The Rapid Evolution of Mobile Fraud | AppsFlyer

Jon Burg, Apr 04, 2018

On Monday, we kicked off #FoolsNoMore, a new annual initiative that educates and empowers marketers with fresh insights and recommendations for combatting mobile fraud.

Today, we are going to take a deeper dive into the changing face of fraud. While Device Farms remained a major threat in Q4 2017 and Q1 2018, we also saw a serious resurgence in bot fraud, as well as the emergence of behavioral anomalies.

When we introduced automated protection against Device Farms and DeviceID Reset Fraud, this was the most common type of mobile fraud, representing just over 50% of all mobile fraud. Within weeks of the release, DeviceID Reset Fraud levels dropped dramatically. Over the following weeks, fraudsters continuously changed their install patterns, attempting new attacks, and we repeatedly updated our DeviceRank algorithms, blocking even more fraud along the way.

Facing declining performance, fraudsters started experimenting with alternative attack vectors. They began sending hybrid attacks that utilized multiple attack tactics in tandem. They adapted to new protection solutions with remarkable agility, at times evolving in just days.


Q4 2017 – Q1 2018: Addressing The Rise of Bots and Behavioral Anomalies

To address the recent resurgence of bots, we enhanced our real-time bot protection, and developed a new technology that actively flags behavioral anomalies. The first generation of our new behavioral anomaly detection technology helped unmask new bot signatures.

For example, consider the bot below. This bot typically strikes at relatively low volume, across a very wide spectrum of apps, verticals and geos. By slowly draining a diverse set of campaigns across media sources and businesses, this fraudster effectively avoided detection for quite some time. However, because of the scale of our database as well as our anomaly detection platform, we were able to accurately identify and block this advanced bot.

[Figure: Bot activity geo spread]

Moving Beyond Bot Signatures, Developing Behavioral Analysis

Blocking a known bot signature is relatively straightforward. However, after months of research we have found a number of behavioral patterns that are clearly fraudulent, but do not share an identifiable common metadata signature that can be blacklisted – other than the sub-publishers that are sending the traffic.

With the help of our new behavioral anomaly detection technology, we have tested and validated multiple new fraudulent behavioral patterns that are undetectable using traditional fraud prevention measures such as bot signatures or CTIT distribution. By analyzing post-install behavior, such as event type, volume and engagement patterns, as well as matching metadata, this solution automatically identifies emerging anomalies for further validation. Over the coming weeks, Protect360 will begin automatically blocking sub-publishers sending this clearly artificial traffic.

Early next week, we will share some additional insights into how we validate every fraud signature, optimizing marketer coverage without sacrificing data accuracy to false positives. To learn more about Protect360 or to schedule a complimentary consultation with our Protect360 team, please speak with your success manager or contact us today.