When is an install not really an install? When a fraudster tricks an attribution partner into tracking an install that has not taken place on a real device, attributing it to a paid source.
Fraudsters use device emulation software in virtualized environments (on server hardware) to fake installs in an effort to claim advertising revenue to great effect. Fake installs defraud everyone along the advertising chain - taking money away from advertisers, publishers and networks. On a traffic flow sample of over 400M installs over 17 days, we estimated that $1.7M1 worth of installs were being paid to fraudsters faking installs.
How Fraudsters Take Advantage of Data Centers
Fraudsters use commonly available device emulations software to affect data centers, programming scripts that make the emulator create a new random device with a fresh Device ID.
On that device, they then create a user and have that user engage with adverts. The emulated device will download the target app from an app store (or from local storage to cut down on traffic cost), triggering an install. Finally, the emulated device opens the installed app (to trigger an install event, which is then transmitted to the attribution provider).
Sophisticated fraudsters might even go as far as storing the session for later use, in order to create third or seventh day retention by opening another session at the desired time.
How Fake Installs Impact App Businesses
The principal effect of fake installs on an advertiser is that it introduces fake or misleading data into the marketing funnel. This issue goes beyond the lost spend which affects everyone.
This can cause the advertiser significant problems. Fake installs will, for example, register as users who have immediately gone inactive after they’ve completed the install (or reached the post-install quality goal). If these installs are attributed but not identified as fake installs, then such behavior can begin to damage metrics, such as retention rates. This can then begin to drag down other metrics, such as lifetime value, and cause a rippling effect that damages numbers across the entire funnel. The extraneous installs can also inflate the click-to-install conversion rates, potentially making certain channels appear to deliver more value than they truly do.
This can either lead the advertiser to conclude that channels that include some degree of fraudulent conversions have more positive ROI than other channels where all the users are legitimate. However, marketers could recognize that something strange is happening and instead discard the channel altogether, potentially losing out on the value of the legitimate users from that source.
Solving the Problem
When it comes to a solution, we can rely on one key insight: fraudsters will run these emulators in a data center, and typically they’ll either route the traffic through Tor or a VPN to “place” the conversion in high-value markets.
In most instances, when a user downloads a mobile advert their smartphone’s IP should be drawn from a pool of IPs associated with a carrier (if they’re on mobile data) or with an IP associated with an internet provider (of wifi). So, when a user’s IP is associated with a data center or an identity-masking server, such as a proxy, VPN or Tor, it is likely that there is an attempt to deliberately defraud the campaign.
IPs belonging to this type of locations, known as “anonymous IPs”, can be filtered from attribution to paid sources, preventing them from polluting data sources. This will prevent the majority of fraud associated with simulators before it begins and reduces the impact of one datacenter manipulation tactic significantly.
If you’d like to know more about the sources of mobile ad fraud, click here to be taken to Adjust's ebook download page, and get the full guide for an entire overview of the mobile fraud ecosystem.
1 Adjust's Internal Data