Research on mobile advertising cheating technology

There are three types of ads cheating in the app installation category:

Click Cheat: Fake click, real user Install cheat: Fake click, fake user contract cheat: Real click, real user

In red means cheating, grey is true.

Click Cheat

When a simulated click is made on a real user's device, The Advertiser is convinced that the ad has been clicked, even if the real ad is not displayed or clicked. This is a highly rewarding way to cheat because it only requires a fake click to get advertising revenue. For example, a security product uses a simulated click to cheat.

When a fraudster makes a simulated click on a real user's device, once the user installs the app himself, they get The advertiser's trust. Because such users are really interested in these apps, they behave like typical natural-flow users without leaving suspicious traces.

(1) Click Fill

By doing this, the cheaters will make a tag (tag), that is, the user as their own users (that is, they recommend these users to advertisers), in fact, the users of the download application and the behavior of the cheaters is not related, just because the cheaters used a forced click on the means, The credit for app installation is theirs. This is similar to the "cookie stuffing" in the web age.

(2) Visibility cheating

This is a way of traffic spoofing that uses ad stacks and pixel fills to cause users to not have the opportunity to see normal ad content.
Ad stacks are stacked with multiple ads, so only the top-level ads are visible and the underlying ads are invisible. Pixel fills are ads that show only 1 pixel size on the user's phone screen. This kind of advertisement, the user cannot see, but the statistic tool can be counted, still will be as the exposure advertisement and The advertiser settles, causes the advertiser to bring the economic loss. Other similar to the "1-pixel advertising" cheating is also reflected in the private replacement of advertising material, privately modify the length of the advertising material, and so on, a variety of tricks.

(3) Click Hijack

When an app is installed (naturally installed), the Android system emits a broadcast, and a malicious app (an app with adware spoofing code) will use this broadcast for click Hijacking. When a malicious app receives this broadcast, it will run malicious code to trigger a click event before the newly installed app opens. In this way, it looks like a cheat show ad that gives the user a final "click" event, resulting in ad revenue.
In other words, cheaters use malicious apps to hijack users ' devices and create a seemingly legitimate "adclick" at the right time to gain the CPI revenue.

(4) Click Brush Volume

Natural traffic installation users are of great value to app developers because they are downloaded without any advertising interaction, and they are likely to be downloaded from their own interests, or through app testimonials.
Natural-flow installation users are generally more quality than other users, they use the app longer, and may have a higher lifetime value than paid users. Tracking your app's natural traffic the number of installed users is often a good way to understand the overall health of your application. However, this happens when cheaters try to act as users of natural traffic. Some natural traffic is treated as cheating traffic, which allows app advertisers to pay for those natural traffic installations. This practice is often referred to as "natural traffic theft" or "swipe volume".
"Natural traffic theft" begins when a user logs on to a mobile Web page or a cheater-operated app. From that moment on, any kind of cheating can happen:

• A mobile Web page can perform a click in the background without a user-visible ad or an ad that can interact with it. A no-sense advertising SDK is used in this way, in the background by WebView loading JS code to perform the click operation

• When users use the app, the swipe software starts clicking in the background, which looks like the user has interacted with the ad
• If a cheater runs an app that runs in the background (such as launch, memory Cleanup tool, battery optimizer, etc.), it can generate clicks at any time.
• Cheaters can report ad impressions and click events, making a view appear to interact with the user.
• A swipe person can send a click-through to a bogus device ID or through a resend list obtained from another advertiser to let advertisers track it.

What these methods have in common is that users do not know that they have interacted with the ad. In fact, they didn't see anything.

Install cheat

Install cheat is to deceive advertisers to track the installation is not happening on the real device, this form of deception can quickly expand the user base. However, these users are not interested in these installed apps, they are either hostile to the real human, or simply a robot that produces invalid traffic.

(1) Install the farm (app install farms)

App installation farms employ "farmers" to manually install and uninstall apps on mobile devices they provide. The purpose of these operations is not to use these apps, but to simulate real traffic within the app.

(2) Zombie Network

Cheaters use artificial or network transmission to the Trojan Horse/has the ability to redistribute the application to the user's mobile phone, the formation of botnets, through the use of cloud control technology in the background to send a unified command of the botnet, in the absence of user awareness, complete the app download, activation and deletion of a series of operations.

(3) SDK spoofing

SDK spoofing (also known as "replay Attack") is a fraudulent act that appears to have been installed without actually doing any real app installation to defraud advertisers of the rewards.
For SDK spoofing, fraudsters must hijack SSL-encrypted communications from the tracked SDK and its back-end servers for "man-in-the-middle attacks" (MITM attacks). After the MITM attack is complete, fraudsters will generate a series of URLs for the test installation for the app they want to forge. Because the URL request can be read clearly at this point, you know which URL calls in the app represent specific actions, such as opening first, opening repeatedly, or even different intra-application events such as purchases or upgrades. By studying which parts of these URLs are static, which are dynamic, and then preserving static portions (such as event tokens, etc.), test the dynamic parts of the ad ID, and then capture the returned results of real-time requests.
Developers can test whether the data they are constructing is correct by committing the installation event-related request and then matching it to a real installation session. If the installation event is successfully traced, you can prove that the installation logic has been successfully cracked. Therefore, SDK spoofing is just a simple trial-and-error of dozens of variables. Once the installation process is successfully traced, the fraudster can then construct a URL and then successfully install the forgery.

(4) Simulator installation cheat

This type of cheating is usually done through the data center using the simulator. Simulator cheating can be divided into computer simulator, mobile phone software simulation, script simulation.

• Computer simulator cheating refers to one or more machines on a lot of virtual machine running simulator to brush the amount, a little bit of strength of the cheaters can develop their own simulator and a dedicated server hanging in the engine room all over the country, or using a VPN constantly changing IP, for 24 hours uninterrupted brush volume.
• Mobile phone software simulation cheating refers to the installation of the simulator on the phone to cheat, the software can be bought from illegal channels, can also be customized according to their own requirements. After several years of development, mobile phone software simulation Brush Volume One-click installation has become standard. Some simulators can even dynamically modify the unique identity of the model, even small white users can easily forge new users. Part of the brush volume players combined with the PC era of technology, the production of automated scripts, a single PC a day can forge hundreds of thousands of new users. What's more, a depth-customized simulator will forge new pipelined
• Script simulation is the use of some scripts to simulate the user's behavior to cheat, this kind of current accounted for a lot more, the common method is to use ACC, is, IF, IG plug-ins, recording user behavior generated script, and set up a loop task, if you will use the Lua language and understand the business, and then the user behavior of research, It is not very difficult to make a script that simulates real users, and there are already some scripts that are not very different from the real user behavior, and it is difficult to distinguish them technically.

Contract spoofing

This type of cheating is characterized by the placement of advertisements in conditions or circumstances outside the terms of the advertiser's consent. This approach is used to attract lower-priced traffic while deceiving advertisers to get more revenue. This form of fraud attracts real users, but because they are not advertisers ' target customers, the quality or value of these ads is not what advertisers expect.

(1) Environmental deception

This type of spoofing refers to running ads in the wrong environment or in the wrong format. For example, while advertising platforms place ads on a site with a large access record, these people are not the target users the advertisers expect. So this is considered a contractual deception, because the ads are not put in the right environment.

(2) Non-disclosure of traffic incentives

Traffic motivation means that when a user clicks on an ad or installs an app, they get a certain reward, which is more appealing to the user, but does not guarantee that the user will be interested in the ad. If the advertising platform provides traffic incentives, and advertisers are not allowed to provide traffic incentives, then this is a contract cheat.

(3) Shoddy

The price of the traffic is usually different depending on the region (country) in which the user is located. such as video advertising first-tier city audience than the two or three-tier cities tend to sell at a premium. Stocks in the first-tier cities are often scarce. For profit motive, some media will be the advertisers originally targeted first-tier city users into two or three-tier city users, to achieve the purpose of shoddy. Region is a rigid label for users (easy to reach consensus), and similar to high-income groups such a direction, if the shoddy, in the evidence link of the communication costs will be very high.

(4) Non-disclosure of the re-agent

An undisclosed re-agent is an ad platform that violates an agreement to sell ads to third parties. In this case, when the ad is finally displayed, it may not reach the intended target audience, and the Advertiser may not be able to transparently know where the ad is ultimately put. Some advertisers do not want their ads to be transferred, which makes it easier to take control of their brand and information.

(5) Fraud arbitrage

Arbitrage is a necessary component of commercial advertising, bought at a lower price, sold at a higher price, i.e. "low buy high sell". Arbitrage itself is not considered fraudulent. In many cases, advertising networks use arbitrage to effectively improve efficiency and scale, which is also a form of contract cheating.

(6) Inductive advertising

This form of fraud mainly refers to the display of advertising in a misleading context. It will let the user accidentally click, or contain a decoy to induce the user to click, but the results are not what the user wants. Inductive advertising uses inductive information to trick users into interacting with ads, usually outside the contract provisions of the Advertiser and advertising platform.

(7) Domain name spoofing

In the real-time bidding process, fraudsters can use domain spoofing to intentionally replace their domain names with a better domain name to attract high-quality traffic, although advertisers believe their ads appear on a traffic source identified by a domain name. In fact, their ads are secretly displayed in a different domain name of the traffic source.

Resources:

www.tune.com/blog/types-of-advertising-fraud/
Http://www.199it.com/archives/703479.html
"2017 Advertising fraud white paper"