As is true with most successful marketplaces, app stores attract fraudsters looking to benefit themselves on someone else’s dime. With millions of apps available on multiple store platforms, policing each app for fraud has become increasingly difficult.
Bad actors in the app fraud space have one primary source of motivation: generating revenue through misrepresentation. Whether the fraud originates through human or non-human traffic, the goal is the same: to impersonate a legitimate user in order to access funds or data. As a result, app developers and advertisers need to know how these schemes operate and what they can do to prevent them from wrecking their business plans.
Fake or Stacked Ads
Almost every time an app runs, advertising activity occurs in the background. Unseen by the user, invisible auctions behind the scenes determine which ad(s) get seen. Every day, billions of legitimate ads are placed in front of the eyes of consumers, making this type of advertising both incredibly profitable and an attractive target for fraudsters.
Sometimes ad fraud is perpetrated through ad spoofing, a.k.a. fake ads. This frequently occurs when ad inventory is sold fraudulently to advertisers. Their ads are served on counterfeit websites or ad networks, often appearing on a website that mimics a legitimate one with a slightly different URL. As a result, the ads never appear in front of their intended audience, and the ad revenue results in profit for the fraudsters instead of translating into sales for the advertisers.
In ad stacking, multiple ads are placed on top of each other, with only one being visible to the user. The bad actor who stacks the ads gets the revenue not just for one impression but for every ad stacked under the visible one. Similarly, ads can be “stuffed” into a single pixel, completely unseen, yet still earning payout for false impressions. Bots and automated scripts may also contribute to the fraud’s game plan by simulating clicks and serving additional ads to bots.
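As an added example (not from the original article or from Anura), the check below takes the on-screen rectangles of the ad slots a view has rendered and flags slots that are pixel-sized or mostly covered by another ad drawn above them. The slot fields (`id`, `x`, `y`, `w`, `h`, `z`), the two thresholds, the assumption that every slot is opaque, and the sample data are all made up for illustration.

```javascript
// Added example: flags ad slots that bill an impression the user cannot see.
// Slot shape {id, x, y, w, h, z} and both thresholds are assumptions.
const MIN_SIDE_PX = 2;   // a slot narrower or shorter than this counts as pixel stuffing
const MIN_VISIBLE = 0.5; // assumed minimum fraction of the ad that must stay uncovered

// Clip rectangle b to rectangle a; returns null when they do not overlap.
function clip(a, b) {
  const x1 = Math.max(a.x, b.x), y1 = Math.max(a.y, b.y);
  const x2 = Math.min(a.x + a.w, b.x + b.w), y2 = Math.min(a.y + a.h, b.y + b.h);
  return x2 > x1 && y2 > y1 ? { x1, y1, x2, y2 } : null;
}

// Area of the union of clipped rectangles, by coordinate compression.
function unionArea(rects) {
  const xs = [...new Set(rects.flatMap(r => [r.x1, r.x2]))].sort((a, b) => a - b);
  const ys = [...new Set(rects.flatMap(r => [r.y1, r.y2]))].sort((a, b) => a - b);
  let area = 0;
  for (let i = 0; i + 1 < xs.length; i++) {
    for (let j = 0; j + 1 < ys.length; j++) {
      const covered = rects.some(r =>
        r.x1 <= xs[i] && xs[i + 1] <= r.x2 && r.y1 <= ys[j] && ys[j + 1] <= r.y2);
      if (covered) area += (xs[i + 1] - xs[i]) * (ys[j + 1] - ys[j]);
    }
  }
  return area;
}

function auditAdSlots(slots) {
  return slots.map(slot => {
    const flags = [];
    if (slot.w < MIN_SIDE_PX || slot.h < MIN_SIDE_PX) flags.push("pixel-stuffed");
    // Only ads drawn above this one (higher z) can hide it.
    const covers = slots.filter(o => o !== slot && o.z > slot.z)
      .map(o => clip(slot, o)).filter(Boolean);
    const total = slot.w * slot.h;
    const visible = total > 0 ? 1 - unionArea(covers) / total : 0;
    if (visible < MIN_VISIBLE) flags.push("stacked-under");
    return { id: slot.id, visible: Number(visible.toFixed(2)), flags };
  });
}

// Constructed sample: three 300x250 ads stacked at one position, plus a 1x1 slot.
const sampleSlots = [
  { id: "ad-top",    x: 0, y: 0,   w: 300, h: 250, z: 3 },
  { id: "ad-mid",    x: 0, y: 0,   w: 300, h: 250, z: 2 },
  { id: "ad-bottom", x: 0, y: 0,   w: 300, h: 250, z: 1 },
  { id: "ad-pixel",  x: 0, y: 600, w: 1,   h: 1,   z: 1 },
];
console.log(auditAdSlots(sampleSlots));
```

In the sample, only `ad-top` comes back unflagged: the two ads beneath it report zero visible area, and the 1x1 slot is flagged on size alone even though nothing covers it.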
One particular cyber fraud scheme, referred to as Vastflux, was recently taken down after making 12 billion requests for fraudulent ads per day at its peak. More than 1,700 apps and 120 publishers were affected, with the scheme running on nearly 11 million devices.
Vastflux was stopped just months after a similar fraud ring was taken down, when the scheme known as Scylla was disrupted after more than 13 million downloads from Google Play and Apple App stores. Yet, despite these impressive interruptions to major groups of bad actors, mobile ad fraud remains one of the most costly forms of cyber theft, with an estimated $81 billion in losses in 2022.
One of the largest fraud finds in history, known as "Live Fraud Paper", was made in 2017, when a potential $3 billion a year was being stolen from advertisers through carefully crafted malware found in the Google Play Store.
Perhaps you’re launching an app with an incentive for the first 1,000 installers. How can you be sure those 1,000 users are unique individuals… or even actual humans? These days, finding the answer isn’t simple. If you assume bots account for 40% of all internet traffic, it’s safe to presume 400 of those install incentives are going to bad actors.
In turn, the “free” incentives can be monetized by those perpetrating the fraud at no benefit to you. At best, those 400 rewards are tied up in a fake user’s cart rather than incentivizing your real customers. If 400,000 per 1 million users are fake, that also drastically affects your user demographic data, weakening the effectiveness of your retargeting metrics.
Fake downloads can also originate from install farms, which operate similarly to click farms in that real people initiate the actions. However, real people are not always legitimate users. Instead, install farms employ hundreds of low-cost workers who are paid to install apps on real devices by navigating through a malicious publisher’s site.
Because the publisher has registered for the advertiser’s affiliate program, they earn on a cost-per-install basis. As a result, advertisers believe their ads are being placed in front of legitimate users, but they’re actually paying for useless and valueless installs.
Where In-App Fraud Is Most Prevalent
In 2022, consumers downloaded 255 billion mobile apps to their connected devices, up by more than 80 percent from 140.7 billion app downloads in 2016. With 255 billion apps to monitor and thousands being added to the marketplace every day, the competition for consumers is rampant, as is the opportunity for fraud. Apps of all types are at risk, but e-commerce, gaming, and finance apps are particularly popular targets for fraudsters.
- E-commerce: Bots and bad actors can use fraudulent techniques in e-commerce apps to scoop up limited edition or promotional items, skew analytics, steal customers’ credit card information, and create fake negative or positive reviews.
- Gaming apps: Fraudsters will take over successful accounts of real users and sell them to others. This also puts a user’s credit card information at risk, and it very likely results in users losing trust in a gaming platform, potentially abandoning the app permanently.
- Finance apps: Due to the nature of their content, financial management apps are at high risk of fraud, mostly from account takeovers. Bots attempt to steal money from accounts or pilfer user information, which can then be sold to another fraudster.
What Can You Do To Stop Fraud In Your Apps?
As an app developer, the only reasonable way to fight back is to have a robust security system in place. For instance, scanning for fraud must be done in real-time within the app, both before launch and on an ongoing basis. Without such protections, your company’s reputation, time, and budget are all at risk, in addition to your customers’ privacy.
Fraudsters have highly complex and rapidly evolving technologies, so stopping them takes an even more sophisticated system. Anura’s solution will ensure the individuals who downloaded your app are real people, not bad actors, based on our ability to identify fraudulent traffic with an unmatched 99.999% accuracy rate. This saves your marketing budget for authentic downloads and conversions that deliver true value.
Not just that, but before your app even launches, we can scan ad units for legitimacy to protect your advertisers from fraud. When you work with Anura, you can trust real consumers are installing your apps and that fraudsters are stopped before they can even get started.
Reach out to Anura today to find out how we can help your next app launch be as successful as possible, protecting your company, your consumers, and your advertisers from fraudsters who aim to profit from your work.