mFilterIt
Contact Us
mfilterit

Expert Opinion

click-injection

How to Tackle Click Injection?

Leave a Comment / Blog, Ad Traffic Validation /

In the click injection, Click is injected where a malicious publisher(apps) on the phone notices that the “ABC app” is being used by the customer and fires a click in the background. As the user is browsing on the “ABC app”, the click has been sent and the order captured. Hence, the attributes are manipulated, and payment is made to the wrong media source instead of the actual (and deserving) source. There are two levels of attribution: Click to Install Attribution: If a user clicks on an ad, we need to track the validity of that click that led to the installation or conversion. For example, a 7-day or 14-day attribution is considered a standard attribution window in many performance campaigns. If a click has been performed within the set attribution window, the click is valid for attribution, and the publisher that fired the click will be attributed to the install. Install to Event Attribution: The subsequent events after the installation are tracked, including add-to-cart, sale/purchase, booking, etc. The attribution window can also be defined from installation to the sale/purchase event. For example, many performance campaigns, from installs to a sale event, can vary from 24 hours to 30 days, depending on the advertiser’s marketing strategy. Steps Fraudsters Use in Click Injection: Fraudulent app installed on phone. When a new app (Advertiser app) is installed, fraudulent apps and other apps also get notifications through installation broadcast. This broadcast is essential to create a tight connection between different apps. The malicious app installed in the phone keeps performing its unsuspicious action until it listens to an Install Broadcast. Fraudulent apps push manipulated clicks. This click seems genuine as it has the device’s id and other records of the targeted device. Ads attribution services start tracing clicks in reverse chronological order and therefore determine the Fraudulent app’s click as the last-touch click and attribute this event to this fraudulent app. In this process, both genuine publishers and advertisers suffer losses. Genuine publishers do not get paid for their genuine efforts, and advertisers end up paying to the wrong channels. Many apps on the Play Store have been caught doing this. The case of Cheetah Mobile is classic in this, where all apps of CM (which were very popular and had millions of installs between them) would inject clicks to steal organic/inorganic installs from other sources. Further, users may unintentionally install a malicious app that performs non-suspicious operations, such as auto-change wallpapers, flashlights, cat-voicing, etc. It would appear harmless to them. These malicious apps are usually available on unverified Android sources for free. Such apps have permission to inject a click to run another application and listen to the ‘install broadcast’. How to Prevent Click Injection? Through Data Analysis: To detect click injection, mobile measurement partners need to track timestamps for when a user started an install (click-time) and when an install is finished on the device (conversion time). With access to this information, we can prove the user’s intent to install came before the fraudulent claim. Therefore, those claims can be detected before attribution, meaning that ad spend is safe from click-injection fraud. If we analyze the data pattern of a click injection, we can find that click-to-install time will always be less than expected. This generally works only to identify the more extreme and obvious cases of click injections. Users may take their own time installing and opening the app, which means that even if the click is injected, the time when the user opens the app can be outside the limit set. Use Google Play Store APIs (Only for Android): Google released Play Store Referral APIs, which provide timestamps of the time of click and download of the app from the App Store. These are more accurate and effective in ensuring the detection of click injections. Unfortunately, it works only on Android and not on IOS. Machine Learning and Artificial Intelligence: These methods seek for accounts, customers, suppliers, etc., that behave ‘unusually’ to output suspicion scores, rules, or visual anomalies, depending on the method. These methods can identify fraud with very high degrees of accuracy. Be Transparent with Publishers/Affiliates: As an advertiser, demand better transparency from your publishers or affiliates. Request publishers to identify all third-party traffic sources. If a publisher seems reluctant to identify his traffic sources, that indicates possible malicious activity and something to look out for. Implement Third-Party Fraud Monitoring: As fraudulent practices continuously evolve, it is challenging to identify all types of advertising fraud and block them in real-time. Implementing a third-party detection system will allow you to identify and block fake activity. Impact of Click Injection Click Injection creates a negative loop where the advertiser continues to pay someone else for the users they would have already acquired organically (or at least through other marketing channels). It captures organic traffic, brands it without the user’s knowledge, and then claims credit for it. It ruins the accuracy of a marketer’s data and impacts accurate decision-making. Few Exceptions: Coupons Sites/Deal Sites: A user adds a product to the cart but then figures out if there are any coupons/cashback available and clicks on the affiliate website later. Retargeting Sites: A user adds a product to the cart but changes his mind and keeps browsing some sites sees the ad and later decides to buy the product, so the time to add to the cart to click is more. mFilterIt’s Role: With its machine learning-based algorithms, mFilterIt tracks the characteristics of each device as per what it should be. The solution includes various situations and environments to detect and protect from various types of fraud. We combine cutting-edge machine-learning technology and a dedicated team of data scientists who endeavor day in and day out to help app advertisers flush frauds from their ecosystem, thus increasing their ROI. Get in touch to learn more about the Click Injection.

How to Tackle Click Injection? Read More »

identifying-click-spam

Identifying Click Spam Deterministically

Leave a Comment / Blog, Ad Traffic Validation /

Within the gamut of techniques resorted by fraudsters to ad fraud, koi dikh is the most common SIVT (Sophisticated Invalid Traffic) method used to spoof the performance. Being the most common technique, 40-50% of the marketing dollars lost due to ad fraud is eaten up by the fraudsters through Click Spam. So how do we tackle Click Spam deterministically? Two main tests are carried out on any campaign to identify Click Spam and its impact. i) Click-Install Time Series ii) Outlier Publishers i) Click-Install Time Series Analysis: In this first essential step, the behavior of click to install is analyzed to understand the pattern over some time. The time gap between the click and the install cannot be comprehensive in any genuine traffic source. A user will click a source and then install an app. It cannot be that a user views a campaign and installs it later after a considerable gap.   On the contrary, in bogus traffic sources, the installs will show abnormal plotting, which interprets as users installing apps after an interval once they click a campaign or an advertisement. Logically, this is never possible. Even if one may argue that the user would have seen the campaign on the go and later decided in spare time about installing the app. Or, a scenario where the user discovers an app while surfing for something and later in the evening decides to install the app discovered during the day. Yes, all these scenarios are real and can result in abnormal distribution on a time series analysis. But this cannot happen in large volumes. These are unique and isolated behaviors that cannot be generalized to the masses.   ii) Outlier Publishers: Data can tell almost everything. The Click to Time analysis cannot determine between genuine and fake installs. There are other factors to consider before establishing Click Spam sources. For this, it is essential to identify the outlier publishers.   A baseline analysis is done by studying the click rates of different publishers running a campaign. Logically, the app should target similar users showing more or less the same behavior. This means the publishers should also get some behavior in their campaigns. A baseline analysis helps understand the expected genuine clicks/installs on a campaign. Historical data analysis is also helpful in establishing a baseline. Once the baseline is established, the click rates achieved by various publishers are plotted. It is understood that the publishers cannot exactly fall on the baseline. Hence, a range of tolerance is defined using a proprietary algorithm that factors several parameters. If the publisher falls within this range, it still delivers valid traffic. However, if the publisher shows performance way beyond this range, it is detected as an outlier, resorting to click spam to spoof the performance. There is no magic wand with any publisher to achieve substantially different results than other publishers. Conclusion: The campaign analysis helps determine the click spam fraud rate and impact unambiguously. Together, these two tests identify the sources fetching invalid traffic, which is a direct dollar loss for the advertiser. Only by blending the analysis of Click to Install time with the identification of an Outlier Publisher, mFilterIt deterministically pinpoints the fake sources, resorting to Click Spam to fake performance and getting paid for non-performance tricking the advertisers. Let’s engage in a detailed conversation on the Click Spam ad fraud technique and how it’s impacting brands bleeding their marketing dollars. Get in touch to learn more about Click Spamming.

Identifying Click Spam Deterministically Read More »

decoding

Decoding mFilterIt

Leave a Comment / Blog, Ad Traffic Validation /

Many times, team mFilterIt is asked one basic but important question. What does the name mFilterIt stand for? In the journey so far, we have seen ourselves evolving by widening our horizons and thus creating an impact growing exponentially year after year. Today, mFilterIt is in its 3.0 version. The story began with making the mobile ecosystem clean and working on various challenges the mobile ecosystem faced. Apps were being built and deployed in millions for which brands were paying to discover users. This is even happening now. The second era for mFilterIt began with the thought of offering holistic solutions. While it is a fact that digital is becoming synonymous with mobiles, yet web is relevant. There are a lot of B2B2C transactions like lead generation for Banks which takes the web route with a direct selling agency in between predominantly. So, to offer a holistic fraud-free digital experience, the web became necessary, and the ‘m’ in our name became more of marketing, while the focus on mobile did not reduce. The relevance and purpose of going digital have changed. Businesses are no longer available on digital for marketing presence and amplification. It is the default business platform for new-age businesses while legacy businesses and sectors are catching up. The mFilterIt team’s conversations with its customers and other partners are now getting beyond marketing, essentially everywhere where there is an element of fraud, and mFilterIt could save money. This is mFilterIt 3.0, where ‘m’ has acquired three meanings:’ mobile’, ‘marketing’, and ‘money’. The proprietary technology of mFilterIt is used to filter the fake and bogus things taken away from the digital landscape to result in a trustworthy ecosystem where the organizations are getting what they see and spend. mFilterIt is confident of its solutions, which can decide between the angel and the evil, signified by suffixing It with Filter. It also adds a flavor of casualness, underscoring the ease of integration that has been the secret sauce of mFilterIt based on the KISS (Keep It Simple, Stupid!) principle. If the solution is not easy for any advertiser to implement, it is no good. These three distinct phases that can identify in the concise but impactful journey of mFilterIt have been filtering ‘mobile’, ‘marketing’, and now ‘money’. With the kind of Digital Transformation journeys different businesses are undergoing, ranging from services to manufacturing, the meaning of ‘m’ would keep on enriching, and our technology will also scale to keep filtering-It the evils of various fraudulent techniques implemented to achieve quantitative KPIs without any intent to complement it with quality. The future is unpredictable, but one can pick up early trends to see how future opportunities could evolve. At a time when we are at the cusp of the 4th industrial revolution or what is known as Industry 4.0, perhaps ‘machines’ is another flavor of ‘m’ that could be attributed to mFilterIt. One can foresee a lot of similarities in terms of potential threats in Industry 4.0 and the Smart and Connected world where brands could use mFilterIt technology. There will be an increasing demand to ‘tame’ and identify BOTs which can do a lot of harm in such scenarios. For imagination purposes, think of a machine’s operational plan compromised with a BOT which could over or underutilize it. Similarly, a BOT could loop electricity on and off for homes and public places. Examples can keep going on. mFilterIt is a listening organization and works in an agile work environment where products keep on improving and adding to their capabilities. Our R&D and product development teams are continuously working on repurposing and re-engineering the company’s core competencies to increase the impact, which results in growth and strengthens the key business parameters. mFilterIt will keep this blend of robustness and agility as guiding factors to be recognized as a thought leader in the space working with the entire ecosystem to build, nurture, and protect a trustworthy digital space where everyone across the value chain gets rewarded for the good by creating a genuine and pure ecosystem which takes the entire digital experience notches up.

Decoding mFilterIt Read More »

brands-vs-bots

Brands Vs BOTs: Importance of Decoding BOT Fraud

Leave a Comment / Blog, Ad Traffic Validation, Brand Safety & Protection /

Alan’s Turning remarkable theory formed the basis of computer science today. His famous test ‘The Imitation Game’ was based on whether a machine can fool us into believing that it was a human. The objective of the game was that the interrogator while sitting in a separate room had to identify which of the other two was the person and the machine. The interrogator knows the person by labels ‘X’ and ‘Y’ and does not know which of the other person and the machine is ‘X’. Alan Turning’s argument was that if a human cannot tell the difference between a computer and a human then we should call the computer intelligence. Alan Turning’s test is turning out to be true in today’s world. Almost half of the online traffic is BOT generated. This has led to adulterating the quality and genuineness of engagement driven by various platforms such as financial services, healthcare, travel, and e-commerce among others. It has not left any industry unaffected. In the advertising industry, due to fake BOT traffic, advertisers are losing millions of dollars each year. Fraudsters are becoming more advanced in their workings. They find new ways and activities to inject fake clicks or use bots to generate their revenue. The ability of bots has increased in the past few years to mimic human online behavior. As the line between humans and BOTs blurs, our suspicions are raised; so how do we get to know that real humans are clicking on our ads or installing our apps? The answer to this question is very complicated as there is no clear way to know whether the real human is clicking on the ads or not. How does BOT fraud occur? Fraud publishers use BOTs to send multiple clicks to the landing page or to fill multiple leads to earn money from advertisers. BOTs avoid traceability by changing the IP address presented at the time of the transaction from the original IP address of the device, which is either hidden or tampered with. In the absence of any fraud check, the advertiser ends up paying for fake clicks or installs. 2 Different Kinds of BOTs BOTs are trained to do multiple things at the same time. There are two kinds of BOTs: Good BOTs: They are used to gather information. BOTs in such disguises are called web crawlers. Good BOTs are used to interact with customers in an automatic form. Bad BOTs: Bad BOTs or malicious bots are self-propagating malware that infects its host and connects back to a central server(s). The server functions as a control center for the network of BOTs. These BOTs can gather passwords, obtain financial information, relay spam, log keystrokes, launch DoS attacks, etc. How to make sure that you are paying for genuine traffic? Paying for genuine traffic is never easy when it comes to performance marketing campaigns. Since the Alan Turning test, not much has changed apart from the real human interrogator, now we have technology solutions that act like an interrogator and help us identify the BOTs traffic from a genuine one. mFilterIt ad fraud solution helps in identifying invalid traffic due to ad fraud in your campaigns by using different kinds of algorithms. Get in touch to learn more about the Importance of decoding bot fraud.

Brands Vs BOTs: Importance of Decoding BOT Fraud Read More »

ad-bot-fraud

How Could Ad Fraud Land You Up Dating BOTs?

Leave a Comment / Blog, Ad Traffic Validation /

Unaware of the complexities in tech, users end up interfacing with machines. Ad fraud is seen from a very myopic and transactional view by the entire ecosystem. Due to this insensitive nature of advertisers and publishers, an ordinary user of the service or application suffers. As per media reports, the latest buzz in the app world is Gleeden, a French dating and social networking service primarily marketed to women. Its success in India is also skyrocketing. With over 8 Lakh users in India, the app witnessed over 300% increase in subscriptions compared to the previous couple of weeks. That’s a joy ride for the app! BOT-driven users and traffic have been degrading the quality and genuineness of engagement driven by various platforms offering e-commerce, financial services, healthcare, travel, social networking, dating, and whatnot. This is literally ‘burning’ money of the entire digital value chain, including the investors who put money into growing ventures to help them scale up. But what is more damaging and consequently far-reaching is the overall experience of any user who is seriously looking at the service or value offered by the app or service. Imagine apps and use cases like dating, etc., where users come up with more of an emotional reason and look for satiating very intangible feelings. If the users on these platforms are either BOTs or the profiles are not validated, which aren’t, the whole reason for being on the platform is jeopardized. Some people also get extremely serious about these services, and the engagement could be beyond a superficial connection. In that case, a person is emotionally drained and heart-wrenched upon learning that the engagement has either been with a BOT or an imposter. This is a considerable brand safety issue where the credibility and reputation of the service go for a toss. Retail or financial services need to be careful about ad fraud and brand safety. Still, it is also equally important for platforms like dating and social networking apps to have a clean and trusted user base leading to genuine engagement. Digital platforms cannot do without inorganic growth. They will have to continue spending on Performance campaigns to get the platform discovered and potentially acquire users. However, it needs to be done with precaution to ensure that we are not paying for something that is fake and can rip apart the platform’s reputation at any stage – from acquisition to re-engagement. There is an old saying, “Precaution is better than cure,” A cure is always expensive and unsuccessful in reversing the damage. Ad fraud is one such classic example where even increasing budgets on damage control will not yield the desired results because one single bad experience makes its eternal mark in the minds of a prospect or a user. That’s the extent of damage ad fraud can cause to the safety of a brand. Get in touch to learn more about Ad Fraud on Dating Bots.

How Could Ad Fraud Land You Up Dating BOTs? Read More »

app-ad-fraud

App Ad Fraud Continues to Be On the Rise in India

Leave a Comment / Blog, Ad Traffic Validation /

India witnessed mobile ad fraud of over Rs 573 crore during Q3 2019 over fake installations. A recent report by Sensor Tower ranked India as the country with maximum app installs in 3Q (Jul-Sep) 2019. It reported 5 billion app installations for India out of 29.6 billion app installs globally. This is excellent news for the country. However, at the same time, it also means an increase in ad fraud. As per mFilterIt internal analysis, over 273 million fake apps installation during July 2019 in India alone. This translates to a loss of over Rs 573 crore in Performance Marketing spending. Over 15% of the total app installs come through publishers, with an average fake user rate of 35%. Publishers are essential stakeholders in the value chain as they hold and influence particular communities that are potential users of several apps. This makes the engagement of app makers inevitable with the Publishers. At the same time, it is not that all Publishers resort to ad fraud and acquire fake users for the advertisers. Some Publishers get 100% validated genuine users to the Advertisers. For marketers, the key to success is engaging with a neutral ad-fraud solution that can validate the KPIs claimed by Publishers in an unbiased way. With too many apps available to users and the app ‘real estate’ becoming increasingly precious, it becomes equally essential for advertisers to engage with genuine users who not only install an app but also keep the engagement on. With the valuation models changing for businesses, the user base no longer remains the only factor to gauge success. How engaging the users are with an application is the most critical part. There is an increasing challenge of Brand Safety, which comes with ad fraud. The organic traffic stealing misaligns the brand positioning and raises doubts about the performance of organic marketing, which does not come cheap. Also, organic performance is much more robust and has long-term implications for the brand. To conclude, advertisers must engage with Publishers and even have a reward system for the best partners. However, the performance cannot be judged by looking at attribution results alone. There has to be a neutral third-party validation that brings transparency to the system. That’s the most straightforward resolution of the issue. Get in touch to learn more about Ad fraud in India.

App Ad Fraud Continues to Be On the Rise in India Read More »

app-ad-fraud

Apps Ad Fraud: Stealing an App Install after Install

Leave a Comment / Blog, Ad Traffic Validation /

With the push towards higher and higher KPIs and engagement checks by advertisers for their App Install campaigns, it has become more and more difficult for publishers to generate revenue simply on the trading game. The alternative: Resort to Ad Fraud. Till recently the Click Spamming fraud whereby fraudulent publishers would fire thousands of fake clicks continuously to capture organic traffic was the way to go for publishers to generate revenue and at the same time provide fantastic quality and meet KPI benchmarks for advertisers. We have recently come across new fraud in the App Install (CPI/CPR) advertising campaigns driven through affiliate networks where Organic and Inorganic installs driven through other networks/publishers are being captured and converted to your name! It is an amazing process of simply stealing an install attribution right at the very last stage of the attribution cycle : Capturing the Install AFTER the Install has been done!! When an app is installed and opened, only then does an attribution platform tracking get enabled. This is part of the Android OS restrictions whereby an app is not allowed to execute simply upon being installed. However, after an app is installed (organically or inorganically), and BEFORE it is opened by the user, there is a small time. Typical studies done by us indicate an average gap of 10 seconds between an install and actually, the app is opened for the first time. This increases substantially for larger-sized apps (since users will typically start doing something else while the download is happening). Now, many publishers have malicious apps that detect the installation of an app on the device (Android actually has a basic API to allow other apps on the device to know about a new app install!) and trigger a ‘fake’ click from the background AFTER the install but BEFORE the user opens the app. Simply by this one fake click, the install has been STOLEN from organic or even other inorganic channels! The reason? Attribution platforms attribute the installation based on the last click received. In this case, the last click was received by this fraudulent publisher overwriting the organic attribution or even the inorganic attribution of some other network! Since the fraud publisher did not have to fire thousands of fake clicks to capture the installation, the CR% (which was a good indication of Click Spamming fraud) will no longer work. Since this will capture both Organic as well as Inorganic installs, the quality of users acquired will be average. So the normal indicators of Click Spamming no longer work. Size of this Fraud : We estimate Click Spamming to be swindling $15m of Ad Spending each year within India. This is an estimate based on the detection we have done for many of our clients and is only an estimated number. Solution: We at mFilterIt detected this fraud in the Indian market as recently as 1 month ago and can track and detect these frauds deterministically as part of our Ad Fraud solution mFilterIt. Many of our customers benefit from this solution and save thousands of dollars in ad spending which are being wasted on paying for Organic traffic or incorrectly captured traffic. mFilterIt is now validating more than 1m installs daily and working with many of the top app advertisers in the country. We aim to provide value and savings to our clients on their Ad Spends which are getting wasted on fraudulent activities in the advertising world. Get in touch to learn more about the Ad fraud in App install.

Apps Ad Fraud: Stealing an App Install after Install Read More »

call-center-optimizer

Lead Predictor & Call Center Optimiser by mFilterIt

Leave a Comment / Blog, Ad Traffic Validation /

mFilterIt has launched its Lead Predictor and Call Center Optimiser tool which will help advertisers “predict” the conversion of a lead in real time!! We will be able to identify which leads are punched-in, fake, or bots as the lead is filled up and block them from triggering the call center itself! Preventing a lead that is fake or punched-in to even reach customer care and hence save costs for the advertiser. The Background : When advertisers run lead campaigns, they generally pay on call center-validated leads. This is done to safeguard against fraud, since only when a lead’s contact number is reachable, the lead will be paid for. Unfortunately in this process, while the advertiser has safe-guarded (but only to some level) the payment of fake and dummy leads, the call-center costs would shoot up. Further, the actual frauds that are currently being done in lead campaigns like : Punched-in leads: leads filled by publishers of genuine users but without the users showing any interest or even being aware of the product or Fake call-center leads: where publishers fill leads with phone numbers belonging to their own call-center users, who will accept the calls but will never actually convert for the brand to bypass the normal scrutiny, since the call from the brand’s call center will always be complete, but no end-gain will come out of it. End impact on the advertiser : 1-Lower final conversion ratio 2-Higher Call Center Costs 3-Higher payouts to Publishers for fake leads How we do it! mFilterIt Lead Predictor and Call Center optimization tool will detect these cases in real-time, which can be used by advertisers to prevent fraudulent leads from even reaching the CRM and further the call center. This means : 1-Immediate lead validation 2-Improved focus on actual genuine leads 3-Lower call center costs 4-Higher ROI and Conversion Rates 5-Lower payouts to publishers And proof point of how good we are? In multiple campaigns, our false-positive rate (leads predicted to be fraudulent end up actually converting for the customer) is less than 0.5%. All this with almost zero tech efforts, a start time of less than 30mins, and many more features of our lead platform like : 1-Lead Data Enrichment to enhance the lead information for better ROI of genuine leads. 2-Email Verification to prevent fake/mistyped email IDs from going into your digital marketing database and resulting in hard bounces and IP reputation issues. 3-mTrackIt, our Publisher Management tool, removes the need for cookies of publishers and eliminates all manual operational activity of onboarding publishers. Many large brands have already shifted their lead campaign to our technology. Reach out to us and see how we can improve your ROI on your lead campaigns from Day#1 with Zero Tech efforts and maximum returns. Get in touch to learn more about the Lead Predictor and Call Centre Optimizer.

Lead Predictor & Call Center Optimiser by mFilterIt Read More »

app-privacy

3 Major Threats From App Piracy That Brands Cannot Ignore

Leave a Comment / Blog, Ad Traffic Validation /

Do you know? 85% of apps can be decompiled and modified to be injected with malicious code triggering undesired behavior of an app with ulterior motives. APPs have become the default interface for users to interact digitally with people, services, and platforms. Globally, an estimated 3 million apps are available on Google Play Store. The common man’s perception is an app is a distinct and infringeable digital asset of an organization. People consider it genuine, especially when it is on a platform like Google Play Store or Apple App Store. However, the fact is that an app can be pirated and can result in App fraud. Techniques like decompiling an app and modifying the package with malicious code lines make an app vulnerable. Essentially three main threats emanate from a pirated app. 3 Main Threats from a Pirated App Compromised Privacy: Irrespective of any such app available over a Play Store or otherwise, if a user inadvertently installs a pirated app considering it to be a genuine version, there is a higher probability of that app being able to access personal data, including contacts, SMS, pictures and other sensitive data that must store on a Smartphone. Ad-Fraud: Compromised apps are used as a medium for fraudsters to control a Smartphone, a publishing medium to fake traffic, users, or events. With malicious code lines put along with the app or digital ads, the fraudsters commit ad fraud by getting impressions, app and even trigger clicks, etc., to fake KPIs agreed with an advertiser whose campaigns are being run. At the same time, ill-practiced publishers steal the organic traffic of mobile apps/browsers to credit any activity a user does to earn the attribution without doing any hard work. In this case, such a publisher reports ‘stolen’ traffic as theirs and credits the attribution to get paid for something they never did. This also demotivates the digital marketing team as organic traffic earned after painstaking efforts is tagged as inorganic. Brand Safety: Another important ramification of a pirated app version is the damage it causes to the image and reputation of the brand. Since the app is compromised, it cannot guarantee its behavior will align with the tenets of a brand, its philosophy, and its guidelines. This means a spectrum of issues. In its simplest forms, the brand, through this rogue app, could be seen as promoting theft of data, infringing on privacy, displaying obscene content, and several similar issues. Since this app is not in the control of the actual brand, it would not act as a responsible digital asset representing it. App Piracy Cannot Be Ignored Unfortunately, app piracy has not been getting its due mindshare from the ecosystem, including governments. There is a need to have strict regulatory guidelines about app piracy for the various damages it could result in, ranging from hampering an individual’s privacy to hurting national interests. While having a national consensus around app piracy is essential, brands cannot and should not wait for the government to intervene. Marketers, every organization, institution, and entity having an app, must keep a vigil on the pirated versions of their apps available either over the Play Store or through non-play store platforms. Android RAT tools like FatRat and other powerful tools like Metasploit help to pass through the security layers of Android by circumventing the security policies and can even bypass an Antivirus and Firewalls, allowing attackers access to a Meterpreter session. These publicly available tools add to the vulnerability of an app where even app permissions are compromised. So, while a genuine version of an app will be genuinely seeking 10 permissions from the device, a pirated version might be taking entirely different or some more critical permissions, which are not required by the app. Still, fraudsters modify them for their ulterior intentions. How Can mFilterIt Help? mFilterIt helps its clients monitor any pirated version created over several alternate app stores and identifies the modification – addition or deletion of permissions fiddled with such duplicated versions. Below are some of the examples to highlight.   In all the above examples, mFilterIt scanned the pirated versions of these popular apps on various APK Stores and identified the modified permissions. This helped the clients take necessary actions and understand the motive behind creating such pirated versions, which ranged from infringing piracy of legitimate users and using these apps for ad fraud. Monitoring pirated app versions is essential for every organization. However, its importance becomes paramount for sensitive domains like government, security, BFSI, healthcare, etc. Consumers need assurance and trust that the app they are installing on their devices is the verified version of the organization or any other entity they are engaging with. There should be a public repository of identified pirated app versions, and consumers must be made periodically aware of fake apps. Get in touch to learn more about the threat of app piracy.

3 Major Threats From App Piracy That Brands Cannot Ignore Read More »

app-advertising-fraud

Using KPI Targets Against App Advertising Fraud

Leave a Comment / Blog, Ad Traffic Validation /

Let’s start this topic with a question from a different universe! Imagine owning a bank and having a vault where lots of money is stored. It has the world’s best security systems safeguarding it. All the tools we see in the latest spy movies are implemented – Cameras, thermal visions, laser beams, explosion protection, retina eye scanners, and fingerprint scanners. All state-of-the-art and best of the breed. Your security advisor comes to you and asks whether we should guard the building where the vault is located with essential security guards and an entry register. A primary access control. Should we spend money on security guards with such excellent protection in the vault? Or should we allow anyone and everyone to come to the vault and try their best to steal from it (in the hope that they will not hack the top-class vault security)? What will be your answer? Performance KPIs-Based Campaigns Don’t Offer Fraud Protection Many advertisers moved to KPIs and goals-based campaigns to better align their spending with their revenue. E.g., CPR (Pay per Registration), 30% of installs should lead to registrations, 20% of installs should lead to wallet top-ups, etc. The aim: Aligning the advertising costs with the business objectives. If an affiliate gives users who carry out transactions, it is worth the expense. But, very quickly, it has also become their line of defense against fraud for many advertisers. Hey, it’s simple. If a publisher is acquiring a user who generates business for me, and that’s when I pay the publisher, why should I bother with fraud? Let there be fraud. As long as I pay for an actual business transaction, I don’t need to think about fraud. That is an incorrect approach to fraud and the topic for this research. Faking Events! Most advertisers depend on attribution platforms to measure and track publishers’ performance and use it to enable/disable publishers who are working and those who are not. Attribution platforms keep track of ‘events’ that the APP raises at specific points of the user journey, which is projected against the publisher to identify the alignment of publishers with end business objectives. E.g., What is the ROI for X publisher vs. Y publisher? But the question is: How is the ROI being calculated? And is it sacrosanct? Can it be manipulated? Our research shows it can!! Attribution platform events can be faked and triggered without actual activities happening on the app. Fundamental is that android is an open OS, and getting root access to change and modify anything is not very complicated. This includes events. The events faked will show up on attribution platforms against the publisher, and the advertiser will get an image of excellent traffic and all KPIs being met. But when the actual so-called ‘sales’ or ‘registrations’ are tracked at the back-end systems of the apps, there will be nothing present! This gets further complicated by silos between marketing and product teams, whereby access to data across teams is restricted. So, if your only protection against AdFraud is the KPIs tracked on the attribution platform, you may be in trouble. Here is a step-by-step guide of what we did : Take an app that is pushing CPR/CPS/KPIs linked campaigns. Decompile the app using standard android decompiles. Find the event’s structure implemented (while tools like prograde make the code unreadable and obfuscated, can understand most of it, simply because attribution platform events are standard and their documentation readily available) Install the app on the phone. Link the network to a proxy analyzer (like Burp Suite etc.). Implement a custom root certificate on the phone, which allows a simple man-in-the-middle attack. This will allow you to read HTTPS communication also. Open the app, and carry out the transaction. You will see the events being fired from the app on the proxy analyzer. You can now read the events being fired. Reverse engineering the event allows you to construct the event’s structure easily. Some attribution platforms implement basic SHA1 encoding on specific timestamps and other data fields, which can be undone once you know the code from step # 2. Remember that you need to do this for an attribution platform only once since the structure of events will mostly remain the same. Now you have an engagement engine in your hands! Link it to a simulated install engine. So you can carry out a sequence of simulated installs and events!! Install the app on a simulated phone (e.g., blue stacks) to fake the event. Remove the app. Modify the device IDs. Repeat. And Repeat. Your engagement KPIs will be 100%. The advertiser will be delighted! The Problem is in the Approach!! The basic approach to advertising in this scenario is wrong. You cannot allow fraudsters to reach your systems and try to manipulate them. You cannot expect the end goal of KPIs to protect you against fraud (to clarify, KPIs to track publishers is still a great idea, but thinking that it also protects you from fraud is incorrect). There must be a multi-layered fraud protection system in place; otherwise, you are at the mercy of fraudsters continuously trying to hack your systems and find a loophole. With due regard to attribution platforms, any and every system globally is susceptible. And no system is fool-proof. When a fraudster understands that the only thing stopping him from earning money is some events being tracked on a platform, he will find a way to hack it. Advice: Invest in the Security Guard!! The bank (in our leader story) decided to have security guards at the building so that only controlled people could enter the bank and reach the vault. This substantially reduces fraudsters’ access and the opportunity to try their tricks to hack the system. Also, if they still hack it, they leave identifiers (e.g., register entries at the bank, etc.) behind, resulting in them being caught. It does not matter if the vault is heavily protected and has the best security in place. Advertisers need

Using KPI Targets Against App Advertising Fraud Read More »

Scroll to Top