By Amit Joshi on April 10, 2017
Originally posted on eMarketer.
Q&A with Amit Joshi, Director of Product and Data Science at Forensiq.
Fraudsters follow the money trail, which now leads to mobile’s two advertising channels—mobile websites and apps. Mobile apps are particularly appealing to fraudsters because in-app inventory commands premium prices, and because the industry has lagged behind in offering app-specific fraud detection services. eMarketer’s Cathy Boyle spoke with Amit Joshi, director of product and data science at fraud detection platform provider Forensiq, about some of the fraudulent practices used in mobile apps, and what advertisers can do to protect themselves.
eMarketer: Broadly speaking, can you describe the state of ad fraud in mobile advertising?
Amit Joshi: Fraud in mobile is quite pervasive. Based on research I’ve been doing, it could be anywhere from 10% to 30% [of impressions].
Fraudsters follow the money, and the money is definitely flowing into mobile. It’s a gold mine for fraudsters because the industry, as a whole, is behind in terms of protecting itself from mobile IVT [invalid traffic].
eMarketer: What’s holding the industry back from introducing the necessary fraud protection services?
Joshi: Vendors have been focused on the web space, but there hasn’t been enough time for most vendors to build a suite of mobile services. What a lot of them are doing is taking their desktop web suite, applying it to mobile and saying, “It works.” But that is definitely not the case.
Mobile web is a little bit easier to crack because it’s so similar to a desktop, but in the mobile app space there are more issues than just invalid traffic. There are issues around measurability and the execution of in-app tags. These issues aren’t as much of a problem on the mobile web or the desktop side.
eMarketer: Can you expand on the issues companies like yours face with mobile apps? Presumably some are technical, right?
Joshi: One solution is for the app to employ an SDK [software development kit]-based monitoring system, instead of a tag-based monitoring system. But that, in and of itself, is a problem. App developers are reticent to put additional SDKs into their app—they want to avoid making the app bigger. There’s also a distribution problem when it comes to getting someone to load your SDK. SDKs are typically added when apps are updated, which means you have to wait until a significant portion of the app market updates in order to distribute your SDK.
There is also an issue on the algorithm development side, too. All of the verification algorithms take research—looking at the data and verifying that what you’re calling fraud is actually fraud. That all takes time to develop. Because the focus on mobile—in terms of verification—hasn’t followed the spend on mobile, there are some patterns of fraud that are still being missed by vendors.
eMarketer: Can you give me an example of fraud that is unique to apps?
Joshi: One thing that some apps do is cache ads. They’ll request a bunch of ads from an exchange and cache them so that when it’s time to serve a new ad, it will render seamlessly. That’s good in terms of making sure that the user experience isn’t ruined, and most supply-side platforms [SSPs] will only charge advertisers for ads rendered.
But through this practice some “bad” apps commit what we termed mobile device hijacking. They’ll just request and cache a bunch of ads and make it seem as though they were rendered on screen. But they won’t actually show the ad to the user. Or, they might show just 1% of the ads on screen. For the rest, they’ll make it seem as though there was an ad rendered when there really wasn’t.
A lot of times, this is done on real users’ devices. They’d get someone to download their app, and then the tricky thing they do is request certain permissions so they can commit as much fraud as possible. One such permission might be to start an app whenever the phone is started. With that permission, the app can run in the background and continue to load ads even if it’s not in focus on the device. That essentially turns a user’s device into a 24/7 profit center for the malicious app.
eMarketer: How widespread is device hijacking?
Joshi: The problem is on the same scale as botnet traffic in the web ecosystem. Anywhere from 10% to 30% of inventory could be affected by this sort of simple device hijacking.
But even more complex tactics are being used. For example, apps committing fraud might come through a single device, but then have a list of 1,000 different in-app advertising identifiers [for example, Apple’s Identifier for Advertisers (IDFA)] that they can send into exchanges and SSPs. This allows the fraudster to simulate 1,000 different users from one phone.
eMarketer: How quickly are these instances of fraud increasing, and fraudulent practices evolving?
Joshi: It’s definitely changing quickly. What we’ve seen year over year is the more simple methods of fraud get caught, and then more complex methods get employed and become more widely distributed. I expect that trend to continue.
eMarketer: What are some best practices advertisers should use to protect themselves?
Joshi: You need to have your own in-house tool, because ultimately it’s up to you to vet what you buy. The techniques we see are so complicated that you need a team that’s focused on staying ahead of the fraudsters to make sure that your traffic is protected, and you’re getting ROI on your ad spend.
Beyond that, if you’re working with a few different exchanges, you need to understand what programs they have in place. For example, how do they vet the publishers that they allow onto their exchange or network; how, if at all, do they look for and filter invalid traffic. Having that level of understanding is really important.