A type of fraud spreading through the mobile universe could cost advertisers more than US$1 billion globally this year, according to a July 2015 study released by Forensiq.
The fraud, called “mobile device hijacking,” uses installed apps to rapidly load ads that no one sees — but the fraudsters collect money for the ads as if they had been viewed.
“Mobile advertisers are losing 13 percent of their ad spend to mobile device hijacking,” the report estimates.
Using its fraud detection platform, Forensiq identified more than 5,000 apps — both Android and iOS — that committed ad fraud. Over a 10-day period, the company found 12 million unique devices running at least one of the 5,000 apps.
“These hijacked devices represent about 1 percent of the mobile devices observed in the U.S. and 2 to 3 percent of devices observed in Europe and Asia,” the report notes.
Apps committing fraud either contain malicious code or pick it up while on a phone, explained Forensiq CTO Matt Vella.
“It can saturate the bandwidth used by a phone,” he told the E-Commerce Times. “It can eat up your data plan, drain your battery — and of course, the cost to advertisers is quite high.”
The bad apps can serve ads at a rate as high as 20 per minute, according to the Forensiq study. That contrasts with a legitimate app that refreshes ads once every 30 to 120 seconds.
Malicious apps serve an estimated 700 adds per hour, the report notes.
Most of those ads aren’t seen by a user, although advertisers are paying for them.
“Hidden placeholders are placed in the application in which they can load many ads as quickly as possible, because the mobile phone owner will not see the ads,” explained Bogdan Botezatu, senior e-threat analyst with Bitdefender.
Those unseen ads are money in the fraudster’s pocket.
“When they sign up as an advertising affiliate, they receive a fee for every ad displayed inside the application,” Botezatu told the E-Commerce Times. “So it’s easy to understand why they want as many ads as possible inside that placeholder.”
Not everyone agrees on the magnitude of advertising fraud in the mobile market.
“Mobile isn’t as productive for ad fraudsters, because they have to spread ads at tremendous scale,” said Michael Bentley, head of research and response at Lookout.
“Right now, they can make money more quickly with more direct methods on mobile,” he told the E-Commerce Times. Among those other methods are embedded links to porn sites and ransomware.
While strides have been made in the effort to detect online advertising fraud, detecting mobile fraud is much more difficult.
“There are hundreds of thousands, if not millions, of mobile app developers,” explained Amin Bandeali, CTO of Pixalate, “and many of these apps are coming up and going away in a matter weeks.”
Each app store has its own way of doing business, and there’s no way to store cookies on mobile devices.
“So the technology that’s been built for online advertising doesn’t work for mobile,” Bandeali told the E-Commerce Times.
Consumers who want to protect themselves from hijacking apps can do a number of things.
“Make sure the app has a good reputation,” recommended RiskIQ CEO Elias Manousos.
“You should also make sure you’re downloading an app that’s not a copy or knockoff of what you want,” he told the E-Commerce Times.
It’s important to monitor your battery life and data usage closely, suggested Domingo Guerra, president of Appthority.
“Reading reviews is important as well,” he told the E-Commerce Times. “We see that users will complain about battery and data usage.”
There are some things advertisers can do to protect themselves from in-app fraud. Careful vetting of affilate partners is a good place to start. Also, there are services available that use behaviorial analysis of data to identify fraudsters.
However, both consumers and advertisers would benefit from the app stores themselves improving their detection of malicious apps.
Companies that operate app stores — including Google, Apple and Microsoft — “need to step up their due diligence of new apps coming in,” Bandeali said.
Several malicioius apps identified by Forensiq have been suspended from Google Play, according to Google spokesperson Joshua Cruz.
“Unfortunately, we can’t provide additional comment on these specific apps, but we can confirm that our policies are designed to provide a great experience for users and developers,” he told the E-Commerce Times. “That’s why we remove apps from Google Play that violate those policies.”
A Microsoft spokesperson was not immediately available to comment for this story. Apple did not respond to our request for comment.