<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=134132097137679&amp;ev=PageView&amp;noscript=1">

Mobile ad fraud: What is mobile app laundering?

Oct 2, 2018 10:50:24 AM

In this post, Pixalate explains mobile app laundering, a type of mobile ad fraud and Sophisticated Invalid Traffic (SIVT) that costs advertisers millions of dollars. The mobile in-app landscape is rife with invalid traffic (IVT), with mobile ad fraud rates nearing 25%. Mobile app laundering is one of the most advanced ways in which fraudsters are stealing mobile app ad budgets.   

Mobile ad fraud: What is 'Mobile App Laundering'?

mobile-ad-fraud-what-is-mobile-app-laundering

Mobile Application (App) Laundering is the process by which low-valued or entirely illegitimate inventory in mobile in-app environments is sold to advertisers/agencies under the pretenses that the inventory is being delivered to potentially valid end-users on a legitimate, or series of legitimate, mobile applications.

In other words, the advertiser/agency ad content is delivered to a “laundered” app (as opposed to the legitimate app inventory bid on), or potentially even just to a dark screen or background process.

How does Mobile App Laundering occur, and why is it mobile ad fraud?

Monetizing illegitimate inventory through the process of mobile app laundering is predominantly driven by the prevalence of programmatic bidding environments. As these programmatic monetization platforms (e.g., SSPs) rely on a series of ad calls from the respective publisher application, the potential exists to disguise (or obfuscate) the actual final delivery point of the respective ad content.

In the case of mobile app laundering, fraudsters disguise the delivery of ad inventory to unsavory locations while mimicking the delivery of the ad content to legitimate mobile applications, oftentimes through a technique known as ‘mobile application spoofing’ or ‘Bundle ID spoofing’.

In the context of mobile app laundering, mobile application/Bundle ID spoofing occurs when the app on which the ad content is delivered (or ad impression event is generated/counted) is misrepresented via a fake or illegitimate app identifier (Bundle ID). For a technical overview of the processes involved in Bundle ID spoofing, refer to our step-by-step technical breakdown presented in our earlier blog post in which Pixalate uncovered an instance of sophisticated mobile app laundering activity.

See the apparent mobile app laundering via Bundle ID spoofing in action

Here is a video captured by the Pixalate analyst team detailing the apparent mobile app laundering in action:

 

What is the impact of Mobile App Laundering and mobile ad fraud?

Mobile app laundering is especially malicious in nature as techniques are predominantly developed to manipulate programmatic bidding environments. These techniques, as employed in programmatic, enable fraudsters to drive significant volumes of fraudulent traffic in short periods of time.

Sophisticated mobile app laundering techniques can be staggering in their overall impact on the digital advertising supply chain. Take for example the June 2018 instance in which Pixalate uncovered an apparent instance of sophisticated Mobile App Laundering.

In this situation, a well-trafficked and highly user-reviewed mobile application utilized a series of Bundle ID spoofing techniques in order to launder both display and video impressions. Based on Pixalate’s conservative estimates, the potential lost ad spend related to this single instance of mobile application laundering fraud could be in excess of $75 million per year. To see exactly how Pixalate arrived at this estimate, please refer to this shared Google Sheets document.

How the MRC IVT Guidelines & IAB Anti-Fraud Principles and Proposed Taxonomy address mobile ad fraud and Mobile App Laundering

The Media Rating Council, Inc. (“MRC”) has published extensive guidance related to the identification and treatment of invalid traffic (“IVT”). Within the context of the MRC IVT Guidelines Addendum, mobile app laundering is an invalid traffic type which typically constitutes sophisticated invalid traffic (“SIVT”) as it is likely to only be identified through the employment of complex, data-driven SIVT detection and filtration techniques.

As transactions associated to mobile app laundering schemes oftentimes appear valid/legitimate at face value, it is highly unlikely that such fraud is detected via general invalid traffic (“GIVT”) techniques, which are usually parameter or list-based in their approach. Refer to our earlier thought leadership blog post for additional detail regarding the distinctions between GIVT and SIVT.

Mobile App Laundering most closely aligns with ‘Falsely Represented’ content

In the context of the IAB’s Anti-Fraud Principles and Proposed Taxonomy, which presents a categorization of various IVT sources, Mobile App Laundering would most closely align with ‘falsely represented’ content as the foundation of the fraud is occurring through the delivery of ad content to illegitimate mobile applications unbeknownst to the advertiser/agency bidding on the inventory. This is similar in concept to falsely represented sites.

Depending on the nature of the mobile app laundering scheme and the level of penetration by the ad fraudsters, such schemes can include characteristics of any of the following IAB-defined IVT classifications (amongst others). The following definitions come from the IAB's Anti-Fraud Principles and Proposed Taxonomy:

  • “Falsely represented – html or ad calls that attempt to represent another site or device or other attribute, other than the actual placement e.g., referrer spoofing”
  • Hijacked device – any user’s device (browser, phone, app or other systems) that has been modified to call HTML or make ad requests that are not under the control of a user and made without the user’s consent. These include:
    • Hijacked device with a fully automated browser – a hijacked device where the device is a browser and the modification is that the browser is hidden from user view and engaged in making HTML or ad calls.
    • Hijacked device with session hijacking – a hijacked device where a user is present and additional HTML or ad calls are made independently of the content being requested by the user. Ads and redirections are inserted into the user experience by the program running on the device.”
  • Crawler masquerading as a legitimate user – a browser, server or app that makes page load calls automatically without declaring themselves as a robot, instead declaring a valid regular browser or app user agent where there is no real human user.
    • Advanced – declares a user agent string normally associated with human activity, and also renders the page.
    • Basic – only declares a user agent string normally associated with human activity, does not render the page.”
  • Hijacked Tags:
    • Ad Tag Hijacking - Taking ad tags from a publisher’s site and putting them onto another site without the publisher knowledge.
    • Creative Hijacking - Copying the creative tags from a legitimately served ad so they can be rendered at a later time, without the consent of the advertiser or their contracted service provider.”
  • “Contains malware – malware is found on the site or the app contains malware.”

Within the context of the MRC’s Interim Guidance specific to SIVT in Mobile In-App, the MRC guidance outlines various mobile in-app characteristics/evaluation criteria which should be considered from an internal control framework perspective. Additionally, there are many specific considerations outlined with respect to the development, refinement and deployment of SIVT detection solutions in mobile in-app environments. The specific additional considerations outlined by the MRC guidance related to SIVT within mobile in-app environments is dissected in further detail here.

Search Blog

Follow Pixalate

Subscribe to our blog

*By entering your email address and clicking Subscribe, you are agreeing to our Terms of Use and Privacy Policy.

Subscribe to our blog

*By entering your email address and clicking Subscribe, you are agreeing to our Terms of Use and Privacy Policy.