In digital advertising, spoofing is a technique that fraudulently misrepresents an ad from an unknown source as an ad from a source that the advertiser knows and trusts. Spoofing often occurs in channels that lack a high level of security, such as in-app. Here, we take a look at the various ways spoofing occurs via device, app, and location, the ways in which apps are particularly vulnerable, and what you can do about it.
How Spoofing Occurs
Device spoofing: Faking device information in the bid request
If a mobile device is programmed to make artificial, high-frequency ad requests, basic quality control efforts on the brand’s behalf may discover that the same device (or set of devices) accounts for a disproportionate volume of impressions. In response, the brand’s quality control measures would likely add those devices to a blacklist.
So how does a fraudster avoid detection in this situation? They make it seem like there are more devices. Using a technique called device spoofing, a rogue app fakes or misrepresents the device information sent through the bid request. When making a request for ad impressions, apps send a string of information about the device to the demand source. This can be unique identifiers such as a hardware ID (e.g. IMEI) or platform ID (e.g., Android ID), or it can be non-unique identifiers, such as the device’s make, model, internet service provider, or IP address.
Coming from a legitimate app, the device data would be accurate, consistent, and remain stable over time for the same user. Coming from a fraudulent app engaged in device spoofing, the device data will be inaccurate, misrepresented, and possibly change over time for the same user.
App spoofing: Is that my app?
If a brand’s quality control analysis uncovers device irregularities and they all point back to the same mobile app, another easy fix is to blacklist the app itself. So what does a fraudster do if they are trying to avoid having their app blacklisted? They make it seem like it’s not their app.
Using a technique called app spoofing, a rogue app fakes or misrepresents the app information sent through the bid request. In addition to hiding impressions to their own app, fraudsters can also use this tactic to pose as a high-value app and boost CPMs.
Location spoofing: Hiding in plain sight
Similar to devices, when making a request for ad impressions, apps send information about themselves to the demand source. In addition to the app name, publisher, or domain, there is also a unique ID used by each operating system to identify each app: Android uses named “bundles” such as com.example.app, while iOS uses numeric IDs.
In a bid request, a legitimate app will pass its own name and unique app identifier. A fraudulent app, on the other hand, will swap out the app information it sends in order to evade detection.
Another sure tip-off that fraud is occurring is when suspicious location or geographic patterns emerge. It wouldn’t take long for a media buyer to find out that it wasn’t mall-going millennials they were targeting, but a bunch of preprogrammed devices running out of a warehouse in Kyrgyzstan.
Thus, another technique fraudsters use to stay under the radar is location spoofing, in which they intentionally misrepresent the latitude and longitude in the bid string. Doing so not only has the benefit of avoiding detection, but can also be lucrative as well. Whether it’s to target or retarget someone on the basis of their proximity to a certain city, venue, or retail location, advertisers will bid higher prices for users that fit their desired geographic profile.
When otherwise legitimate apps cheat
Today’s self-regulating app ecosystem—with app store certifications, visible download counts, and transparent ratings—leads brands to put a lot of faith in apps that score well on these metrics. Apps that have been approved, installed many times, and given stellar ratings can’t possibly be committing fraud, right?
The truth is that not all apps exhibit the same exact behavior for every single user all the time. To boost revenue, apps can be designed so that only a very small percentage of copies will commit mobile device hijacking, or so that they increase their ad request rate only a very small percentage of the time.
Beyond that, apps can leverage affiliate networks to drive fake installs and reviews for their apps in an attempt to appear more desirable. In some cases the app developers themselves may not know or may turn a blind eye to the fact that the users are fake.
How to protect yourself from spoofing
Spoofing fraudsters, take note: Forensiq uses the latest technology in machine learning to detect and block non-human traffic in real time. We are able to keep your ads safe in-app by identifying fraudulent activity at each moment of the ad delivery process. Here is what Forensiq offers—and what you should look for in fraud protection for in-app delivery:
- Bundle ID Spoofing identifies apps that are misreporting the bundle ID and reveals the underlying apps on which the impressions are generated.
- Velocity Risk detects velocity patterns to identify irregular activity from mobile device IDs and apps, such as anomalously high impressions or prebid requests over various time frames. These patterns indicate that ads are being run in the background or through other automated means.
- Location Spoofing detects apps that are reporting fake location data (latitude, longitude).
- App Store Analysis analyzes data available through the App or Play stores to cross-check fraud findings, such as app permissions.
- Advanced Emulator Detection analyzes various facets of the hardware and phone configuration to identify apps running within emulators.
- App Usage Analysis evaluates prebid requests and impression patterns to analyze user behavior within a given app for indicators of device spoofing and malicious app behavior (such as background activity).
- Custom Packet Sniffer listens to ad requests from the app and can load any ads returned. Forensiq can then record on and off-screen activity to compare what is showing on screen to the actual ads loaded by the app. The sniffer does not use a proxy so the app will not know that its network activity is being monitored.
Our advanced app fraud protection identifies and blocks ad fraud—including spoofing—so you can eliminate costly, ineffectual marketing spend and keep your inventory safe.
Want to Know More About Spoofing and Ad Fraud and What You Can Do? Find out all the ways ad fraud occurs and how Forensiq can keep your ad spend safe—as well as ensure ad viewability, domain and app placement integrity, and brand safety—by downloading Impact’s eBook, Staying Ahead of Mobile Impression Fraud.
