How are mobile advertisers being defrauded? Let us count the ways
For its part, Forensiq examined just one slice of the mobile ad fraud pie, a practice it’s calling mobile device hacking.
Using a popular Android emulator called Genymotion, Forensiq identified about 5,000 suspicious-looking apps and downloaded a selection from the App Store and Google Play.
Several telltale signs make certain apps look fishy: more (and therefore likely non-human) network traffic than normal, starting automatically when the device reboots, a too-heavy ad load ratio and requests for unnecessary permissions, like a game that involves no voice interaction requesting access to a user’s microphone.
“Even without doing a study, if you see ads that look broken that are cut off or squished so you can hardly see them – those are all reasons to think that something is not quite right,” said Mike Andrews, chief scientist at Forensiq.
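The telltale signs listed above can be checked mechanically. The sketch below is an added example, not Forensiq's tooling: it assumes the app's manifest has already been decoded to text XML and that ad calls were logged with a foreground/background marker, and the thresholds, the permission list, the sample manifest and the sample traffic are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample: text (decoded) manifest of a hypothetical game with no voice feature.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
# Constructed sample: one ad request every 5 s for 10 minutes, app never in foreground.
SAMPLE_REQUESTS = [(t, False) for t in range(0, 600, 5)]

# Assumed values for illustration; tune against known-good apps of the same category.
MAX_AD_REQUESTS_PER_HOUR = 60
MAX_BACKGROUND_SHARE = 0.2
UNNEEDED_FOR_CATEGORY = {"android.permission.RECORD_AUDIO"}

def manifest_flags(manifest_xml):
    """Flag auto-start on reboot and permissions the app category does not need."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    actions = {a.get(ANDROID + "name") for r in root.iter("receiver") for a in r.iter("action")}
    flags = []
    if ("android.permission.RECEIVE_BOOT_COMPLETED" in perms
            and "android.intent.action.BOOT_COMPLETED" in actions):
        flags.append("starts on reboot")
    flags += ["unnecessary permission: " + p for p in sorted(perms & UNNEEDED_FOR_CATEGORY)]
    return flags

def traffic_flags(ad_requests, window_seconds):
    """ad_requests: (seconds_since_start, app_in_foreground) per observed ad call."""
    if not ad_requests:
        return []
    per_hour = len(ad_requests) * 3600 / window_seconds
    share = sum(1 for _, fg in ad_requests if not fg) / len(ad_requests)
    flags = []
    if per_hour > MAX_AD_REQUESTS_PER_HOUR:
        flags.append(f"heavy ad traffic: {per_hour:.0f} requests/hour")
    if share > MAX_BACKGROUND_SHARE:
        flags.append(f"ad requests while not in foreground: {share:.0%}")
    return flags

if __name__ == "__main__":
    for flag in manifest_flags(SAMPLE_MANIFEST) + traffic_flags(SAMPLE_REQUESTS, 600):
        print(flag)
```

None of these flags is proof of fraud on its own; legitimate apps also register boot receivers, so the flags are most useful in combination.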
Andrews and his team monitored traffic and data streams from the suspect apps in a controlled environment, and then cataloged the grim results.
Although the apps generally appeared to be legit upon download, once installed they started running in the background unbidden, rapidly serving unviewable ads that drain batteries, kill data plans – one app could consume about 2 GB a day – and suck the life out of mobile ad budgets.
Microsoft, Unilever, Amazon, Coca-Cola and Mercedes-Benz were among the brands affected.
Over the course of 10 days, Forensiq observed more than 700 hidden ads an hour per app and identified 12 million impacted devices globally.
For the moment, it appears that simply deleting the offending app or apps is enough to cut the problem off at the pass, although Andrews noted that might not always be the case. Even if the device manufacturers put protections in place to ensure that delete really means delete, there could still be a potential risk.
But device hacking is just one type of in-app fraud, a fact Christian Calderon, head of marketing at the game studio responsible for "dots" and "twodots," knows firsthand.
“I feel like I’ve seen basically every form of it,” he said. “It’s not as bad as the web is or was, but there is a lot of crazy stuff that happens in mobile.”
Some of that is straight up ad fraud with no frills: install farms, click stuffing, in-app purchase fraud, forced redirections, in-app ad stacking, mobile location data spoofing and rebrokering – a practice by which an ad network will contract with unauthorized third parties without a client’s knowledge – not to mention device mixing, incentivized/non-incentivized traffic mixing and geo-mixing.
But there’s also a more nuanced, but no less nefarious, problem around creative misuse, Calderon said, which was a big issue for "twodots" at the beginning before it had enough resources to handle all of its creative development in-house.
The most common type of creative misuse is when an ad network tweaks an app’s creative to maximize clicks and installs, the currency by which they get paid.
“You might see an ad for a game with a half-naked lady in it that has absolutely nothing to do with the actual gameplay,” Calderon said. “It’s terrible for the brand, but ad networks do it all the time.”
Who’s to blame?
In cases of rebrokering or creative misuse, ad networks seem to be clearly at fault. In the case of in-app purchase fraud – according to data released by Apsalar in July, there are more than seven fraudulent purchases of virtual goods made globally for every legitimate one – hackers are the culprits.
But when it comes to the mobile device hijacking uncovered by Forensiq, the culprits appear to be the app publishers themselves.
Specifically, developers of questionable provenance like Girls Games Only, which is responsible for a number of the apps that made it onto Forensiq’s radar for all the wrong reasons, including "Pet Dentist," "Celebrity Baby," "Vampire Doctor" and "Waxing Eyebrows," a game that offers nothing more than the title denotes, in which users are tasked with grooming the main character’s eyebrows.
“In one of the apps we came across, there was a function in the source code called ‘run evil loop,’” Andrews said. “It’s sort of humorous, sure, but it also speaks to what’s going on in the minds of some app developers. They’re looking to aggressively monetize and they’re crossing the line into fraud territory.”