Adjust launches solution to battle new evolution of ‘SDK spoofing’ for app installs
The mobile attribution firm says this undiscussed kind of fraud can impact up to 80 percent of attributed installs in given campaigns.
Graphic from Adjust
Fraudulent reporting of app installs is one of the most common mobile-specific issues that confront marketers.
Ad campaigns promoting a new game app, for instance, are often set up on a pay-for-performance basis, so those responsible for convincing users to install receive payments for each app that is installed within the time window surrounding that campaign. But fake installs mean app publishers behind those campaigns end up paying for fakes.
Now, app measurement Adjust is out with a new solution that combats what it says is a very widespread — but rarely discussed — kind of app install fraud that started spreading last year. In fact, the company says, this kind of fraud can affect up to 80 percent of the reported installs for any given campaign.
It’s called SDK spoofing, or replay attacks. Adjust Fraud Specialist Andreas Naumann told me it’s the latest evolution in app install fraud.
In an earlier iteration of this type of fraud, he said, bad actors would watch the communication from a newly installed app and then emulate it. Here’s how that worked. After a normal app install, the SDK grabs some data from the user’s phone and communicates a URL to a company like Adjust that is verifying installs on behalf of advertisers.This URL contains some static data for that app, as well as dynamic data specific to that phone.
The fraudsters, he says, had figured out how to generate both parts of the communication, even though a valid app install never took place. The fraudster would use a computer to send the fake URLs using one or more techniques that hide the type of transmitting device. If this isn’t detected, the app publisher then pays for all of what appear to be app installs, even though some of them are fake.
‘Makes everybody look stupid’
Adjust and others have been working to detect and head off that kind of fraud, but now the fraudsters are taking things to the next level. According to Naumann, they have started to generate similar kinds of fake URL communications — except that now they’re coming from real apps, on real devices, both iOS and Android. Computers generate the fake communications and then use the real apps as proxies for transmission. It’s often one communication per app per phone, he said, which translates into lots of fake install communications because so many apps are being employed.
Naumann said the phone owners apparently don’t realize what’s happening, adding that it’s not entirely clear how the fraudsters get access to these apps. They may be disseminating them as malware, or malware in other apps may be hijacking legitimate apps on phones.
It’s “anyone’s guess” where the apps are coming from, he said.
Last year, Adjust piloted a free solution to this recent form of app install fraud. It’s now formally releasing it, and the company is making a point of talking about this kind of fraud.
In Adjust’s solution, an algorithm in the Adjust SDK on the app generates a unique hash — a sequence of numbers that cannot be reverse-decoded to find out how it was created.
Each app install generates a completely unique hash signature that is reliant on what Naumann calls a “shared secret” that is placed by advertisers in the SDK. While the SDK is open-source and the algorithm is available, he said, fraudsters can’t generate the unique hash signal without access to this “shared secret.” The hash signature can’t be guessed or stolen, and it is used only once.
Nauman said that “nobody is talking about this [newest SDK spoofing], because it makes everybody look stupid, ” adding that attribution competitors Kochava and AppsFlyer are among those who have also released solutions for this kind of fraud. Unless the industry takes appropriate countermeasures, Berlin-based Adjust says, this kind of fraud will spread.