There are 2 main forms of mobile fraud - display ad fraud and install fraud. This deck focuses on the far more lucrative and larger form - mobile display fraud.

1. Mobile Display Fraud
is Rampant Beyond Belief
June 2018
Augustine Fou, PhD.
acfou [at] mktsci.com
212. 203 .7239

2. June 2018 / Page 1marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Mobile is 57% of digital spend
Source: IAB Full-year 2017 Digital Advertising Report

3. June 2018 / Page 2marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
"Fraud in mobile advertising is more tricky than just fake
impressions, clicks, or installs. App advertisers can check
when a user actually takes an action with their app after
install to check legitimacy. The issue becomes which ad-
network supplier gets credit for delivering that install. So
attribution fraud is the major concern: where advertisers
pay ad-networks, based on attribution vendor reporting, for
installs that happened organically or by different marketing
methods." -- Shailin Dhar, Method Media Intelligence

4. June 2018 / Page 3marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Main forms of mobile fraud
Install FraudImpression Fraud
“fake devices installing legit
apps, get paid on CPI”
“fake or fraud apps load
display ads, get paid CPM”
Mobile display spend $25B (2017)
Source: eMarketer, April 2017
App install spend $6B (2017E)
Source: BusinessInsider, June 2016

5. This deck focuses on
mobile display fraud

6. June 2018 / Page 5marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Which is easiest for bad guys?
Fake Apps on
Fake Devices
Adware SDK in
Real Apps
Malware On
Real Devices
Limitation
Wait until unsuspecting
humans accidentally
downloads malware on
real mobile devices
Limitation
Wait until app developers
install SDK into their real
apps and humans to
download and use apps.
Limitation
No limits - apps are easily
cloned, and mobile
emulators are easily
“spun up” in data centers

7. June 2018 / Page 6marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Half of humans download 0 apps/mo

8. June 2018 / Page 7marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Apps’ primary revenue is ads
In-App
Advertising
App Store
Source: SensorTower

9. June 2018 / Page 8marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
75% mobile revenue from games
Source: SensorTower

10. June 2018 / Page 9marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Top mobile apps by ad revenue
Top mobile apps
by ad revenue
Are entirely
different than
ones humans
spend the most
time with

11. June 2018 / Page 10marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Massive, scalable display fraud
“Judy Malware”
• 40 bad apps to load ads
• 36 million fake devices to load
bad apps that load display ads
• e.g. 30 ads per device /minute
• 30 ads per minute = 1 billion
fraud impressions per minute
“Fireball Malware”
• 250 million infected computers
• primary use = traffic for ad fraud
• 4 ads /pageview (2s load time)
• fraudulent impressions at the
rate of 30 billion per minute
Source: Forbes, May 2017 Source: Checkpoint

12. June 2018 / Page 11marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
(2015) Apps doing ad fraud
Source: BusinessInsider, July 2015
“A user downloads an app
from the official app store
— which may look
legitimate and have
hundreds of positive reviews
— which then runs in the
background, serving
hundreds of ads at a rate as
high as 20 ads per minute”
Known and documented
for years – now mobile is
majority of digital spend

13. June 2018 / Page 12marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
(2017) Handful of bad apps
1 (52% of impressions) 2 (48% of impr)
66% avg fraud
18% avg fraud
1. 9% of the apps caused 52% of impressions; 66% outright fraud
2. Remaining 91% of apps caused 48% of impressions, 18% outright fraud
• 1 billion mobile display impressions
• Nearly 1,000 apps cross referenced with SDK
Source: https://www.slideshare.net/augustinefou/mobile-display-fraud-case-study

14. June 2018 / Page 13marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fraud apps load impressions
Source: ImpScore.io - https://www.youtube.com/watch?v=w-i-ue8fPCc
“fake apps or fraud apps (real apps that misbehave) continuously
load display ad impressions in the background, inflate revenue”

15. June 2018 / Page 14marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
App cloning, free adware SDKs
Apps are cloned
thousands of times;
some didn’t even
bother to change
the colors or cover
graphics.
Bad guys accidentally
cloned apps that
already had detection
SDK in it – from 312, to
750, to 1,330 copies.
Source: CNBC, Aug 2017

16. June 2018 / Page 15marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake apps from real campaigns
com.obpmirzste.ldsjpv
com.zmm.shmxvjxnsagndui
com.nqzwr.leusrmpmsq
com.rced.zcdsglptpdlwpu
com.kerms.ehlsgnc
com.cmia.iabhheltm
com.skggynmtx.tyyjnwpefvqtll
com.kgdtltnuv.hayvfhob
com.ztzsiqg.dyojlxdscxws
com.xlwuqe.ddrdhsuosbn
com.rkrhmzee.wjcoznxu
com.ebhzb.hbzvomzpcctovj
com.dxnxbgj.mkridqxviiqaogw
com.obugniljhe.fptvznqwhmcjm
com.bpo.ksuhpsdkgvbtlsw
com.rlcznwgouw.vvtexstbfttngc
com.kasbgf.sbzwtgpcbjexi
com.bprlgbl.vbze
com.zka.lzhsoueilo
com.alxsavx.mizzucnlb
com.jxknvk.lrwfdfirdzpsw
com.tvwvqbt.wbshaguqy
com.iwnxtpahcu.leyuehdwdbb
com.okf.rhvemtykfibzpxj

17. June 2018 / Page 16marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
“Naked Ad Calls” (load ad, not page)
Why load the entire webpage when you can just
load the ad (save bandwidth) and get paid?
Pass fake data
via query strings

18. June 2018 / Page 17marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Apps load webpages
“fraud apps sell traffic; use hidden webview browser to load pages”

19. June 2018 / Page 18marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake app traffic – real dataRepeatedly load webpages (e.g. galleries) in sequence or random

20. June 2018 / Page 19marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Apps load webpages, disguise
“fraud sites’ traffic from apps that also pass fake HTTP headers”
Source: SimilarWeb

21. June 2018 / Page 20marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake devices (mobile simulators)
Download and Install Apps
Launch and Interact

22. June 2018 / Page 21marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake mobile devices – real data
Repeated hits by same device/browser, same ip address

23. June 2018 / Page 22marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Fake devices pass fake location
Houston, TX Bozeman, MT
Fake devices declare fake locations to absorb higher ad spend

24. June 2018 / Page 23marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
90-99% of geolocation bad or faked
Source: Placed, Sept 2017
Source: SafeGraph

25. June 2018 / Page 24marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Bad guys trick measurement
SDK Spoofing— code in an app that sends simulated ad
clicks and engagement signals to the attribution provider
… [to] fool an advertiser into paying for fraudulent
impressions/views.
Attribution Fraud— code that executes clicks (click
spamming, click injection) so fraudster can claim credit
for downstream conversions.
Detection Tag Blocking— fake or fraudulent apps can
selectively block fraud detection tags or manipulate
analytics data.

26. June 2018 / Page 25marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Mobile fraud is not caught
Source:
https://mumbrella.com.au/iabs-
first-australian-figures-claim-just-4-
of-digital-ads-fraudulent-429776
IAB: mobile fraud is
“almost non-existent”
“it’s NOT
non-existent”

27. June 2018 / Page 26marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Any device with chip/connectivity
Traffic cameras
turned into
botnet (Engadget,
Oct 2015)
mobile devices
webcams
connected
traffic lights
connected cars
thermostat
connected fridge
Security cams
used as 400
Gbps DDoS
botnet (Engadget,
Jun 2016)
…can be used as a bot

28. June 2018 / Page 27marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Economics of botnets explained
Source: MIT Tech Review, May 2018
“distributed denial-of-service
attacks using a network of 30,000
bots can generate around
$26,000 a month. Spam
advertising with 10,000 bots
generates around $300,000 a
month, and bank fraud with
30,000 bots can generate over
$18 million per month. But the
most profitable undertaking is
click fraud, which generates well
over $20 million a month of
profit.”
Botnets can be used
for a variety of things

29. June 2018 / Page 28marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
About the Author
Augustine Fou, PhD.
acfou [@] mktsci.com
212. 203 .7239

30. June 2018 / Page 29marketing.scienceconsulting group, inc.
linkedin.com/in/augustinefou
Dr. Augustine Fou – Independent Ad Fraud Researcher
2013
2014
Published slide decks and posts:
http://www.slideshare.net/augustinefou/presentations
https://www.linkedin.com/today/author/augustinefou
2016
2015
2017