• Pranav Anand

Ad Fraud Attacks on Gaming Apps



Market research suggests that mobile gaming apps would witness a CAGR of 12.3% between 2021 and 2026. The growth is attributed to the rise in work-from-home (WFH) conditions, the increase in smartphone users, and tech adoption over the last couple of years. The penetration of mobile games through social apps like Facebook has also contributed to the rise in gaming app installs.




The regions with the highest gaming app adoption include North America, Europe, and Asia Pacific. A NASSCOM study estimated that the potential of the Indian mobile gaming market would reach 628 million users in 2020. The key competitors in the mobile gaming market include Tencent Holdings Limited, Zynga, Activision Blizzard Inc, and many others. The rise in the adoption of gaming apps has increased mobile ad fraud.


Our research reveals that less than 36% of online traffic consists of humans, whereas 64% consists of good and bad bots. Mobile ad fraud is a technique fraudsters use to target mobile advertising (bypassing mobile marketing funnels) for financial gain. Our research states that fraud in apps can range between 18-36% depending on the type. The types include click spamming, SDK spoofing, incent fraud, IP fraud, geo fraud, etc.


However, these don’t account for the 45% of retargeting ad fraud in the industry. Fraudsters infiltrate apps to steal paid/organic user credits, trigger in-app events, display false event information, etc. Moreover, ad fraud in mobile apps also hampers brand safety. Eliminating mobile ad fraud is important for avoiding misattribution, for not losing the advertising budget to fraudsters, and for building strategies around real-time analytics.

3 Types of Fraud in Gaming Apps

● CPA Fraud in App


CPA models assume that quality users take action after installing the app. Advertisers use factors like tutorial completed, level reached, and in-app purchases to determine users’ lifetime value (LTV). The CPA model was adopted to diminish install fraud rates. Unfortunately, fraudsters created SIVT, or sophisticated invalid traffic, to bypass fraud detection and crush in-app economies.


Advertisers also generate revenue through in-app marketplaces and purchases. Freemium businesses also make revenue through in-app advertising. Advertisers make revenue based on cost-per-sale models created after analyzing premium users. Fraudsters use ad fraud to collect the cost per action through in-app ads, as the fixed percentages or rates provide high payouts. CPA campaigns are believed to be robust and to deter ad fraud, because the general notion is that in-app user behavior is more difficult to replicate than an install is to fake.


Unfortunately, the bad actors are far smarter than that. The fraudsters not only use bots to create in-app events; they go a step further and steal credentials, such as account info and credit details, of real users (both organic and paid) who are likely to be far more active within the app.


● Attribution Hijacking


Publishers commonly work with attribution models for tracking events like installs, purchases, link clicks, etc. The fraudster claims credit for the first/last click before the event, which in gaming apps is commonly an install. By doing so, fraudsters obtain revenue from advertisers in exchange for the fraudulent credits. The method affects organic and inorganic users equally.


Install hijacking is commonly practiced by injecting false referrals or delivering false click reports. Users who click to install an app are redirected to the Play Store, and whenever the user installs the app on the Android device, the other apps are alerted through a standard Android broadcast.


Any malware installed through another app installation is then triggered and builds a fake click report that attributes the install to the partner, even though the install came from a media partner. Attribution hijacking is commonly witnessed in retargeting campaigns.
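A server-side check for the fake click reports described above, as an added example that is not part of the original article. It assumes the attribution server holds a trusted timestamp for when the store download began; the field names, partner names, and sample data are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class ClickClaim:
    partner: str           # network claiming the click (hypothetical names)
    click_ts: int          # claimed click time, epoch seconds
    install_begin_ts: int  # trusted time the store download began

# Constructed sample: one install; the second click is reported only after
# the download had already started, as a broadcast-triggered report would be.
SAMPLE = [
    ClickClaim("media_partner_a", 1_700_000_000, 1_700_000_030),
    ClickClaim("partner_b", 1_700_000_045, 1_700_000_030),
]

def is_injected(claim: ClickClaim) -> bool:
    """A click cannot have led to a download that began before it."""
    return claim.click_ts >= claim.install_begin_ts

def naive_last_click(claims):
    """Last-click attribution with no validation: latest click wins."""
    return max(claims, key=lambda c: c.click_ts).partner

def validated_last_click(claims):
    """Last-click attribution that ignores clicks dated after download start."""
    valid = [c for c in claims if not is_injected(c)]
    if not valid:
        return "organic"  # no credible click: pay no partner
    return max(valid, key=lambda c: c.click_ts).partner

def injected_by_partner(claims):
    """Count rejected claims per partner to spot repeat offenders."""
    return Counter(c.partner for c in claims if is_injected(c))

if __name__ == "__main__":
    print("naive:", naive_last_click(SAMPLE))
    print("validated:", validated_last_click(SAMPLE))
    print("rejected:", dict(injected_by_partner(SAMPLE)))
```
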


● SDK Hacking (AKA SDK Spoofing)


Another fraud that relies on malware already present on user devices through app installation is SDK hacking. This bot fraud spoofs installs by tricking servers, providing monetary gain to cybercriminals. Brands using open source technology or poor encryption should know that fraudsters use these loopholes to manipulate or reverse-engineer attribution codes.


Besides installs, SDK spoofing can even tamper with clicks and other engagement signals. Identifying SDK spoofs requires tracking unused SDKs, watching out for install fraud, and generating a report for fraud exposure. The best methods to avoid SDK spoofing are avoiding open source SDKs, ensuring secure communication between SDKs and servers, detecting behavioral anomalies, and using a solution for bot detection.
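One way to secure communication between an SDK and its server, shown as an added example that is not from the original article or any particular SDK: each event is signed with HMAC-SHA256 and the server rejects forged, stale, and replayed events. The per-device key provisioning, field names, skew window, and sample event are assumptions.

```python
import hashlib
import hmac
import json

MAX_SKEW = 300  # seconds an event timestamp may differ from server time (assumed)

def sign_event(key: bytes, event: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the event."""
    msg = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class EventVerifier:
    """Server side: accept an SDK event only if signed, fresh, and unseen."""

    def __init__(self, device_keys: dict):
        self.device_keys = device_keys  # device_id -> per-device key
        self.seen = set()               # (device_id, nonce) already accepted

    def verify(self, event: dict, signature: str, now: int) -> str:
        key = self.device_keys.get(event.get("device_id"))
        if key is None:
            return "unknown_device"
        expected = sign_event(key, event)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "bad_signature"      # forged or modified in transit
        if abs(now - event["ts"]) > MAX_SKEW:
            return "stale"
        tag = (event["device_id"], event["nonce"])
        if tag in self.seen:
            return "replay"             # captured event sent again
        self.seen.add(tag)
        return "accepted"

# Constructed sample data (key and event are placeholders)
KEY = b"per-device-key-issued-at-registration"
EVENT = {"device_id": "dev-1", "event": "install", "ts": 1_700_000_000, "nonce": "n-001"}

if __name__ == "__main__":
    v = EventVerifier({"dev-1": KEY})
    sig = sign_event(KEY, EVENT)
    print(v.verify(EVENT, sig, now=1_700_000_010))
    print(v.verify(EVENT, sig, now=1_700_000_020))
    forged = dict(EVENT, event="purchase", nonce="n-002")
    print(v.verify(forged, sig, now=1_700_000_020))
```

A key stored in the app can still be extracted by reverse engineering, so signing complements the behavioral anomaly detection mentioned above rather than replacing it.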


One of the largest drawbacks of mobile ad fraud is account takeover (ATO). It has led to consequences like cyberbullying of children, loss of money, and data privacy breaches. Moreover, ATO attacks on apps can reward a fraudster instead of a professional with tournament entries and awards. ATO attacks also cause brand infringements, tarnish a brand’s reputation, and flush goodies out of inactive accounts.

Conclusion


The presence of ad fraud in the mobile advertising domain is causing serious grievances for advertisers and marketers. Brands should eliminate ad fraud in order to build marketing strategies on real analytics, save on ad spend, and acquire real conversions. Combating ad fraud and ensuring brand safety requires a 360-degree solution with specialists available round the clock.


Moreover, the ad fraud solution should have AI and ML capabilities to detect SIVT, analyze anomalies, and scan the web for brand infringement. By incorporating such a technology, brands can ensure a safer digital ecosystem, ad servers, and systems for managing consumer data.


