
Let’s be frank: without mobile advertising, many tools and services that make users’ lives easier wouldn’t be viable. Unfortunately, that creates multiple opportunities for fraud, keeping the cybersecurity sector on its toes.

Mobile advertising fraud is a catch-all term for a wide range of scams. The best way to categorize it is to imagine the normal flow of mobile advertising: the advertiser produces an ad; the publisher delivers the ad; the end user views or clicks on the ad; and the advertiser pays the publisher for the view or click. Mobile advertising fraud is any operation in which fraudsters insert themselves into this process without permission and collect the payment.

It’s particularly disruptive because it has multiple victims. The advertiser wastes money on ads that are never seen by the intended audience. Legitimate publishers lose trust with advertisers and may lose business or have to lower rates. And the end user often has an inferior experience and may face unexpected data costs or even fraudulent charges.

It may be tempting to categorize mobile advertising fraud by whether the target is mobile browsing or apps, but in reality, the fraudsters themselves are often platform-agnostic. A better way to group them is whether the fraud involves fake users, real users, or fake attribution data.


Fake Users

Type #1: Malware

Malware creators use all manner of tactics to carry out ad fraud. These include:

— App bots that simulate users clicking on ads. Sometimes the bots even simulate a user selecting expensive products and putting them in shopping carts, meaning the fraudsters claim higher rewards from advertisers.

— Malware that monitors a device for legitimate app installations and immediately fires off a fake ‘ad click’ to falsely claim credit (and royalties) for having led the user to the app.


Type #2: Click Farms

Click farms are a brutally unsophisticated form of fraud where workers – usually in economically challenged regions – are literally paid to download and interact with apps to artificially inflate the costs to advertisers.


Misled Users

Type #3: Hijacking

Hijacking involves manipulating code so that a user who intentionally clicks on an ad is instead redirected somewhere else. While the fraudsters effectively steal the ad revenue, the user is frustrated, and a legitimate advertiser misses out on a potential customer.


Type #4: Ad stacking

Ad stacking exploits loopholes to effectively layer multiple ads on top of each other. Although only the top ad is visible to the user, a click on this ad may count as a click on all of the ads.


Type #5: Invisible ads

Invisible ads are where malicious middlemen come between app users and advertisers. The most common method is through apps that, to the end user, appear to operate as expected. In fact, the apps are doing all the work of collecting and preparing in-app ads (and collecting the advertisers’ money) but not actually displaying them on screen. In turn the app can ‘carry’ far more ads than users would consider acceptable if they actually saw them.


Fake Attribution Data

Type #6: Click spamming

Click spamming involves compromising the flow of data between app users and the servers that assign revenue based on which ad took the user to the app. The fraudsters inject a barrage of records that combine real device IDs with bogus ‘clicks’. The sheer number of times they do this means eventually the bogus records match up with a real user installing an app, at which point the fraudsters claim the credit – and the revenue.
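The defender-side counterpart to the scheme above is to look at what the attribution server actually records. The added example below (not code from the original post) runs last-click attribution over constructed click and install logs and scores each ad network on three signals that a click-spamming source distorts: clicks per device, conversion rate, and the click-to-install time (CTIT). The network names, device IDs, timestamps and thresholds are all assumed for illustration.

```python
from collections import defaultdict
from statistics import median
# Constructed sample logs (not real data): click = (ad_network, device_id, unix_s);
# install = (device_id, unix_s)
CLICKS = (
    # honest network: one click per device, installs follow within minutes
    [("net_honest", f"h{i}", 1_000_000 + i * 600) for i in range(20)]
    # spamming network: 30 bogus clicks per real device ID, spread over the day
    + [("net_spam", f"s{i}", 1_100_000 + i * 600 + k * 3000)
       for i in range(5) for k in range(30)]
)
INSTALLS = (
    [(f"h{i}", 1_000_000 + i * 600 + 180) for i in range(5)]  # 3 min after the click
    + [(f"s{i}", 1_100_000 + i * 600 + 30 * 3000 + 7200) for i in range(3)]  # hours later
)
def last_click_attribution(clicks, installs, window_s=7 * 86400):
    """Credit each install to the latest earlier click from the same device inside
    the lookback window. Returns [(network, click_to_install_seconds)]."""
    by_device = defaultdict(list)
    for network, device, ts in clicks:
        by_device[device].append((ts, network))
    credited = []
    for device, install_ts in installs:
        prior = [(ts, net) for ts, net in by_device[device]
                 if ts <= install_ts <= ts + window_s]
        if prior:
            ts, net = max(prior)  # latest click wins
            credited.append((net, install_ts - ts))
    return credited
def network_stats(clicks, installs):
    """Per-network signals: clicks per device, conversion rate, median CTIT."""
    credited = last_click_attribution(clicks, installs)
    stats = {}
    for network in {c[0] for c in clicks}:
        mine = [c for c in clicks if c[0] == network]
        ctits = [s for net, s in credited if net == network]
        stats[network] = {
            "clicks_per_device": len(mine) / len({c[1] for c in mine}),
            "conversion": len(ctits) / len(mine),
            "median_ctit_s": median(ctits) if ctits else None,
        }
    return stats
def flag_click_spam(stats, max_cpd=5.0, min_conv=0.05, max_ctit_s=3600):
    """Assumed thresholds (tune to real traffic): flag a network when at least two of
    three signals fire: many clicks per device, tiny conversion, hours-long CTIT."""
    def fires(s):
        return sum((s["clicks_per_device"] > max_cpd, s["conversion"] < min_conv,
                    (s["median_ctit_s"] or 0) > max_ctit_s))
    return sorted(net for net, s in stats.items() if fires(s) >= 2)
```

On the constructed data the honest network converts a quarter of its clicks with a three-minute median CTIT, while the spamming network shows 30 clicks per device, a 2% conversion rate and installs landing almost three hours after the last recorded click, which is the flat, delayed CTIT profile that real-device-ID click spamming leaves behind.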


Hurting the end-users

Naturally, much of the attention on mobile advertising fraud is on two victims: the advertisers who waste their budget and the publishers who lose revenue. What’s often not mentioned is the third victim: the end user.

At best, some of the scams mean users see unwanted ads and their attempts to engage with genuinely interesting advertisers are frustrated. At worst, ad frauds such as invisible ads or ad stacking can lock up valuable computing resources on their mobile device or even eat into precious data allowances.

In the most extreme cases, fake apps don’t just earn ad revenue for fraudsters. They can also sign the user up for premium services that cost them a small fortune. Some of these fake apps can even overcome CAPTCHA tests and intercept the user’s PIN code to defeat the security measures that are meant to stop unwanted premium sign-ups.