The document presents an analysis of mobile ad fraud, focusing on the rising trends and types of fraud affecting app marketers, particularly within the gaming sector. It outlines the implications of fraud on acquisition budgets and overall business performance, highlighting specific mechanisms like install hijacking and bot-driven activities. The increasing financial exposure to fraud, estimated at $700-$800 million, necessitates attention to both non-organic retention rates and the fraudulent behaviors that exploit vulnerability in app marketing.

1. Mobile Ad Fraud Deep
Dive With AppsFlyer
Hands On Insights
Alexander Grach | alex@appsflyer.com | June 25th, 2018 | Warsaw

2. Average Number of Ad Networks Used
By Gaming App Marketers Globally
Installs Per App Networks Used
1M+ 15.2
500K-1M 9.8
100K-500K 5.1
10K-100K 2.8

3. Non-Organic Up, Organic Down

4. Non-Organic Retention Uplift Opportunity
Source: Top 5 AppsFlyer Industry Data Trends from 2017, and What They Mean for 2018

5. Short vs. Long Term Retention By Platform
Initially, both Android and iOS are neck and neck but
after three months iOS opens a significant gap
Android
+2%
1st month
iOS Android
+49%
iOS
After 3 months

6. Non-Organic App Retention Rates
Gaming (US, H2 2017)

7. Non-Organic App Retention Rates
Gaming (China, H2 2017)

8. Non-Organic App Retention Rates
Gaming (Vietnam, H2 2017)

9. Non-Organic App Retention Rates
Gaming (Brazil, H2 2017)

10. Non-Organic App Retention Rates
Gaming (Russia, H2 2017)

11. Non-Organic App Retention Rates
Gaming (H2 2017)

12. The Bleeding Cash Cycle

13. 30% Increase in Financial Exposure
Estimated Fraud Exposure
Mobile App Marketing
(Q1 2018)
$700-$800
MILLION

14. Fraud Rising
App Install Fraud Rate Trend

15. Fraud Comes in Waves
App Install Fraud Distribution By Type

16. Two overall types of fraud
- Hijacking Real Users
Real installs, fake attribution
- Generating Fake Installs
E.g. Bots

17. Hijacking real users
Effected by two types of fraud:
Activity Based Fraud (based on a real event)
- Install Hijacking
- Click hijacking
- CTIT
- Referer Hijacking
Spray and Pray Fraud (Random)
- Click flood

18. Hijacking real users
Fraudster Characteristics:
1. Simple mechanism
2. Needs an actual installation of the user
3. Low volume fraud ( need an actual user)
How does it affect your business?
1. Waste of acquisition budget - paying for NOI instead of organic Installs.
2. Wrong budget allocation
3. Effects only the acquisition budget as the customers are good customers

19. 1. Normal
Activity
2. Multiple Malware Detect
Activity, Sending False Click
Reports
3. First Launch
5 seconds 10 seconds 15 seconds 20 seconds 25 seconds 30 seconds
2 clicks in 5 seconds
1 click in 30 secondsNormal Click Distribution
Click to Click Time
Install Hijacking

20. 1. Normal
Activity
2. Multiple Malware Detect
Activity, Sending False Click
Reports
3. First Launch
5 seconds 10 seconds 15 seconds 20 seconds 25 seconds 30 seconds
10 clicks in 15 seconds
1 click in 30 secondsNormal Click Distribution
Click Cluster
Click Cluster
Install Hijacking

21. Referrer Injection
Install Hijacking
Referrer Data

22. Hijacking Effect on Organic

23. Hijacking Effect on Organic

24. Generating Fake Installs
Using the following mechanics:
1. Bots
2. SDK Manipulation
3. Device ID Resetting ( Device Farms)

25. Generating Fake Installs
Fraudster Characteristics:
1. Sophisticated Mechanism
2. Needs to create the full journey click+install
3. High volume fraud-> no need for an actual user. There is no limit for this fraud
4. Need to invest money to generate the fraud. Buying IPs, AdvertiserIDs etc.
How does it affect your business?
1. Waste of acquisition budget
2. Effects the entire business KPI.
3. Effects retention, survivability, conversion and funnel reports.
4. Effects the measurement of your core business.

26. Bots:
Non-Human Behavioral Anomalies

27. IP Mismatches
Click to Install

28. IP Anomalies
Carrier Data

29. Looks like legit traffic

30. CTIT Anomalies
Bot Traffic

31. Server Traffic
Finding Bots

32. Device Anomalies
Finding Bots
Metadata Indicators
- Model
- Brand
- Carrier
- Language
- OS
And more...
Brand/Model
Oddities Normal Abnormal
Language Distribution

33. iOS Device Anomalies
Finding Bots
Normal Abnormal

34. Device Anomalies
Finding Bots
Normal Abnormal

35. User Agent Anomalies
Finding Bots
Normal Abnormal

36. Referrer Anomalies
Fraud Site IDNormal Abnormal

37. Cross-App User Behavior
Finding A Bot

38. Cross-App User Behavior
Finding A Bot

39. Programmatic Behavior
Finding Bots

40. SDK - Reverse Engineering Protection

41. Advertiser Device ID Reset
How They Hide
● Regularly refresh IP Addresses
● Limit Ad Tracking to hide devices
● Reset DeviceIDs to hide devices

42. Thanks!
alex@appsflyer.com