The Mobile Fraud Study We Didn’t Want To Publish | AppsFlyer

Danielle Blumenstyk Peterman Sep 20, 2017

Sometimes, our data scientists bring us reports that are so outlandish it seems like they can’t be true. In January of 2017, we came across a new type of fraud. The numbers we saw were simply too outrageous to publish. So we waited, collected more data, tested and validated our findings. Six months later, we set to work creating this data study – the largest mobile fraud-data study ever conducted. In it, we explore how the market missed over 50% of all fraud, and how 10 cents out of every dollar spent on mobile app growth goes to fraud. Globally, advertisers will lose an estimated $2.2-$2.6 billion to app install fraud in 2017, with a staggering $1.1-$1.3 billion of that going to DeviceID reset fraud.

The Backstory
Last September, we revealed a new development we created to identify mobile fraud from device farms, introducing the world’s first and only protection from this fraud, DeviceRank. At launch, DeviceRank protected against DeviceIDs known to be perpetrating fraud, and flagged DeviceIDs suspected of fraudulent activity for further analysis.

Shortly after launching DeviceRank, one of the largest marketers in the world approached us, with a large number of installs that they suspected, but could not prove, were fraudulent. Further analysis using DeviceRank revealed a new type of fraud – DeviceID Reset Fraud. With DeviceID Reset Fraud, criminals running device farms (aka click farms, phone farms) use fresh IP addresses, click on real ads from real phones and generate real installs at scale. Not only that, they also reset their DeviceIDs between fraudulent installs, repeating this cycle at a phenomenal scale. This novel approach to fraud effectively hides their malicious activities behind real devices and fresh DeviceIDs.

Finding DeviceID Reset Fraud
Finding a fraudulent fresh or “new” DeviceID wasn’t easy. To start, we ran a regression analysis on our massive mobile engagement database. These analyses showed that few media sources were trafficking in high concentrations of “new devices” (devices without any previous engagement in the Protect360 database).

However, when running the same regression analyses at the sub-publisher or SiteID level, we began seeing massive volumes of installs from SiteIDs sending 80%, 90% or even 100% new devices. This raised all kinds of red flags. We tested multiple hypotheses to explain this behavior. Were these newly released devices? Were they pre-install campaigns? Were they coming entirely from Android or iOS?

Unfortunately, the data clearly showed that these high concentrations of “new devices” were in fact a new type of device farm-driven device fraud. We immediately added reporting on these “new devices” to our anti-fraud platform (now called Protect360). Marketers with access to these insights quickly recognized millions of dollars in fraud savings. The feedback was phenomenal.
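The aggregation effect described above, as an added example that is not AppsFlyer's code or data: the same "new device" share is computed per media source and per SiteID, and SiteIDs at or above the 80% mark are flagged. The record fields, the `min_installs` volume floor and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

def new_device_rates(installs, seen_devices, key):
    """Return {group: (install_count, new_device_share)} for the grouping chosen by key."""
    totals, fresh = defaultdict(int), defaultdict(int)
    for rec in installs:
        group = key(rec)
        totals[group] += 1
        # "New device" = no previous engagement on record for this DeviceID.
        if rec["device_id"] not in seen_devices:
            fresh[group] += 1
    return {g: (n, fresh[g] / n) for g, n in totals.items()}

def flag_site_ids(installs, seen_devices, threshold=0.8, min_installs=50):
    """SiteIDs whose new-device share meets the threshold, ignoring tiny samples."""
    rates = new_device_rates(
        installs, seen_devices, lambda r: (r["media_source"], r["site_id"]))
    return sorted(g for g, (n, share) in rates.items()
                  if n >= min_installs and share >= threshold)

def build_sample():
    """Constructed data: one network, nine ordinary SiteIDs, one all-new SiteID."""
    seen = {f"known-{i}" for i in range(2000)}
    installs = []
    for s in range(9):                      # ordinary sub-publishers, 10% new devices
        for i in range(200):
            dev = f"fresh-{s}-{i}" if i % 10 == 0 else f"known-{s * 200 + i}"
            installs.append({"media_source": "network_a",
                             "site_id": f"site_{s}", "device_id": dev})
    for i in range(200):                    # every install arrives on an unseen DeviceID
        installs.append({"media_source": "network_a",
                         "site_id": "site_9", "device_id": f"reset-{i}"})
    for i in range(5):                      # 100% new, but too few installs to judge
        installs.append({"media_source": "network_a",
                         "site_id": "site_small", "device_id": f"tiny-{i}"})
    return installs, seen

if __name__ == "__main__":
    installs, seen = build_sample()
    by_source = new_device_rates(installs, seen, lambda r: r["media_source"])
    for source, (n, share) in by_source.items():
        print(f"{source}: {n} installs, {share:.1%} new devices")
    for source, site in flag_site_ids(installs, seen):
        print(f"flagged: {source}/{site}")
```

At the media-source level the network shows roughly 19% new devices, while the per-SiteID pass isolates the one sub-publisher sending only unseen DeviceIDs.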

However, marketers and their network partners needed both a better understanding of this type of fraud, as well as a faster, easier way to combat DeviceID Reset Fraud.

Providing More Information About DeviceID Reset Fraud
The early data about DeviceID Reset Fraud seemed too huge to be true. We dedicated resources to monitor this new type of fraud, and the results continued to amaze us. January’s numbers showed that DeviceID Reset Fraud comprised more than half of all mobile install fraud, more than every other type of install fraud combined.

Simply publishing these early numbers, however, would be irresponsible. January could have had a higher than normal “new device” rate because of all the new phones purchased over the holidays. We took the cautious route, monitoring this trend over the next six months. The data held remarkably stable. This was clearly a new type of fraud. And it was hitting places we weren’t expecting, such as iOS, the US and Southeast Asia.

We determined the time had come to publish our findings. With data from 4 billion unique devices measured from leading brands around the world over a six-month period, this comprises the largest mobile fraud data study ever published.

Upon discovering that DeviceID Reset Fraud accounts for over 50% of all mobile fraud, we also upgraded our own solutions to better protect against this new threat.

Blocking Advanced Fraud, Including DeviceID Reset Fraud
As we learned more about DeviceID Reset Fraud, we set out to not only detect it, but to automatically block as much of it as possible. After months of extensive testing and optimization, we have put in place the world’s first and only automated protection against known sources of DeviceID Reset Fraud – blocking this fraud at the SiteID level.

Furthermore, with the introduction of Validation Rules and Live Alerts, marketers can automatically block attribution from SiteIDs perpetrating DeviceID Reset Fraud. Lastly, to help our integrated partner networks identify and take corrective action, we enabled rejected install postbacks and created the option for transparent Protect360 reporting.

Next Steps
DeviceID Reset Fraud will not be the last type of advanced mobile fraud we find. As mobile spend continues to grow, bad actors will continue to invest and innovate, as will the team here at AppsFlyer. We are committed to delivering best-in-class fraud protection today.
