From SDK spoofing to click injection, ad fraud plagues nearly every app marketer—and according to data from third party fraud prevention platform, Interceptd, that’s especially true on Android devices where fraud exposure is 27.3% versus iOS’ 22.1%. Our host Peggy Anne Salz catches up with Faheem Saiyad, Business Development Manager, Interceptd, to talk about what it’s like to be one of the only pure-play fraud prevention vendors on the market, and what the company’s latest report tells us about the state of ad fraud and how app developers can prevent it. They also chat about which app categories see relatively clean traffic, and which need to be especially wary of fraudsters.
And one aspect of the mobile business that you’re in, if you’re an app developer, an app company, mobile marketer or just a company with an app is looking at mobile ad fraud. It is massive today and rapidly growing – Appsflyer, for example, estimates that in the first half of 2019 alone, mobile ad fraud cost marketers over $2.3 billion, that’s nearly 1 in 4 paid installs were fraudulent. I’m looking at other data, you know, anywhere between $6.5 billion to $19 billion – that’s quite a range. As usual the truth is probably somewhere in the middle but we are going to talk about, you know, not just the problem of ad fraud, it’s great to be aware and to be frightened, but it’s better to be proactive and resolved to do something about it and that’s what we’re going to be talking about, you know, what is going on out there, what can you do.
And my guest today is Faheem Saiyad, he is Business Development Manager at Interceptd. First of all, Faheem, thanks for joining me on Mobile Presence today.
A pleasure to be here Peggy, a pleasure to be here. How are you today?
I’m doing well, I’m looking at these – I mean, I’m not an app developer so I’m not going to be concerned but I mean I am looking at your latest mobile ad fraud report, we’re going to be talking about that, Q1 report. But first of all, Interceptd, because it’s a little bit different – we’ve had companies on the show in the past talking about ad fraud but they were attribution companies, seeing like tons of data and saying, Okay, this is fraudulent, this isn’t. Interceptd, different type of company – just let me understand a little bit about where you fit in.
Exactly. So, Interceptd is a third party fraud prevention platform. What I mean by third party is we don’t deal with the attribution business. If you go out in the market, you will see there’s quite a debate on why an MMP or an attribution provider should not deal with fraud. The reason being their core business is attributing installs, so when they start to detect fraud, they kind of have the incentive to not prevent as much fraud as they can because the more fraud they prevent, the less attribution they can do on the attribution side. So, it’s kind of this is why marketeers these days, they are not very well comfortable with the protection tools offered by the attribution tool because there are a lot of false positive ad incentives and this is where the third party attribution companies, independent audit companies, we call ourselves, come into play.
And I watch the industry, I was just at, you know, an event in Berlin, fantastic – Mobile Growth Summit event where your CEO, I believe, your CEO and founder spoke among others. How long have you been in the industry because I think you’ve been there, but I maybe just missed you a little under the radar but of course this is a perfect time for Interceptd, I think, right?
Yes, exactly. So Interceptd as a product, it went live in the quarter 4 of 2018...
But 2019 we were picking up customers and onboarding new clients. In terms of development, Interceptd has been under development for the past two and a half years, since our – the person speaking at the conference was our CTO...
...and he brings with him experience from the mobile tech industry and he is one of the key brains behind Interceptd.
Yes, I have that feeling - he definitely knew his stuff and you’re going to share some of that here as well. Just want to get a full understanding because again, you know, our audience is practitioners, they’re app marketers, many app companies, developers. Now, I know how you sort of do this when it’s on the attribution platform and I do fully understand, the question is how much do you really want to attribute to fraud when that might be eating away at your business – so you have to have a sort of medium there. Is this the thing where again I’ve got an SDK and I’m measuring this in my app or how am I actually interacting with Interceptd, just to be very, very clear about that?
Exactly. So Interceptd, since it’s a real-time fraud prevention tool, it sits in the redirection path meaning all the traffic, all the clicks coming from the third party ad networks affiliates and agencies, between them and the attribution tool before there was nothing, just a plain path, a plain redirection path. Interceptd sits in between the path to make sure that all the clicks are passing through Interceptd and once all those clicks have been assured by Interceptd’s 15 fraud algorithm alarms, only then they make it to the attribution tool. So the business model here is to get in the direction path before an install is attributed so that the marketeers can save their money in real-time.
Let’s say if a click has come from a fake host or a VPN or a bot, Interceptd will block this click meaning this click never makes it to the attribution tool to get attributed so the marketeer also saves money on the attribution side since they don’t have to pay for the attribution of a fraud install. So that’s an added value that Interceptd forwards to the marketers.
Okay, so I get it, so that whole argument we have, and we’ve got tons of articles and research about how do you get your money back, what’s the argument, how do you even write the email that says, “Hey, I’m not paying for this” – that’s not an issue here at all because I haven’t paid for it at all, correct?
Exactly. So since it’s in real-time, you don’t have to worry about paying for the post but of course there are some fraud types which are post-install fraud types which can only be detected after an attribution, so those fraud types as well, Interceptd has detailed reports and graphs which makes it easy for a marketeer to claim back the amount from a publisher but in the real-time feature, they don’t need to worry about losing money there.
Okay, and you touched upon the word “report” which is exactly me, a little bit of a data geek here. I’m excited when I see new numbers. And you’ve got a report, we’ll talk about it right now, just at a high level – it’s interesting about – I think everybody knows that but you’ve actually stated it, you know – ad fraud levels in Android apps, that is quite off the charts. Do you want to tell me if this was a surprising finding or precisely what we were expecting?
It was not very surprising to be honest, everybody knows Android is more of an open source software, it’s more user-friendly, it’s more developer-friendly so Android always had the tendency to be exploited more. On the one hand, it does help developers to explore more opportunities and explore more options but at the same time it makes it easier for the fraudsters to kind of mess around with the apps, mess around with the user data while in terms of the iOS, it’s much better protected, not completely but still better protected compared to the Android apps.
I mean, we did know that but I have to say the numbers, you know, quite exciting here. Certain levels of fraud, looking at this and listeners I’ll have this also in the show notes but you know fraud levels by app category – I’m just looking at Android, we’ll talk about iOS later, but you know clean traffic seems to be the rule in sort of news, productivity, lifestyle and then it’s to get a little iffy in shopping, games and finance. How did you determine this?
So, to carry out the study, to carry out the study, Interceptd analysed over 12,000 different apps both on the App Store and the Play Store. The dates we took into consideration was the first quarter starting from 1st January all the way until 31st March 2019 and all 41 million installs were analysed and detected and all those fraud footprints were kind of analysed to make sure that what is the most – what is the most dangerous type of fraud which is harming the marketeers and during this, we found out that Android is actually much more susceptible to the fraud compared to iOS.
There is a fraud type called click injection which is specifically only for Android – the click injection fraud cannot be done, cannot be manipulated on an iOS device, the reason being every time a new app is downloaded on an Android device, say I have an Android device and I'm downloading a new app from the store, all the present apps in my phone get a broadcast signal that a new app is coming into the phone. So, all those apps, if one of those apps is a fraudulent app, could be a calculator app, could be a flashlight app, could be a dummy app – if it is a fraudster, they pick up these signals, they pick up these broadcast messages sent out by my device and that’s what they need – they send their clicks, click injection works by the pattern that once the app receives a command that a new app is coming in, they randomly send clicks from my device without my knowledge with the hopes that the install is attributed to them.
So although I might have downloaded that app organically by seeing it, say, on Facebook or on a street or just word of mouth, but since that fraudster was successful in matching the click time, that install gets attributed to him and in turn the advertiser pays to that publishers for an install that could have been free for them.
You’ve got a number of fraud types in your report but let’s just stay with click injection for just a moment. I mean, that sounds like one that first of all doesn’t need too much technology to perform, in other words, fraudsters don’t have to have – I mean, sounds like they can almost do it like from a Macbook – not a Macbook, a laptop on the street, it doesn’t sound like it needs a lot because the apps are already there getting the signal – do I get the feeling that this is the most prevalent or the most, yeah, the most perhaps dominant or dangerous of the fraud types?
This is not the most dangerous but the most simplest form of fraud.
I was going to say the simplest.
Exactly. As you mentioned, not everybody can commit, for example, SDK spoofing – we’ll talk about it but not everybody can commit SDK spoofing but if it’s a click spam or a click injection, since it’s much more easier to do because all the fraudster needed to do was somehow get his app installed on your phone while that app might be serving useful purposes like a calculator, but in the background the real intention was to steal your data and generate clicks in your name in your device early to get install – attributions to the installs which do not belong to you.
And that’s exactly what happens there and as you pointed out, it’s the simplest, maybe not the most dangerous but certainly because it’s simple, sometimes the simplest things are hardest to detect or hardest to stop because it becomes part of the fabric of how apps are downloaded and interacted with on an Android device. So, we’re back to those strange suspicious flashlights apps that we started out with. I’ve been seeing so much reporting about certain apps, utility apps, these apps – they get pulled, I think it was an Oracle report – so I mean it is the one to watch. We do have to go to a break but listeners, as you can see, this is going to be a very interesting and informative, not very frightening but definitely very positive discussion about fraud types, what they are, what you need to know, what you need to watch – all of this from Interceptd so don’t go away, we’ll be right back.
And we are back to Mobile Presence. I’m your host, Peggy Anne Salz and we have Faheem Saiyad, Business Development Manager at Interceptd. And Faheem, we’re having a – I’d say a good time here riffing off of your report. I like the analysis of it, it’s very clean, it’s very straightforward and you’ve also got a straightforward way of explaining these very complex types of ad fraud, so I will let you continue where we left off. We talked about click injection, really simple but nonetheless one that is siphoning off cash and at least data and data is money. What’s another one that you’re seeing? I mean, I’m seeing click spamming here, a little bit more than click injection, click injection 10% of fraud type, click spamming 13%, SDK spoofing really hard one as well and very difficult. What about click spamming, we’ll start with that.
Right, so click spamming is kind of like a related cousin to click injection, they both kind of fall in the – not the deadliest but the most easiest to perform. They both perform similar tasks, click spamming also is aimed at stealing the organic attribution same as click injection, the sole purpose here was to steal the organic install, nothing else.
So how click spamming is done is if a network is capable of click spamming, they simulate fake clicks from real devices. So, imagine your phone is running with an app in the background, say the calculator app is running in the background. So, without your knowledge, at random intervals, random clicks will be sent – whether there’s an install taking place or not, say 30-40,000 clicks are randomised from your phone with the hope that at least one of them somehow matches a click which is the real click and an app is downloaded, so that download is attributed to the publisher.
It kind of works in the same function as click injection except click spamming is more random, it’s just like a hit and miss – you send out 40,000 clicks, 50,000 clicks with the hopes that at least one of them somehow by chance should get attributed.
And what’s the damage actually then? I’m a mobile marketer, I’m just playing this as a layman because a lot of people – that’s what I liked about actually Interceptd’s presentation at the event where I was – it was just like this is 101 and the reason it’s 101 is because a lot of people are just getting their head around it, you know, they’ve come into mobile app marketing from other types of digital marketing or they’re looking at fraud because I’m looking at reports that say, you know, many UA people, they’re just so focused on performance that they’re saying, “Okay, I can buy into a certain amount of fraud, I just have to live with it.” Now they’re understanding it is actually stealing money and costing them much more because they’ve dirty data at the end of the day as well. So, what precisely is the danger to an app marketer, when they say, “Oh well, I can live with it.” Can they live with it?
To be honest, no, I mean – if you know that there’s a problem with the channel, if you know that you are paying for an organic user, that doesn’t actually make sense. If you say you are an experienced marketer, but you are like, “I am okay with paying for an organic install” it doesn’t make sense, you know? And this is where there is a misconception in the industry going on that, “Hey, I just ran a cost per action campaign, I don't pay for installs, I just pay for actions so I’m not concerned about the frauds happening at install level”. But this is where there’s the misconception because if that install which was coming organically to you, if it has been attributed to a certain publisher, any event generated would also be attributed to that publisher meaning even if you’re running a CPA campaign, you are not immune to fraud, right? You might be like, “Hey, that publisher is getting me 10 purchase events per day”, increase his bid, you know, let’s spend more on him.
So basically you are taking a fraudster, paying him more money and return what he’s doing you, he’s just silver wrapping your organic users to you and making you pay for it. So that’s the damage there. I mean, the installs which are supposed to be free for you, you are being manipulated into paying for them. And that takes a big hit on the budget if you see it on a monthly note.
I love the way you’re just getting to the point here because I haven’t heard it explained that simply yet. Let’s see how you do on SDK spoofing, that’s one that even I myself in the industry, I’m still trying to figure out, okay, what is it and how is it done?
Let’s see if you can make – it’s almost like a test now, a quiz – can we make this understandable for the layman? Let’s try.
Right, so let me try my best. So, SDK spoofing as Peggy mentioned, it has been one of the most common frauds in the industry. If you just look back at the quarter 4 of 2018, the SDK spoofing cases were at 14%. That’s the quarter 4. Moving on to quarter 1, just in a matter of three months, the figure raised from 14% to 17% so this actually shows that the fraudsters are kind of getting the hang of it. If I do SDK spoofing, if I get the hang of it, the amount of money I can liquidate is much higher. So this is what is done in SDK spoofing.
So what exactly is SDK spoofing? So, although it’s not like an attribution fraud, it is manipulation of the attribution tool meaning that all the installs which you see on your dashboard or on the MMP or on your CRM is something that the attribution tool, the MMP shows to you – that hey, you have an install, hey, you have a click, hey, you have a purchase. So you solely rely on the data shown by the attribution company.
But what happens if the SDK of that attribution company has been hacked? What happens if that SDK is being manipulated into thinking that an install is taking place, an event is taking place but in reality if you check your CRM tool, if you check your audit monthly reports, you will see that, hey, that purchase never came. Hey, the financials are not matching, the attribution company said that I should have, say, 100 purchases amounting to X, Y, Z, but on the CRM tool you see like 30 purchases. So this difference, this 60 were basically spoofed events.
What it means is that the attribution mechanism was hacked into thinking by the fraudster every time they sent out a click, every time they sent out a command, the attribution tool was counting it as an install, as an event and somehow making you pay for it because you have to pay to the attribution company as well, you have to pay for the source as well. You’d be like, “Hey, this source got me so many good purchases, let’s pay him more”. So you pay to the fraudster or whatever, you pay to the attribution company and at end of the month when you check your reports, you are in a total loss because of all the payments you made and really you didn’t generate anything.
So that’s kind of SDK spoofing – manipulating the attribution tool into showing data that never exists. Was that explainable to the audience?
That was, I think we get it, I think what also is interesting is in that 4% in one quarter, is that something that you find normal given what we’re seeing out there or is that a source of alarm? Is this the one that marketers need to watch because we’ve got several different types of fraud, we didn’t go through all of them, I don’t think we’ll even have time – there’s bot fraud, there’s incentivised, incentabuse as you’re calling it, then there’s the device fraud as we’ve seen where people are just like sitting offshore, clicking away. Is this the one?
SDK spoofing definitely is one of the most spurious fraud types because there is no certain proven way to detect SDK spoofing. While there are parties that claim to try and do tricks, Interceptd as well has its own algorithms to detect SDK spoofing and has been successful at it but there is no certain way – you can mix and match certain data points and we have certain tips which we give to marketers to see if they are being SDK spoofed or not because without paying key attention, key detail, it’s not normal for a new marketer, for example, to just detect SDK spoofing – they could just go away with that, “Hey, it could be a number discrepancy, it could be an SDK integration discrepancy, you know – it’s not a big deal” but as you start to deep dive into reports, you start seeing that none of it exists, it’s like a mirage, you know?
You see there’s something there, you see there’s something there but when you go to that place, it’s just a mirage. So that is one of the reasons SDK spoofing and since the fraudsters know that it is complicated to detect it, since it doesn’t leave exact fraud footprints like a click spamming or a click injection or a bot, they leave really certain footprints, but this SDK spoofing doesn’t have a certain footprint so the fraudsters know that as the marketers, as the industries are all inter-detecting more and more fraud, they need to improvise, they need to build up their arsenal and this is why I think SDK spoofing has seen a big toll, has taken a turn as fraudsters are now interested in learning how to do that hack, do that tactic and in return can continue burning bigger budgets of the advertisers.
That’s the point, isn’t it, it’s the budgets – this is something where you think, you can’t prove it – I would imagine just in a nutshell but it’s difficult to sort of say “This happened”, because it’s like everything – when something is supposed to be not working and then you bring in someone to repair it or when I’m calling my IT guy, that’s always the moment that all of a sudden everything is great, he remotes in and says, “I don’t see a problem here” because there is no real way to put your finger on it so there’s no real way to argue the point, I would imagine.
Exactly, exactly. And since we are on the topic for the marketers out there, I would just like to give you two or three tricks which you could use to better protect SDK spoofing...
Actually, that’s what I love, we’re going to give them a little bit of a cliffhanger. You are going to give them tricks, okay, but we’re going to do that right after the break, Faheem, so people do have to stay there. So, friends, you have to stay exactly where you are because when we come back, we’re going to have those tips and tricks, this trickiest type of fraud out there in the report that you’ve done but also out there and what you’re facing as marketers. So don’t go away, we’ll be right back.
Hey, we are back to Mobile Presence. I’m Peggy Anne Salz. We have Faheem Saiyad, Business Development Manager at Interceptd. Faheem, I’ve been enjoying this because if there’s something I like, it’s things that are straightforward, easy to understand, to the point and we’re going to get to the point now about SDK spoofing, we’ve talked about the danger, we’ve talked about how tricky it is, you’re imagining something, the data doesn’t seem quite right and that’s a sign that something isn’t quite right but what can marketers do about it?
Right, so just kicking back on the summary – SDK spoofing was basically utilising real devices to spoof an attribution tool. How this can be analysed, as I mentioned, there’s no certain proven way to detect SDK spoofing but what can be done is the data which is on the – the data which the marketer receives, they need to look at it from a multi-dimension angle meaning what they see on the attribution tool should not be the only source they rely on. Along with the attribution tool, they need to look at the CRM dashboard, they need to see what kind of engagements were on the attribution tool but are missing from the CRM tool.
They also need to check what kind of – if it was an e-commerce platform, say - they need to see that what kind of revenue data they saw on the attribution tool but when the monthly financials came out, that data was missing. So this is something that you need to do and see it from a third 3-dimension to be very honest and kind of try to pin your finger at where the discrepancy is coming from.
Other than that, if you would deep dive on the install reports, the attribution tool has an SDK version, your app has a version of its own so you need to make sure that the SDK version is the latest. Often you would see in cases like SDK spoofing that the installs are coming from an older SDK version or from an older app version. This means that the SDK spoofer might have hacked the previous SDK version and he or she is sending installs from this SDK version but since the attribution company frequently requires to update your SDK, you will easily understand that hey, a previous SDK means that’s a fake install that has been spoofed.
And the third trick I would like to give out is one of the most easiest – that there will be significant, I repeat, there will be a significant gap between the store numbers and the attribution tool numbers. If you see 100 installs on the attribution tool but on your Google Play or App Store you see 60 installs, that’s a discrepancy of 40 installs right there, so that should be like the biggest alarm, “Hey, something’s wrong” and then you deep dive into the data and the reports as I mentioned in the previous comments.
You have to know the benchmarks, you have to understand this and you have to be looking at the data, comparing it all the time, as you said, CRM data, you know, what you’re seeing in your revenue, if you’ve got a commerce app... there’s another type of fraud that we haven’t talked about but is rising up the ranks because we’re hearing more and more about it – I recently wrote an article actually at Forbes about it because it was becoming so interesting, it had wrecked a number of games, it had also wrecked a number of sort of like limited item websites where it’s like you get this, there’s only a hundred of them and then the bots came in and bought them all. It’s these programs programmed to look like us but aren’t. Are there any sure signs of humanness that you can find that you can say this is bot fraud, this isn’t?
Right, so as you mentioned, bots are basically, they rely on several virtualisation meaning all the bots, they are scripted to look and act like humans. So on an upper level, it’s like basically The Sims. Do you program your own Sims guy, you let him know what his name is, you let him know his story, his device ID etc. So that’s exactly how the emulators and the bots work. They write the whole script on how a bot or emulator will look or how it is supposed to act like a user. Based on that, the emulator device is making an install, as Peggy mentioned, they are capable of – if it’s an e-commerce app, they will go on actual wishlist, they might add products to the basket – so the moment the bot starts to do this, it becomes unavailable for the real user and this could hurt the revenue pretty bad because the bot will never be actually purchasing the device, the entity but a real human could have purchased the entity.
Especially in games, bots – I mean, even big platforms like Budgie, Fortnite, they have also made complaints that on their online servers, since they are paid competitions, bots kind of enter the game and they ruin the whole user experience, you know? You can’t defeat them, they always have an upper hand on you. So this also has a bad effect on your brand since you could easily lose loyal users if they have a bad experience on your game. So this is why bots kind of hurt both your budgets and also your brand image.
How these can be detected is again since these are virtual devices, there is only a certain amount of fakeness, a certain amount of human touch they can add to it and at one point it starts to repeat itself, you know, that the blueprint of it starts to repeat itself and it starts to leave a certain pattern behind. So this is where it’s kind of difficult for a normal marketer to do it but a platform like, say, Interceptd which has access to third party data which has access to a pool of IP addresses is capable of analysing these IP addresses since the IP addresses of the emulators and the bots will come from a restricted pool of IPs only, you know? It won’t be like a random. For the IPs, if the IPs are random, it means it’s genuine public.
For example, if the user is on WiFi, the IP will follow a similar pattern but for bots and emulators, the biggest footprint they leave is a bad IP behind them. When you trace back that IP, you will notice that it’s coming from an identity masking server, could be a proxy, could be a VPN, so basically that’s what is flagged on Interceptd as anonymous IP. If the IP is not traceable, it definitely has come from a bot or from an emulator.
I can see there’s a lot that people can learn from you and learn from your website because it is a topic where you have that feeling there should be some sort of certification program for this, just understanding the types of fraud and what to do. Maybe I’ve given you an idea, who knows, at Interceptd to do that. In the meantime, if someone does have a question about this or wants to catch up with you, Faheem, what would the best way be? Would that be LinkedIn, would that be straight email?
Definitely, I mean, I’m available on my LinkedIn and my email as well – any questions are more than welcome and it will be much more clear once, you know, they see something as you have seen the report so going through a report, seeing the visual, seeing the numbers, is always a good way to kind of start learning about any topics so that then you know the severity of the issue at hand and the damage it might cause to your investment budget.
Okay. Well, great having you on the show, Faheem, and maybe we will have you back again. And listeners, friends, great that you’ve been here for Mobile Presence and listened in. There’s lots to learn as we said over at Interceptd and I will share that link to that report with you.
And in the meantime, you can check out this and all earlier episodes of our show by going to webmasterradio.fm or you can find our shows on iTunes, Stitcher, Spreaker, Spotify and iHeartRadio – find them there, just search under Mobile Presence. So until next time – remember - every minute is mobile, so make every minute count. We’ll see you soon.