Imitation game: ID fraud in mobile advertising

A little over a year ago, Lauren Fisher, an eMarketer analyst and author of the report US Ad Fraud 2017: Buyers and Sellers Fall Prey to More Sophisticated Forms, considered mobile a relatively “clean space” when it came to fraud.

Times have changed. Speaking on a podcast in May this year, Fisher acknowledged that her assumption had been overly optimistic, partly because of the difficulty in measuring mobile advertising back then.

As better tools have emerged, the extent of the problem has come into focus. For example, according to AppsFlyer, for up to 20% of the apps in certain categories, at least 20% of downloads can be attributed to device-ID reset fraud. And globally, app-install fraud is estimated to cost advertisers between $2.2 billion and $2.6 billion a year, according to the company. 

For the uninitiated, device-ID reset is a form of fraud—often performed on massive 'farms' of phones—that involves clicking an ad, downloading and even using an app for a while, then resetting the phone's device ID in order to repeat the process and create the appearance of a new device downloading the app.  

According to some, methods of detecting mobile fraud, while improving, are not where they need to be yet. “It is imperative to understand that mobile is the most challenging channel today because brands are still tracking fraud with tools used for desktop that are not adapted or tailored for this channel that is inherently different in nature,” Gavin Buxton, APAC managing director with S4M, tells Campaign Asia-Pacific.

For example, cookies do not exist on mobile, so a different method of blacklisting for the device ID is required. Location data could help to validate device IDs, but "there is not enough understanding from buyers to fully know exactly where the data is coming from and the data reliability,” Buxton adds.

Although certain types of fraud, such as click fraud, are common on both mobile and desktop, click injection and app-install fraud are mobile specific. Moreover, the latter are often more tempting targets for nefarious individuals and groups, because of the money advertisers are spending to drive app installs.

Fraudsters have every incentive to shift their attention to mobile as advertising dollars are flowing to smaller screens, especially in certain mobile-first markets such China and India. Zenith’s Advertising Expenditure Forecasts, released on Monday, predicts that total mobile ad spend will reach $106 billion in 2017, accounting for 52.2% of internet advertising expenditures and 19.5% of total advertising expenditures. 

Switching IDs

Israel-based attribution platform AppsFlyer began actively tracking mobile device-based fraud last year to study fraud carried out beyond the click and publisher levels. What it found was that device-ID reset fraud is carried out on a massive scale globally, accounting for 51% of all mobile app install fraud.

Appsflyer's $2.2 to $2.6 billion estimate for install fraud comes from DeviceID Reset Fraud: The New Threat to Mobile App Marketers, a report released by the firm in September. Data in the report shows that 16 of the top 100 networks are “significantly exposed”.

Ronen Mense, VP Asia for AppsFlyer, tells Campaign that device-ID reset is being carried out on a "marathon level" at phone farms, with North Pacific Asia and Southeast Asia showing the highest share of fraudulent installs coming from device-ID resets.

The data do not provide a breakdown by country. “What I can tell you is that we know most of the devices in this earth are manufactured in one place, and we know that there’s this one place which also has access to this farm, with cheap electricity,” Mense says.

Andy Fan, CEO and founder of RTB Asia, based in Shanghai, provides more clues. “The proliferation of used mobile devices in China provides fertile ground for device farms,” he says. “Because there is no centralised Android store like the Google Play Store, third-party Android app stores, coupled with our Android-heavy market structure and fragmented publisher networks, facilitates fraudsters’ activities.”

AppsFlyers’ report has another finding that might raise the eyebrows of advertisers: iOS and Android are equally vulnerable to device ID reset fraud, albeit to varying degree across regions and markets.

For example, the share of device ID fraud in Southeast Asia is seven times higher on Android than on iOS. “If you look at the industry, the volume of Android devices far outstrips iPhones," he says. "That explains the higher incidence of fraud on Android. The cost of commiting fraud on iOS is higher because the devices cost more, but the returns are also higher." Market dynamics must also be taken into account, he says; for example, Japan is 60% to 70% iOS, whereas China is 80% Android.

The top categories targeted involve apps that are mass-marketed, Fan says. "If you look at something such as an RPG [role-playing game] app, the user profile for targeting is very niche, compared to a travel app,” Mense explains. “It’s always a mystery to me why a flashlight app exists, why it requires WiFi connection and access to your phonebook," he adds facetiously. "It’s usually not what you think it is.”

A blind eye?

Despite being mentioned as a new threat in AppsFlyer’s report, device-ID reset fraud has been on the radar of ad networks for some time, S4M’s Buxton notes. However, awareness among marketers has been lacking.

“There are marketers who want to buy app-install traffic at low CPI [cost-per-install] rates and do not want to question the legitimacy of the traffic for the price they are paying,” says Buxton. To that extent, the marketers are complicit in the fraud as they are likely to be aware that traffic is prone to fraud, but high install rates will boost their app’s ranking in the store and eventually draw organic installs and real users. “By this logic, there is no effort from marketers to investigate this source of app-install traffic," he says. "They are not ready to pay more for qualified app-install traffic.”

RTB Asia’s Fan points out that many marketers take it as a given that the traffic that they buy will be fraudulent, but few realise the extent of the problem and are confused by results from different publishers. “They may think that the fraudulent traffic is only 30% when in fact it is 70%. Sometimes, the fake traffic from Android can be as high as 80%,” says Fan.

In terms of its impact, device-ID reset fraud results in a waste of marketing budget, just like any other type of fraud when advertisers pay for phantom users, says Jayesh Easwaramony, SVP and MD for APAC, Middle East and Africa with InMobi. The good news is, device-ID reset fraud is relatively easy to detect and combat, he says.

InMobi maintains a database of device IDs, which the company cross-checks with the inventory of a new publisher that joins its network. “If the overlap is less than 5%, we will reject that because we know that the device IDs are being created by the publishers,” says Easwaramony, adding that bigger players are more advantaged due to the scale of their reach. “For our key markets such as Singapore or Hong Kong, we would have a database of 5 to 6 million device IDs, reaching almost 90% of the smartphone base in that market. So it is very unlikely that the publisher would have a new set of device IDs. Obviously different players would have their own methods, but the only way is by maintaining a database of many sets of device IDs." The only issue, he adds, is the lack of a benchmark parameter for the networks.

Fan agrees that checking publishers’ inventories is helpful in detecting fraudulent IDs, besides looking at overall data history. “If we only look at data from campaign to campaign, it [the data] is not comprehensive enough," he says. "But the issue is most publishers in the market have some issues on their inventory, and it won’t be fair to them to outright reject them." AppsFlyer also uses a similar approach through its device-ID rankings. Mense declines to reveal the method in detail, saying that it is akin revealing all the cards to the fraudsters. 

S4M’s Buxton, meanwhile, says the idea is to simply identify indicators for fraudulent device behaviours, compared to those of real users. “We can observe the frequency and historic data of instances when the device ID has appeared in other bid requests, and we can also observe the app usage and install history via the SDK data,” says Buxton. He calls on marketers to establish an impenetrable media supply chain to fight device-ID fraud effectively, through consolidating the impression to a click and finally an install on a unified platform. “Each install should be qualified at all levels of human action to be considered delivered," he explains. "Marketers should forget about last-action attribution and insist on checks along the entire user journey.”

Nitty-gritty aside, AppsFlyer’s Mense maintains that the onus rests on marketers to have a zero-tolerance policy toward fraud to address the industrial scale of the operation. “What I have been doing is to set up a fraud appendix, to give marketers the ability to set their own thresholds according to their requirements,” says Mense. “For example, they can set to only accept installs from iPhone 6 or higher. Once the KPI is breached, they are alerted as marketers, and they in turn alert their partners.” That approach, in a way, ensures that all parties consolidate their effort to fight fraud, he adds.

New tricks on the block

On account of that, most of the experts Campaign spoke to agreed that although device-ID reset fraud presents a real threat, it can be handled rather easily. What they are relly worried about are the more sophisticated methods, such as click-injections, in which app installs are attributed to the wrong developers through the last click. In fact, RTBAsia's Fan believes that attribution fraud such as the above will loom over 2018.

The trouble with such fraud, says Rohit Dadwal, APAC managing director of the Mobile Marketing Association, stems from the legacy from desktop advertising and marketers' obsession with clickthrough rates as a metric.

"Attribution fraud exploits loopholes in industry standards for last-click attribution in such a way that the spamming source gets credit for the last touch on conversion. This is troubling, given that attribution fraud has significant implications on how and where marketers are allocating their ad spend. " says Dadwal. He points to the fact that 80% of marketers used CTR more regularly than any other metric, according to a poll of marketers by MMA cited in a SMoX Cross Marketing Attribution Report in March 2017.

He further adds that mobile app spoofing, an in-app fraud, present another challenge to mobile marketers, given that mobile ad revenue from apps was higher than mobile web in almost all APAC market. Similar to domain spoofing, where fake sites are disguised as premium, mobile app spoofing occurs when the app sends a fake bundled ID to cause ad impressions generated on the app to be misrepresented. "Not only might this damange the reputation of the original or imitated app, mobile app spoofing also threatens user security and might expose the user to malware," Dadwal says. 

Eyes on the prize

S4M's Buxton believes that since mobile devices are now extensions of consumers' brains, all efforts to fight fraud and nurture the medium as a legitimate advertising channel are worthwhile.

“Our view is that mobile will continue to grow as the forecasts predict," he says. "For brands, this channel represents huge untapped potential because it is the only medium that can provide valuable real-time location insights to deliver tailored services. Leveraging these data to deliver curated mobile ads that render a service and personalised content is the key to avoid ad nausea for mobile users."