Why Mobile Malware Could Destroy Your App

In-app advertising is rapidly becoming the crown jewel of digital marketing, but it’s a sector at serious risk. Mobile malware designed for ad fraud is a substantial problem. It not only irritates device users and wastes ad budgets, but can be devastating for app developers. Not only can “lookalike” apps trash hard-won reputations, but scammers can indirectly hijack legitimate apps. Google may then remove the apps from the Play store, with disastrous financial consequences for the app developers.


In-App Ads: The Place To Be

It’s no secret that consumers are spending more of their online time on mobile devices rather than traditional computers but it’s easy to underestimate the implications for advertising:

— As early as 2017, advertising became the dominant source of revenue for app developers, ahead of app sales and in-app purchases. Forbes reported 55% of all app revenue was from advertising, a figure that rises to 76% among non-gaming apps.

— Total spending on in-app advertising is forecast to triple in the space of five years, passing the $200 billion mark in 2021. AppAnnie notes that more than half off all digital ad spending is assigned to in-app ads.

Mobile in-app see the largest share of digital budgets today with 22.3%. Forrester also reports that 92 percent all advertisers and agencies expect to increase their budget for in-app advertising in the next year, with almost one in three expecting an increase of 6% or more.

— Revenue is rising because in-app ads work. An Ipsos survey found people who saw an in-app ad were more likely to remember its content and message than those who saw it on a mobile browser or a desktop computer.


shift to in app ads


Fraud The Biggest Threat To In-App Marketing

Malicious or compromised apps are designed to secretly rack up bogus clicks and page views in the background. The only way device users know something’s amiss is when their data allowance mysteriously plummets, their battery life is shortened, or their phone overheats. Advertisers suddenly find that rather than reaching their perfectly honed target audience, they are paying for clicks where there’s nobody viewing the ad at all. And network operators have to deal with complaints from users who pay for a data package and find it drains quickly without explanation.


How Malware Ruins Apps

Let’s take one mobile malware incident to see how this all works. The Android app Vidmate was a huge success with 500 million downloads but it is no longer available in the Google Play Store.

The big problem was that once active on the device, Vidmate loaded a third party software development kit (SDK) called Mango. As well as the all-too familiar fake clicks and invisible page views, Mango was also signing users up to premium digital subscription services charged to their airtime balance. It was a sophisticated operation that simulated the user actively clicking their way through the sign-up and confirmation process.

Once Secure-D discovered and highlighted this rogue activity, all traffic coming from Vidmate stopped overnight. As an app, it was effectively dead.

This is far from a one-off. Google removed 700k malicious apps from Google Play Store in 2017 clearly showing that malware is hidden under popular apps in Google Play. And it is an epidemic affecting millions of users worldwide. In 2018 alone Secure-D identified 22 million unique users in Brazil whose device was infected with mobile app malware. It’s not limited to one country either. The equivalent figures were 7.2 million in Egypt, 6.9 million in South Africa and 3.2 million in the UK.


App Developers Pay The Price

Sometimes legitimate app developers are as much a victim of such scams as device users.

That looks to have been the case with online file hosting and filesharing app 4shared. Secure-D revealed it was making bogus ad clicks in the background. The culprit was a compromised SDK called Elephant Data.

4shared’s developers stated that they were not aware of the background activity of the app, and that they had removed the Elephant Data SDK in the new release of the application.

Even where the app’s developers have nothing to do with the malware, they can still suffer serious reputational damage. Users who see unexplained data use or battery drain because of the relentless background activity will blame the app and publish negative reviews.

If and when the malware is uncovered, there’s even the threat of Google banning the app from the Play Store. This will destroy its potential audience in an instant: without the exposure and ease of installation from Google Play, few device owners will find and risk installing it from other sources. And without a solid user base, monetizing an app through sales, in-app purchasing and advertising becomes as good as impossible.


Fraud Keeps Advertisers Awake At Night

The pain continues with the advertisers themselves. Such scams cause double damage:

  • Brands can suffer serious damage when their (legitimately placed) ads get associated with the scams, however unfairly.
  • A significant part of ad budgets is effectively wasted paying for fraudulently reported activity that doesn’t actually involve any human seeing the ad.
  • Even if advertisers get refunds for the supposed views and clicks that were the work of bots, it’s a time-consuming process chasing up the lost revenue.

Compared with other forms of digital marketing, in-app advertisers aren’t worried about traditional headaches like effective targeting. Instead the biggest concern is mobile ad fraud. Forrester reports that 52 percent of brands say fraud is a key challenge for in-app ads.


SDK & App Spoofing A New Threat

In other cases app developers are the victim of SDK spoofing. That’s where a malicious or compromised app poses as a legitimate app when dealing with attribution systems.

With SDK spoofing, malicious code in the rogue or compromised app manipulates the system to falsely claim the credit (and payment) for various forms of attribution such as clicks and ad impressions of a legitimate app.

That’s terrible news for that app’s developers. At best they get dragged into controversy as device users complain about the malware. In extreme cases, the legitimate app can be booted out of major app stores.

An associated scam is called app spoofing. That’s where a rogue app poses as a legitimate app when bidding to carry advertising. The rogue app benefits from the reputation and value of the legitimate app, thus being more likely to win the rights to carry the ads at a premium price. Again the advertisers are wasting their money paying for fraudulent ‘traffic’.


The Fight Back Starts Here

Mobile malware is an epidemic that hurts legitimate app developers, advertisers and app users alike. The incentive to carry out such scams will only grow as the in-app advertising boom continues. Secure-D recently took a major step to tackle the problem by releasing the first ever mobile malware analytics platform.

The Secure-D index covers 1,500 known malicious or compromised apps with a combined 13.5 billion downloads across 17 markets. It’s free to access and includes the very latest details on the status and availability of the apps and the size of the threat. As well as aiding users, the index is designed to give app developers an easy way to check if their app has been identified as suspicious by Secure-D.

It’s all based on a simple philosophy: transparency and easy access to relevant information is the biggest step against mobile malware.