{"componentChunkName":"component---src-components-fraud-technique-js","path":"/protect-monitor/performance-fraud/mobile-incentivized-traffic","result":{"pageContext":{"category":{"id":"install-fraud","label":"Install","device":"mobile","pageTitle":"What is app install fraud? - Impact","summary":"Bad actors game advertisers’ CPI campaigns by collecting revenue for driving suspicious app installs where installers have zero intention of actually using the app.","fraudTechniques":[{"id":"mobile-device-id-reset-marathons","label":"Device ID reset marathons","pageTitle":"What is device ID reset marathons - install fraud - Impact","summary":"Install farms or automated device emulators can exercise device ID reset marathons to replicate their exploitation ad nauseam, making the same activities only appear as if they are happening across many different devices.","steps":["Malicious publisher has registered for advertiser’s affiliate program","Install farm worker clicks through from publisher site to app store","Install farm worker downloads advertiser’s app","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the install, and pays them a percentage of revenue","Install farm worker deletes advertiser’s app","Install farm worker resets the phone in order to obtain a new device ID","Participant in the install farm then repeats the process over and over to capture more CPI revenue"]},{"id":"mobile-inauthentic-engagement","label":"Inauthentic engagement","pageTitle":"What is inauthentic engagement - install fraud - Impact","summary":"By way of paid human engagement farms or scripted retention, fraud scheme operators will enact or automate post-install engagement if that is the advertiser’s payable event. 
For example, the bad actor may navigate past a certain level in a game to simulate authentic user engagement.","steps":["Malicious publisher has registered for advertiser’s CPI campaign, which only rewards a partner for driving an install after user has leveled up in the app","Malicious publisher sends proxied, automated traffic to a botnet of mobile devices","Malicious publisher installs advertiser’s app on all botnet member devices","Malicious publisher instructs botnet member devices to not just install advertiser’s app, but also to open the app and engage with the game up to the point of the first level-up","Advertiser attributes credit to malicious publisher for every install that reached level one, even though all installs came from bots programmed to play the app"]},{"id":"mobile-incentivized-traffic","label":"Incentivized traffic","pageTitle":"What is incentivized traffic (un/mislabeled) - install fraud - Impact","summary":"Certain affiliates have been incentivizing installs by sharing their commissions with end users via benefits like rebates, social gaming credits, or donations to causes. 
When this incentivized traffic is unlabeled or mislabeled as non-incentivized traffic, it fraudulently collects a higher CPI payout than it’s actually worth, as users coming from an incentivized download generally provide less long-term value to an advertiser.","steps":["Malicious publisher has registered for advertiser’s CPI campaign","User navigates to malicious publisher’s site","User is incentivized by malicious publisher site to download advertiser’s app, based on the promise of five extra lives in the app’s game","Malicious publisher does not label traffic as incentivized","User installs advertiser’s app","Advertiser attributes credit to and pays malicious publisher as if the install was not incentivized, meaning malicious publisher received payment for more value than it actually delivered"]},{"id":"mobile-proxy-tunneling","label":"Proxy tunneling","pageTitle":"What is proxy tunneling - install fraud - Impact","summary":"A malicious app, installed across a large share of mobile devices, can install malware that effectively converts that network of phones into a mobile botnet. 
This mobile botnet is remotely controlled by a botnet operator, which can leverage the hijacked IP of the device to mask the location of the operator while committing install fraud on a large scale.","steps":["Malicious publisher has registered for advertiser’s large CPI program","User downloads malicious publisher’s app","App installs malware that makes user’s device a member device of an operator’s botnet","Botnet operator reverse engineers the postback codes sent by advertiser’s app from its tracking software development kit (SDK) to the SDK’s servers","Botnet operator tunnels through proxy to instruct user’s infected device to send out a fake, manipulated postback signal to the same SDK servers to indicate that an install has taken place (even though it has not and user is none the wiser)","Advertiser attributes credit to malicious publisher, even though they provided no value and did not actually drive an install, and pays them a percentage of revenue"]},{"id":"mobile-install-farms","label":"Install farms","pageTitle":"What are app install farms - install fraud - Impact","summary":"Install farms employ hundreds of low-cost workers with real phones to install the apps of advertisers that reward partners on a CPI basis. 
In other cases, a fraud operator may set up a script within a mobile device emulator that automates the process of generating fake installs and in-app activity.","steps":["Malicious publisher has registered for advertiser’s affiliate program","Install farm worker uses one or multiple devices at once to navigate to malicious publisher’s site","Install farm worker clicks through from malicious publisher site to app store","Install farm worker downloads advertiser’s app","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the useless install, and pays them a percentage of revenue"]}]},"technique":{"id":"mobile-incentivized-traffic","label":"Incentivized traffic","pageTitle":"What is incentivized traffic (un/mislabeled) - install fraud - Impact","summary":"Certain affiliates have been incentivizing installs by sharing their commissions with end users via benefits like rebates, social gaming credits, or donations to causes. When this incentivized traffic is unlabeled or mislabeled as non-incentivized traffic, it fraudulently collects a higher CPI payout than it’s actually worth, as users coming from an incentivized download generally provide less long-term value to an advertiser.","steps":["Malicious publisher has registered for advertiser’s CPI campaign","User navigates to malicious publisher’s site","User is incentivized by malicious publisher site to download advertiser’s app, based on the promise of five extra lives in the app’s game","Malicious publisher does not label traffic as incentivized","User installs advertiser’s app","Advertiser attributes credit to and pays malicious publisher as if the install was not incentivized, meaning malicious publisher received payment for more value than it actually delivered"]},"techniques":[{"id":"mobile-click-flooding","label":"Click flooding","pageTitle":"What is click flooding - install attribution fraud - Impact","summary":"An especially pernicious publisher may use their app 
to hijack a user’s phone and generate hundreds of ads in the phone’s background, also triggering automatic click events for each of those ads. These click events are intended to game advertiser’s CPI attribution models and occasionally may redirect the user to an app store.","steps":["Malicious publisher has registered for advertiser’s affiliate program","User downloads malicious publisher’s app","App hijacks user’s device, loading hundreds of ads in the phone’s background and triggering automated click events for each ad","Click event may redirect user to the app store","At some later time, user organically downloads advertiser’s app","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the install, and pays them a percentage of revenue"]},{"id":"mobile-click-injection","label":"Click injection","pageTitle":"What is click injection - install attribution fraud - Impact","summary":"Click injection is a technique for winning last click attribution in CPI campaigns. It’s enabled on Android phones when a bad actor includes app code that uses the Android feature “Install Broadcast” to continuously monitor a user’s device for new installs. 
Based on this information, the publisher can send fake clicks just before payable post-install events occur.","steps":["Malicious publisher has registered for advertiser’s affiliate program that pays for installs once user has opened advertiser’s app","User downloads malicious publisher’s app","App features code that allows it to monitor user’s Android for all new installs","Malicious publisher’s app detects that user has just downloaded advertiser’s app","Malicious publisher injects fake click event","User opens advertiser’s app","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the install, and pays them a percentage of revenue"]},{"id":"mobile-click-spoofing","label":"Click spoofing","pageTitle":"What is click spoofing - install attribution fraud - Impact","summary":"When advertisers rely on their publishers to self-report mobile click events server-side, they may be paying a fraudulent partner for reported clicks that never actually occurred. Unchecked, a malicious publisher may trigger a mobile click-tracking event in the absence of a legitimate click and claim attribution for organic installs or installs driven by other legitimate partners.","steps":["Malicious publisher registers for an advertiser’s affiliate program","User navigates to malicious publisher’s mobile website","User does not engage with an ad on the site","Malicious publisher fires click-tracking event anyway, mimicking or “spoofing” user’s engagement","After some time, user navigates to the app store organically or via a valid partner’s promotional effort","User downloads advertiser’s app","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the install"]},{"id":"mobile-malvertising","label":"Malvertising","pageTitle":"What is malvertising - install attribution fraud - Impact","summary":"Malvertising can also be used to corrupt install attribution models. 
This technique occurs when bad actors purchase impressions to distribute ads they’ve injected with malicious code to trigger clicks to app stores. As these malicious ads send users to app stores without their consent, the often-innocent publishers that host malvertising collaterally suffer for providing poor user experience.","steps":["Malicious publisher has registered for advertiser’s affiliate program","User navigates to a mobile website","Website renders an ad with compromised HTML5 creative embedded with publisher’s affiliate link and malicious code to trigger a click event","Illicit click sends user to the Google Play store","In the future, user downloads advertiser’s app from the Google Play store of their own volition","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the install, and pays them a percentage of revenue"]},{"id":"mobile-device-id-reset-marathons","label":"Device ID reset marathons","pageTitle":"What is device ID reset marathons - install fraud - Impact","summary":"Install farms or automated device emulators can exercise device ID reset marathons to replicate their exploitation ad nauseam, making the same activities only appear as if they are happening across many different devices.","steps":["Malicious publisher has registered for advertiser’s affiliate program","Install farm worker clicks through from publisher site to app store","Install farm worker downloads advertiser’s app","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the install, and pays them a percentage of revenue","Install farm worker deletes advertiser’s app","Install farm worker resets the phone in order to obtain a new device ID","Participant in the install farm then repeats the process over and over to capture more CPI revenue"]},{"id":"mobile-inauthentic-engagement","label":"Inauthentic engagement","pageTitle":"What is inauthentic engagement - install fraud - 
Impact","summary":"By way of paid human engagement farms or scripted retention, fraud scheme operators will enact or automate post-install engagement if that is the advertiser’s payable event. For example, the bad actor may navigate past a certain level in a game to simulate authentic user engagement.","steps":["Malicious publisher has registered for advertiser’s CPI campaign, which only rewards a partner for driving an install after user has leveled up in the app","Malicious publisher sends proxied, automated traffic to a botnet of mobile devices","Malicious publisher installs advertiser’s app on all botnet member devices","Malicious publisher instructs botnet member devices to not just install advertiser’s app, but also to open the app and engage with the game up to the point of the first level-up","Advertiser attributes credit to malicious publisher for every install that reached level one, even though all installs came from bots programmed to play the app"]},{"id":"mobile-incentivized-traffic","label":"Incentivized traffic","pageTitle":"What is incentivized traffic (un/mislabeled) - install fraud - Impact","summary":"Certain affiliates have been incentivizing installs by sharing their commissions with end users via benefits like rebates, social gaming credits, or donations to causes. 
When this incentivized traffic is unlabeled or mislabeled as non-incentivized traffic, it fraudulently collects a higher CPI payout than it’s actually worth, as users coming from an incentivized download generally provide less long-term value to an advertiser.","steps":["Malicious publisher has registered for advertiser’s CPI campaign","User navigates to malicious publisher’s site","User is incentivized by malicious publisher site to download advertiser’s app, based on the promise of five extra lives in the app’s game","Malicious publisher does not label traffic as incentivized","User installs advertiser’s app","Advertiser attributes credit to and pays malicious publisher as if the install was not incentivized, meaning malicious publisher received payment for more value than it actually delivered"]},{"id":"mobile-proxy-tunneling","label":"Proxy tunneling","pageTitle":"What is proxy tunneling - install fraud - Impact","summary":"A malicious app, installed across a large share of mobile devices, can install malware that effectively converts that network of phones into a mobile botnet. 
This mobile botnet is remotely controlled by a botnet operator, which can leverage the hijacked IP of the device to mask the location of the operator while committing install fraud on a large scale.","steps":["Malicious publisher has registered for advertiser’s large CPI program","User downloads malicious publisher’s app","App installs malware that makes user’s device a member device of an operator’s botnet","Botnet operator reverse engineers the postback codes sent by advertiser’s app from its tracking software development kit (SDK) to the SDK’s servers","Botnet operator tunnels through proxy to instruct user’s infected device to send out a fake, manipulated postback signal to the same SDK servers to indicate that an install has taken place (even though it has not and user is none the wiser)","Advertiser attributes credit to malicious publisher, even though they provided no value and did not actually drive an install, and pays them a percentage of revenue"]},{"id":"mobile-install-farms","label":"Install farms","pageTitle":"What are app install farms - install fraud - Impact","summary":"Install farms employ hundreds of low-cost workers with real phones to install the apps of advertisers that reward partners on a CPI basis. 
In other cases, a fraud operator may set up a script within a mobile device emulator that automates the process of generating fake installs and in-app activity.","steps":["Malicious publisher has registered for advertiser’s affiliate program","Install farm worker uses one or multiple devices at once to navigate to malicious publisher’s site","Install farm worker clicks through from malicious publisher site to app store","Install farm worker downloads advertiser’s app","Advertiser attributes credit to malicious publisher, even though they provided no value in driving the useless install, and pays them a percentage of revenue"]}],"previousTechnique":{"id":"mobile-inauthentic-engagement","label":"Inauthentic engagement","pageTitle":"What is inauthentic engagement - install fraud - Impact","summary":"By way of paid human engagement farms or scripted retention, fraud scheme operators will enact or automate post-install engagement if that is the advertiser’s payable event. For example, the bad actor may navigate past a certain level in a game to simulate authentic user engagement.","steps":["Malicious publisher has registered for advertiser’s CPI campaign, which only rewards a partner for driving an install after user has leveled up in the app","Malicious publisher sends proxied, automated traffic to a botnet of mobile devices","Malicious publisher installs advertiser’s app on all botnet member devices","Malicious publisher instructs botnet member devices to not just install advertiser’s app, but also to open the app and engage with the game up to the point of the first level-up","Advertiser attributes credit to malicious publisher for every install that reached level one, even though all installs came from bots programmed to play the app"]},"nextTechnique":{"id":"mobile-proxy-tunneling","label":"Proxy tunneling","pageTitle":"What is proxy tunneling - install fraud - Impact","summary":"A malicious app, installed across a large share of mobile devices, can install malware 
that effectively converts that network of phones into a mobile botnet. This mobile botnet is remotely controlled by a botnet operator, which can leverage the hijacked IP of the device to mask the location of the operator while committing install fraud on a large scale.","steps":["Malicious publisher has registered for advertiser’s large CPI program","User downloads malicious publisher’s app","App installs malware that makes user’s device a member device of an operator’s botnet","Botnet operator reverse engineers the postback codes sent by advertiser’s app from its tracking software development kit (SDK) to the SDK’s servers","Botnet operator tunnels through proxy to instruct user’s infected device to send out a fake, manipulated postback signal to the same SDK servers to indicate that an install has taken place (even though it has not and user is none the wiser)","Advertiser attributes credit to malicious publisher, even though they provided no value and did not actually drive an install, and pays them a percentage of revenue"]}}}}