when the target app is already successfully downloaded and/or installed on the end users device.

Q: Whom should I blame for fraud, networks?
A: As I tried to explain rather lengthily in the webinar, there is not single entity to blame (with the exception of the single fraudster making the decision to defraud advertisers and pocketing the benefits). But the whole industry partook in benefiting from fraud or turning a blind eye towards it. In a vast generalization I’d say everybody from Advertisers, over Tracking vendors, networks, exchanges and publishers are to blame. The most important thing to take away from this is to not get held back from trying to blame a single scapegoat but to go forward with complete transparency, fighting fraud on all levels and making sure it doesn’t pay off to try and cheat the system.

We, and this means not just Adjust but the industry as a whole, made a good start in fighting back. Now we need to make sure that the momentum is kept and transparency and learning are the goals in this battle.

Q: Who are the typical culprits for click injection? Networks? Apps? Publishers? Other?
A: The perps need to have access to an app on the user device, so it will be app developers/publishers, as well as monetization vendors that have an SDK in that app. Both can listen to the broadcasts and react accordingly. App developers that integrate a closed source monetization SDK would not necessarily be aware of that practice.

Q: Regarding your example with retail apps – how will it be an “install” if you say that a user already has the app?
A: An install in the world of a tracking solution is always the combination of a first session in a specific app on a device that was not known before. Which is also the main cause for discrepancies with app stores since those count installs as installs of one app on one user account.

e.g. In case the same user buys a new device, downloads all their apps that they used before and then hits a Google search which in its result offers the user to open a specific app that was installed by restoring all apps. That install will be a new install (since the device was not known to have had installed that app before) which will be credited to Google search because this is where the user clicked before opening the app.

Q: Can you please repeat on the normal time in seconds for installs and what is not normal in the click injections?
A: A high peak in install counts in the first 5 seconds in a histogram of click-to-install times (with a bucket size of 1s) is a strong indicator for click injections happening. It is not a good solution to just filter those out, as this kind of filtering has both an unknown false positive rate as well as an unknown (and much higher) false negative rate.

Q: How do you suggest we deal with click injections if we want to minimize the possibility of false positives?
A: Look for indication of click injection in the most granular source data available. Then optimize by eliminating sources that deliver click injections to your campaigns. Just eliminating the fraudulent click engagements from attribution is not possible until more data points are available from Android/Google.

Q: How much of  “assumed vs actual fraud” cases happen and how do you handle this?
A: Since we run a preventative approach we seldomly deal with ad-hoc fraud research. Of the few cases that need ad-hoc research, clients rarely bring up concerns about fraud that turn out to be false. Those cases are concerned with compliance issues rather than technical exploits.

Q: What networks have you seen with higher than average fraud activity?
A: Since it is not the networks perpetrating the fraud, this question can’t be answered straight on. The fraudulent sources have little to no loyalty and will jump from network to network within hours if that allows them to keep poaching budgets or increase their revenue. Thus the level of fraudulent activity is always shifting between networks.

Q: Are there any trends where fraud might be more prevalent, for example, in a certain type of app? Like a utility app or loyalty app vs a game or social app?
A: The only thing that grabs the fraudsters attention is maximizing their ROI, just like any other business in the space. They are good at monetizing their operation programmatically and are very efficient about it. What draws fraud to a campaign is high CPx payouts and big/open budgets. In most cases, aggressive growth campaigns come with a certain acceptance for trading increased volumes for skewed KPIs. This allows the fraudster to maximize their gains and will draw their attention.

Q: As a developer/marketer, we’ve found high incidents of fraud within certain campaigns/networks, where we are 99% certain fraud is taking place, but the networks want us to “prove” fraud is taking place, and that is a difficult task. How do you suggest a marketer approaches fraud, if we’ve identified it and we are certain, even if we can’t prove it, should we still pay the ad network that delivered us this fraud? 
A: It is again very hard to give sound advice without knowing the details of the case (happy to discuss it in private). If the incident revolves around a technical fraud scheme, there is usually ways to prove exactly what happened. If direct proof is not possible or it is a compliance issue, I’d turn to the statistics. Unless it is very well executed, fraud schemes show strong divergence from statistics not influenced by fraud. After isolating the statistical anomalies, bring those to the network and ask them to explain those or have their source explain them. Usually that is a good opener to discuss mitigation of the problem. Also, it pays off to make sure to dedicate a paragraph of the IO to fraud and the resulting consequences.

Q: Is there a KPI to detect engaged users vs guilty ones? Something that the fraudulent companies can’t really fake?
A: Retention rates, registrations, logins, session rates, ARPU, ARPDAU, ARPPU (and tons of others as well) are good to measure the quality of the users you acquire. Which ones work for your specific app need careful investigation. It is generally a good idea to benchmark your organic installs, but keep in mind that only fake installs will show sub-par user quality down the funnel. All fraud schemes aimed at poaching your organic installs and have them attributed will show great user quality, which is one of the reasons why this kind of fraud has not been eradicated yet. In some cases, organic poaching can even be perceived as “ROI positive” just with the caveat that the advertiser still buys their own organic installs at a discounted price.