Let’s start this topic with a question from a different universe!
Imagine you own a bank and have a vault where lots of money is stored. It has the world’s best security systems safeguarding it. All the tools we see in the latest spy movies are implemented: cameras, thermal vision, laser beams, explosion protection, retina scanners and fingerprint scanners. All state of the art and best of breed.
Now your security advisor comes to you and asks whether we should guard the building where the vault is located with basic security guards and an entry register, a basic access control. Should we spend money on security guards when we have such excellent protection on the vault itself? Or should we allow anyone and everyone to walk up to the vault and try their best to steal from it (in the hope that they will not crack the top-class vault security)?
What will be your answer??
Performance-KPI-based campaigns do not offer fraud protection…
Many advertisers moved to KPI- and goal-based campaigns to better align their spend with their revenue, e.g. CPR (Pay per Registration): 30% of installs should lead to registrations, or 20% of installs should lead to wallet top-ups.
The aim: aligning advertising costs with business objectives. If an affiliate is delivering users who carry out transactions, then it is worth the expense.
But, very quickly, for many advertisers it has also become their line of defence against fraud. Hey, it’s simple: if I pay a publisher only when it acquires a user who generates business for me, why should I bother about fraud? Let there be fraud. As long as I pay only for actual business transactions, I don’t need to think about fraud. That is an incorrect approach to fraud, and it is the topic of this research.
Most advertisers depend on attribution platforms to measure and track publishers’ performance and use it to enable publishers that are working and disable those that are not. Attribution platforms keep track of ‘events’ which the app raises at certain points of the user journey; these are projected against the publisher to identify how well each publisher aligns with the end business objectives, e.g. what is the ROI for publisher x vs publisher y. But the question is: how is the ROI being calculated? Is it sacrosanct? Can it be manipulated? Our research shows it can!
Attribution platform events can be faked and triggered without any actual activity happening in the app. Fundamental to this is that Android is an open OS, and getting root access to change and modify anything is not very complicated. This includes events. The faked events will show up on the attribution platform against the publisher, and the advertiser will get an image of excellent traffic with all KPIs being met. But when the actual so-called ‘sales’ or ‘registrations’ are checked in the back-end systems of the app, there will be nothing present! This gets further complicated by silos between marketing teams and product teams, where access to data across teams is restricted.
So, if your only protection against ad fraud is the KPIs tracked on the attribution platform, you may be in trouble.
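The gap described above, between events the attribution platform reports and records the app's own backend actually holds, is something the advertiser can check for directly. The following is an added illustration written for this post; it is not code from the post's authors, from mFilterIt, or from any attribution platform. The event layout, field names, thresholds and all sample rows are constructed assumptions. It reconciles attributed registrations against backend registrations per publisher and also flags the implausibly perfect install-to-registration rate that faked events produce.

```python
"""Reconcile attribution-platform events against the app's own backend records.

Added illustration, not the post's or any vendor's code. Event layout, field
names, thresholds and sample rows are all constructed assumptions.
"""
from collections import defaultdict

# Constructed sample: events as an attribution platform might report them,
# one tuple per (publisher, device_id, event_name).
ATTRIBUTION_EVENTS = [
    ("pub_A", "dev-a1", "install"), ("pub_A", "dev-a1", "registration"),
    ("pub_A", "dev-a2", "install"), ("pub_A", "dev-a2", "registration"),
    ("pub_A", "dev-a3", "install"), ("pub_A", "dev-a3", "registration"),
    ("pub_B", "dev-b1", "install"), ("pub_B", "dev-b1", "registration"),
    ("pub_B", "dev-b2", "install"),
    ("pub_B", "dev-b3", "install"), ("pub_B", "dev-b3", "registration"),
    ("pub_B", "dev-b4", "install"),
]

# Constructed sample: registrations the product backend actually stored,
# keyed by the same device identifier the attribution events carry.
BACKEND_REGISTRATIONS = {"dev-b1", "dev-b3"}


def publisher_stats(events, backend_regs):
    """Per publisher: installs, attributed registrations and how many of those
    the backend can confirm."""
    installs = defaultdict(set)
    regs = defaultdict(set)
    for pub, dev, name in events:
        if name == "install":
            installs[pub].add(dev)
        elif name == "registration":
            regs[pub].add(dev)
    stats = {}
    for pub in set(installs) | set(regs):
        attributed = regs[pub]
        confirmed = attributed & backend_regs
        stats[pub] = {
            "installs": len(installs[pub]),
            "attributed_regs": len(attributed),
            "confirmed_regs": len(confirmed),
            # KPI as the attribution platform would present it
            "conversion_rate": len(attributed) / len(installs[pub]) if installs[pub] else 0.0,
            # share of attributed registrations the backend actually has
            "confirmation_rate": len(confirmed) / len(attributed) if attributed else 1.0,
        }
    return stats


def flag_publishers(stats, min_confirmation=0.8, max_conversion=0.9):
    """Return {publisher: [reasons]} for publishers whose KPIs look manipulated.
    Thresholds are assumptions; tune them against the app's real baseline."""
    flagged = {}
    for pub, s in stats.items():
        reasons = []
        if s["attributed_regs"] and s["confirmation_rate"] < min_confirmation:
            reasons.append("attributed registrations missing from backend")
        if s["installs"] >= 3 and s["conversion_rate"] > max_conversion:
            reasons.append("implausibly high install-to-registration rate")
        if reasons:
            flagged[pub] = reasons
    return flagged


if __name__ == "__main__":
    stats = publisher_stats(ATTRIBUTION_EVENTS, BACKEND_REGISTRATIONS)
    for pub, s in sorted(stats.items()):
        print(pub, s)
    print("flagged:", flag_publishers(stats))
```

In the constructed data, pub_A shows the exact picture the post describes: every install "converts" on the attribution platform, yet none of the registrations exists in the backend, so it is flagged on both counts; pub_B converts half its installs and every one is confirmed. The check only works if marketing and product data can be joined on a common identifier, which is exactly the silo problem the post points to.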
Here is a step-by-step account of what we did:
- Take an app which is pushing CPR/CPS/KPI-linked campaigns.
- Decompile the app using standard Android decompilers. Find the event structure implemented (while tools like ProGuard make the code obfuscated and hard to read, most of it can be understood, simply because attribution platform events are standard and their documentation is easily available).
- Install the app on a phone. Route the network through a proxy analyser (like Burp Suite). Install a custom root certificate on the phone, which allows a simple man-in-the-middle attack; this lets you read HTTPS communication as well. Open the app and carry out the transaction. You will see the events being fired from the app in the proxy analyser.
- You can now read the events being fired. Reverse engineering the event allows you to construct its structure easily. Some attribution platforms implement basic SHA1 encoding on certain timestamp and other data fields, which can be undone once you know the code from step 2. Remember that you need to do this only once per attribution platform, since the structure of the events will mostly remain the same.
- Now you have an engagement engine in your hands! Link it to a simulated install engine, so you can carry out a sequence of simulated installs as well as events.
- Install the app on a simulated phone (e.g. BlueStacks), fake the event. Remove the app. Modify the device IDs. Repeat. And repeat.
- Your engagement KPIs will be 100%. The advertiser will be delighted!
The problem is in the approach!
The basic approach to advertising in this scenario is wrong. You cannot allow fraudsters to reach your systems and try to manipulate them. You cannot expect the end-goal KPIs to protect you against fraud (to clarify, using KPIs to track publishers is still a great idea, but thinking that they also protect you from fraud is incorrect). There has to be a multi-layered fraud protection system in place; otherwise you are at the mercy of fraudsters continuously trying to hack your systems and maybe finding a loophole.
With due respect to attribution platforms, any and every system in the world is susceptible, and there is no system which is foolproof. When a fraudster understands that the only thing stopping him from earning money is some events being tracked on a platform, he will find a way to hack it.
Advice: invest in the security guard!
Obviously, the bank (in our opening story) decided to have security guards at the building, so that only vetted people can enter the bank and reach the vault. This substantially reduces fraudsters’ access and their opportunity to try their tricks on the system. And if they still hack it, they leave identifiers (e.g. register entries at the bank) behind which will result in them being caught. It does not matter that the vault itself is heavily protected and has the best security in place.
Advertisers need to do the same. Everyone needs basic protection against fraud. Even if your end goal is KPI-linked, that cannot be the protection. Fraudsters will find a way around your goals and KPIs. You need access control and a gating process to control fraudulent transactions, even if they result in user acquisition or sales for you! Is the security guard going to eliminate fraud? No. But will he make it more complicated for a fraudster? Yes! The solution is to raise the cost of committing fraud to the point where it is no longer economically viable. And that is what is important.
And remember, as in the case of the vault, even if we assume that the event-tracking protection by attribution platforms is excellent and world-class, you still need a security guard to ring-fence it.
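What an "entry register" at the door looks like in practice, as an added example that is not part of the original post and not mFilterIt's or any vendor's code: every install is logged with its publisher, device identifier and source address, and the install-remove-change-device-ID-repeat pattern described earlier shows up as many distinct device IDs arriving from one address within a short window. The record format, the window and device-count thresholds, and all sample rows are constructed assumptions; the point is that installs from a flagged group are held for review before any payout, whatever KPIs they later produce.

```python
"""Install-gating check: an 'entry register' that flags device-ID churn.

Added illustration, not code from the post or from mFilterIt. The record
format, thresholds and sample rows are constructed assumptions.
"""
from collections import defaultdict

# Constructed sample install records: (publisher, device_id, source_ip, ts_seconds).
# pub_A shows four fresh device IDs from one address within two minutes;
# pub_B shows ordinary traffic, including one genuine reinstall of dev-b1.
INSTALLS = [
    ("pub_A", "dev-a1", "203.0.113.5", 1000),
    ("pub_A", "dev-a2", "203.0.113.5", 1030),
    ("pub_A", "dev-a3", "203.0.113.5", 1065),
    ("pub_A", "dev-a4", "203.0.113.5", 1100),
    ("pub_B", "dev-b1", "198.51.100.9", 1000),
    ("pub_B", "dev-b2", "198.51.100.20", 1500),
    ("pub_B", "dev-b1", "198.51.100.9", 2200),  # same device again: reinstall, not churn
]


def churn_groups(installs, window=300, max_devices=3):
    """Group installs by (publisher, source_ip) and flag any group in which more
    than max_devices distinct device IDs appear inside a sliding window of
    `window` seconds. Returns {(publisher, ip): distinct_device_count}."""
    by_key = defaultdict(list)
    for pub, dev, ip, ts in installs:
        by_key[(pub, ip)].append((ts, dev))
    flagged = {}
    for key, rows in by_key.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            # distinct devices seen from this install until `window` seconds later
            devices = {dev for ts, dev in rows[i:] if ts - start <= window}
            if len(devices) > max_devices:
                flagged[key] = len(devices)
                break
    return flagged


def held_for_review(installs, **thresholds):
    """Publishers whose installs should be held back from payout pending review."""
    return {pub for (pub, _ip) in churn_groups(installs, **thresholds)}


if __name__ == "__main__":
    print("churn groups:", churn_groups(INSTALLS))
    print("held for review:", held_for_review(INSTALLS))
```

Like the guard's register, this does not stop a determined fraudster; it forces them to spread installs over more addresses and more time, which is the cost increase the post argues for, and it leaves a record that can be reconciled later against the attribution platform's own view of the same installs.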
mFilterIt is an ad-fraud detection tool created specifically for mobile app marketing. The tool is designed to handle the full 360 degrees of fraud in mobile app marketing, click, device and user, providing a complete solution for app developers to safeguard themselves. It provides the basic level of fraud protection which every advertiser requires.
PS: Interested in a deeper study? I saw an interesting whitepaper on similar lines: “What You See Isn’t Always What You Get: A Measurement Study of Usage Fraud on Android Apps” by Wei Liu and others, presented at SPSM’16, the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices. A must-read, though it is focused on user engagement rather than advertising.