Using KPI Targets Against App Advertising Fraud

Let’s start this topic with a question from a different universe!

Imagine owning a bank and having a vault where lots of money is stored. It has the world’s best security systems safeguarding it. All the tools we see in the latest spy movies are implemented – Cameras, thermal visions, laser beams, explosion protection, retina eye scanners, and fingerprint scanners. All state-of-the-art and best of the breed.

Your security advisor comes to you and asks whether we should guard the building where the vault is located with essential security guards and an entry register. A primary access control. Should we spend money on security guards with such excellent protection in the vault? Or should we allow anyone and everyone to come to the vault and try their best to steal from it (in the hope that they will not hack the top-class vault security)?

What will be your answer?

Performance KPIs-Based Campaigns Don’t Offer Fraud Protection

Many advertisers moved to KPIs and goals-based campaigns to better align their spending with their revenue. E.g., CPR (Pay per Registration), 30% of installs should lead to registrations, 20% of installs should lead to wallet top-ups, etc.

The aim: Aligning the advertising costs with the business objectives. If an affiliate gives users who carry out transactions, it is worth the expense.

But, very quickly, it has also become their line of defense against fraud for many advertisers. Hey, it’s simple. If a publisher is acquiring a user who generates business for me, and that’s when I pay the publisher, why should I bother with fraud? Let there be fraud. As long as I pay for an actual business transaction, I don’t need to think about fraud. That is an incorrect approach to fraud and the topic for this research.

Faking Events!

Most advertisers depend on attribution platforms to measure and track publishers’ performance and use it to enable/disable publishers who are working and those who are not. Attribution platforms keep track of ‘events’ that the APP raises at specific points of the user journey, which is projected against the publisher to identify the alignment of publishers with end business objectives. E.g., What is the ROI for X publisher vs. Y publisher? But the question is: How is the ROI being calculated? And is it sacrosanct? Can it be manipulated? Our research shows it can!!

Attribution platform events can be faked and triggered without actual activities happening on the app. Fundamental is that android is an open OS, and getting root access to change and modify anything is not very complicated. This includes events. The events faked will show up on attribution platforms against the publisher, and the advertiser will get an image of excellent traffic and all KPIs being met. But when the actual so-called ‘sales’ or ‘registrations’ are tracked at the back-end systems of the apps, there will be nothing present! This gets further complicated by silos between marketing and product teams, whereby access to data across teams is restricted.

So, if your only protection against AdFraud is the KPIs tracked on the attribution platform, you may be in trouble.

Here is a step-by-step guide of what we did :

1. Take an app that is pushing CPR/CPS/KPIs linked campaigns.
2. Decompile the app using standard android decompiles. Find the event’s structure implemented (while tools like prograde make the code unreadable and obfuscated, can understand most of it, simply because attribution platform events are standard and their documentation readily available)
3. Install the app on the phone. Link the network to a proxy analyzer (like Burp Suite etc.). Implement a custom root certificate on the phone, which allows a simple man-in-the-middle attack. This will allow you to read HTTPS communication also. Open the app, and carry out the transaction. You will see the events being fired from the app on the proxy analyzer.
4. You can now read the events being fired. Reverse engineering the event allows you to construct the event’s structure easily. Some attribution platforms implement basic SHA1 encoding on specific timestamps and other data fields, which can be undone once you know the code from step # 2. Remember that you need to do this for an attribution platform only once since the structure of events will mostly remain the same.
5. Now you have an engagement engine in your hands! Link it to a simulated install engine. So you can carry out a sequence of simulated installs and events!!
6. Install the app on a simulated phone (e.g., blue stacks) to fake the event. Remove the app. Modify the device IDs. Repeat. And Repeat.
7. Your engagement KPIs will be 100%. The advertiser will be delighted!

The Problem is in the Approach!!

The basic approach to advertising in this scenario is wrong. You cannot allow fraudsters to reach your systems and try to manipulate them. You cannot expect the end goal of KPIs to protect you against fraud (to clarify, KPIs to track publishers is still a great idea, but thinking that it also protects you from fraud is incorrect). There must be a multi-layered fraud protection system in place; otherwise, you are at the mercy of fraudsters continuously trying to hack your systems and find a loophole.

With due regard to attribution platforms, any and every system globally is susceptible. And no system is fool-proof. When a fraudster understands that the only thing stopping him from earning money is some events being tracked on a platform, he will find a way to hack it.

Advice: Invest in the Security Guard!!

The bank (in our leader story) decided to have security guards at the building so that only controlled people could enter the bank and reach the vault. This substantially reduces fraudsters’ access and the opportunity to try their tricks to hack the system. Also, if they still hack it, they leave identifiers (e.g., register entries at the bank, etc.) behind, resulting in them being caught. It does not matter if the vault is heavily protected and has the best security in place.

Advertisers need to do the same. Everyone needs essential protection against fraud. Even if your end goal is KPI-linked, that cannot be the protection. Fraudsters will find a way around your goals and KPIs. You need access control and a gating process to control fraudulent transactions, even if they result in user acquisition or sales for you!! Is the security guard going to eliminate fraud? No. But will he make it more complicated for a fraudster? Yes! The solution is to raise the cost of doing fraud by a fraudster, where it does not become economically viable. And that’s what is essential.

And remember, like in the case of the vault, even if we assume that the event tracking protection by attribution platforms is excellent and world-class, you still need a security guard to ring-fence it.

mFilterIt is an AdFraud detection tool specially created for mobile app marketing. This tool is designed specially to handle 360 degrees of frauds for mobile app marketing: click, device, and the user providing a complete solution to app developers to safeguard themselves. It provides the basic level of fraud protection that every advertiser requires.

PS: Interested in a deeper study?? Saw an interesting whitepaper on similar lines:

“What You See Isn’t Always What You Get: A Measurement Study of Usage Fraud on Android Apps” by Wei Liu and others, presented at SPSM’16 – 6th Workshop on Security and Privacy in Smartphones and Mobile Devices. A must-read, though it is focused on user engagement rather than advertising.