Mobile ad fraud’s meteoric rise should make any app marketer anxious. But advertisers, publishers, and end-users can all avoid being victims if they know what to look for and what to avoid.
The issue drives loads of discussion but there’s loads of misinformation out there. Just Google ‘how to stop mobile ad fraud’ and you’ll get page after page of top tips – many of them outdated or simply untrue.
Education and awareness are essential first steps if we’re ever going to stop ad fraud in its tracks, but myths and misconceptions play straight into the hands of fraudsters.
Here we’ve gathered mobile ad fraud’s top four fallacies for end users, with some lab-tested advice to help counter them.
Myth #1: You can trust any app listed on Google Play
Users trust the Google Play store and for good reason. It’s the official app store for one of the two most recognisable names in mobile. And nobody would be daft enough to mess about with the planet’s premier tech giant, right?
Wrong. While of course, Google has stringent security tests in place to keep malware off its app platform, they aren’t 100% effective. According to the Secure-D report on mobile ad fraud and malware, 32 out of the 100 most active malicious apps of 2019 that Secure-D blocked are still currently available to download on Google Play.
User reviews and scores – a sort of crowdsourced way to assess if an app is legitimate – can also be gamed to trick users into downloading. Fraudsters sometimes use bot networks to egg-up an app’s user ratings, giving them artificially high scores and even posting automated user comments saying how great they are.
In other cases, the apps themselves are designed to misbehave. Secure-D found one popular weather app was stealing user information and perpetuating ad fraud.
The app had an average user rating of 4.4 out of 5 and had been downloaded more than 10 million times. It had passed the Play store’s vetting process and was assumed to be so safe that it came pre-installed on many Android handsets
Another popular Android app called 4shared was abruptly removed from Google Play last year. Secure-D discovered that 4shared was triggering suspicious background activity, generating fake clicks and attempting to sign users up for unwanted mobile data subscriptions.
Before its sudden removal from Google Play, 4shared had been downloaded over 100 million times.
Despite those high-profile hacks, Google Play is still a better place to download apps than an unofficial store. The key is to be aware of risks and take steps to protect yourself.
Myth #2: Pre-installed apps are perfectly safe
While device manufactures are extremely careful about the apps they pre-install on smartphones, cybercriminals have still found ways to compromise them. One of the most popular attack vectors is to undermine the software ‘supply chain,’ meaning they hack the software companies that build the apps and secretly add their own malware. The phones are then shipped with malware pre-installed.
This was the case when Secure-D uncovered the compromised weather app mentioned above. It had been pre-installed on low-cost Android smartphones that were being sold in emerging markets.
In another case, researchers have discovered compromised pre-installed apps that can’t be uninstalled by the users. For example, system or software updates related apps.
Myth #3: If it doesn’t affect performance it’s probably OK
There are also apps that, while not in the outright malicious category, are dodgy and should be avoided. They leak personal information like location data, phone number, emails and contacts, which fraudsters could use to engage in identity theft or phishing scams.
In one recent example, a locator app was found to be exposing the personal data of users. There didn’t appear to be a deliberate attempt to defraud users by the app’s developers. Still, misconfigured database servers and unsecured cloud storage meant private user data was vulnerable to unauthorised access.
In another example, a vulnerability in a dating app allowed anyone to find the personal information, chat data, private photos, and real-time location data of any of the app’s 1.5 million users.
Myth #4: iPhones are basically safe from malware
Apple has earned a well-deserved reputation over the years for protecting end-users from malware, and many people still perceive iPhones and iPads to be more secure than other mobile devices.
It’s true that Apple’s review process for the App store is particularly demanding. Unlike Android, iOS is a closed system that end-users can’t modify (without breaking Apple’s user agreement). And iOS powers fewer mobile devices compared to Android, meaning cybercriminals see Android phones as a softer target.
Despite all that, fraudsters have still found ways to infect legitimate iOS apps on the App Store.
Last October, Apple removed 18 apps after it was discovered they contained malicious code that secretly clicked on ads, quietly signed-up users to premium services they didn’t want, or deliberately overloaded websites.
In another case, hackers were able to bypass Apple’s App Store to distribute compromised versions of popular paid apps to other users, including Spotify, Angry Birds, and Minecraft.
Researchers have recently discovered several hacked websites that have been attacking iPhones. The infected sites installed spyware on victims’ devices over a two-year period, gaining unlimited device access privileges. Once installed, the spyware could monitor live location data, and could access photos, notes, contacts, call history and SMS messages. Worryingly it could also access passwords and authentication tokens stored in the iCloud keychain.
Stay safe out there
As any popular crime drama will tell you, separating truth from fiction isn’t always easy. There’s a lot of fake news out there, and the industry discussion around mobile ad fraud is full of it.
The critical take-away for end-users and advertisers alike is to be cautious. Forewarned is forearmed, and there are no dead certs when it comes to privacy and mobile security – other than the absolute certainty that the next fraud is just around the corner.