Fraud: The invisible enemy of every App

A data-driven culture can be crucial to avoid millions of dollars in fraud losses.

Published in etermax technology · 4 min read · Nov 30, 2021

By Santiago Massau, Principal Data Analyst at etermax

“Cut off one head, two more will take its place.” Like the myth of the Hydra, App fraud is one of those problems that can come back to haunt you even after you think it is dead. And, like the organization of the same name in the Marvel Universe, it is capable of going years undetected until it is too late.

In this article we explore one of the ways in which the use of data can help find these hidden cases.

“Harvesting” installations

Investment in Mobile Advertising is growing at an unprecedented level, at an estimated 58% of the advertising market, and so is the number of people who want to take their slice of the pie in a dishonest way.

One such example is the creation of “fake” installs. An application that decides to advertise to boost its growth may suddenly find that the quality of its users has dropped dramatically while the quantity has gone up.

If that happens, we have to consider the possibility that we may be acquiring installs from a “device farm”. In its most rudimentary form, it looks like a company with workers stacked in warehouses full of cell phones, performing clicks, likes and installs to inflate the success metrics of an ad campaign, such as Click-Through Rate.

A more refined and modern version is the Bot, which can perform these same interactions with no human intervention. A fact: almost 3 out of 4 fraud cases detected in LATAM by the attribution platform AppsFlyer were Device Farms or Bots. An App can ignore this reality only at its own risk.

Where does data come in?

If there is the possibility of fake installations in your app, a Data Analyst will look for abnormal patterns in the user’s post-installation behavior. A first filter will be to observe the number of users who have successfully logged in: a bot may find itself stopped at this stage, unable to perform the action of inserting a new email and password. Applications that do not have Logins can use some other common event in the user’s initial path, such as starting the game tutorial, instead. A high percentage of installations that do not reach this point should raise alarm bells.

Some Bots or Device Farms, however, may go a step further in their sophistication. For those cases, we can look at the number of users who performed a “crucial” event within our app, such as initiating a trip in a transportation App. We will analyze these metrics at different levels of aggregation: advertising campaign, App Publisher where we acquired that user, brand and version of the mobile device or geographic region of installation.

If we still don’t find concrete evidence, we can look at the distribution of installs by IP: a high proportion of users with the same IP and similar behavior should be, at the very least, suspicious.

Visualizing fraud

The threat of Bots and Device Farms is not merely theoretical. Recently, we experienced one of these attacks first-hand in a user acquisition campaign in the United States, during the testing of a new provider.

The Marketing team became suspicious while observing irregular post-acquisition metrics, and an analysis was performed together with the Data team to confirm the possibility of a Fraud case.

The truth quickly came to light. Our first evidence was in the observation of users who failed to advance from the registration step but still returned to the application multiple days after installation. There, it became clear that over 55% came from just two states, Nebraska and Missouri.

% of installs suspected of fraud, distributed by state

Even more striking was the fact that more than 90% of the campaign installations in these two states came from only 3 cell phone models, none of which were among the most widely used by users in the area prior to the start of the campaign.

% of suspicious installs by Device, in Nebraska & Missouri

With this case behind us, it was the Data team’s responsibility to proactively respond to these cases in the future, and detect them as early as possible.

Our response was to generate an automatic alert that would inform the team via Slack when an ad campaign exceeded a predetermined threshold of suspicious installs. This method allows us to ensure that each “head” of the Hydra does not regenerate again in the future, perhaps in a different country or ad network.
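The checks described in this article (installs stuck before login that still return, aggregation by campaign, state, device and IP, and a threshold alert), as an added Python example that is not etermax's code. The field names, the 30% threshold, the minimum campaign size and the sample installs are assumptions constructed for illustration.

```python
from collections import Counter

def install(campaign, state, device, ip, logged_in, return_days):
    return {"campaign": campaign, "state": state, "device": device,
            "ip": ip, "logged_in": logged_in, "return_days": return_days}

# Constructed sample data (not real installs): a tested provider and a baseline campaign.
INSTALLS = (
    [install("new_provider", "NE", "model_a", "203.0.113.7", False, 3)] * 7
    + [install("new_provider", "MO", "model_b", "203.0.113.7", False, 4)] * 5
    + [install("new_provider", "TX", "model_c", f"198.51.100.{i}", True, 2) for i in range(8)]
    + [install("baseline", "CA", "model_d", f"192.0.2.{i}", True, 1) for i in range(18)]
    + [install("baseline", "NY", "model_e", f"192.0.2.{100 + i}", False, 0) for i in range(2)]
)

def is_suspicious(row, min_return_days=2):
    # Signal from the article: never gets past registration/login, yet returns on several days.
    return not row["logged_in"] and row["return_days"] >= min_return_days

def suspicious_rate_by(rows, dim):
    """Suspicious share of installs for each value of one aggregation level."""
    total, bad = Counter(), Counter()
    for r in rows:
        total[r[dim]] += 1
        bad[r[dim]] += is_suspicious(r)
    return {k: bad[k] / total[k] for k in total}

def concentration(rows, dim):
    """How the suspicious installs alone are distributed over one dimension."""
    hits = Counter(r[dim] for r in rows if is_suspicious(r))
    n = sum(hits.values())
    return {k: v / n for k, v in hits.items()} if n else {}

def campaign_alerts(rows, threshold=0.30, min_installs=10):
    """Alert text for campaigns over the threshold; posting it to Slack is left to the caller."""
    alerts, sizes = [], Counter(r["campaign"] for r in rows)
    for campaign, rate in suspicious_rate_by(rows, "campaign").items():
        if sizes[campaign] >= min_installs and rate > threshold:
            sub = [r for r in rows if r["campaign"] == campaign]
            top = {d: max(concentration(sub, d).items(), key=lambda kv: kv[1])
                   for d in ("state", "device", "ip")}
            detail = ", ".join(f"top {d} {k} ({s:.0%})" for d, (k, s) in top.items())
            alerts.append(f"{campaign}: {rate:.0%} suspicious installs; {detail}")
    return alerts

if __name__ == "__main__":
    for line in campaign_alerts(INSTALLS):
        print(line)
```

The minimum campaign size keeps a handful of installs from triggering an alert on noise; both it and the threshold should be tuned against campaigns already known to be clean.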

Conclusion

We may feel safe, but the fraud “heads” are here and will continue to appear over time. Other types of fraud such as Click Hijacking, Click Flooding and SDK Spoofing also coexist in the Mobile Advertising ecosystem, all with the same goal of illicit enrichment at the expense of unsuspecting Marketing departments.

In the face of this, a proactive and non-conformist attitude from the data analyst is what will most likely be able to eradicate enough of these threats to keep us safe.
