Spoofing is for real

David Murphy

Andreas Naumann, fraud specialist at Adjust, considers the threat posed by SDK spoofing.

Even in 2018, fraudsters continue to develop new ways to steal data and revenue from advertisers. SDK spoofing is the latest form of mobile ad fraud, plundering advertisers’ budgets by generating legitimate-looking fake installs.

SDK spoofing (aka replay attacks) is a form of ad fraud that has been spreading rapidly. Fraudsters use the device information of unsuspecting users to fake app installs. The connection is real; the device data is real; the device is real - which makes it incredibly difficult to detect SDK spoofing. Once the scheme is complete, advertisers are out of pocket and the end user is unaware that they’ve been a party to a scam. It’s bad enough that there’s no interaction between the user and the intended ad, but the bigger problem is that there is no actual install.

The damage is difficult to assess: according to initial investigations, it is distributed on any given campaign across all markets, with up to 80 per cent of all installations attributable to SDK spoofing fraud. This means that advertisers could be losing 80 per cent of their ad budget on a single campaign. As always, advertisers with the largest budgets and highest payouts per install see the most fraud.

How it all started
Until now, the visibility and understanding of a URL structure in the early stages have been very low, making it easier to detect and block spoofing attempts. Fraud attempts came from data centres or VPNs (Virtual Private Networks), and the data was often nonsense, or the URL parameters were filled with data that did not meet its intended purpose. Over time, the fraudsters discovered why their fake installs were blocked and adapted their methods accordingly.

Since mid-2017, fraudsters have been collecting real device data. They do this by using their own apps. The intent of their data collection is malicious, but that does not mean that the app has no added value for the user. On the contrary, the more useful the app is, the greater the number of users and thus the available amount of data to be garnered.

A source that generates real device data makes life much easier for fraudsters. They no longer have to randomize or curate data because they now have access to real device data. Since fraudsters can break open the SSL and read the URLs for all server-side connections in plain text format, they can understand which URL calls represent certain actions within the app, e.g. opened first, repeatedly opened, and even various in-app events such as purchases and more.

With callbacks and near-real-time communications that demonstrate the success of installations and events, the imposters can now test their setup by simply creating a click and an appropriate install session. It’s just continuous trial and error. Once an installation is successfully tracked, the scammers have found a URL logic that allows them to simulate installations from scratch.

To make matters more difficult, this huge leap in the evolution of fraud goes hand-in-hand with a second and equally effective step in the sophistication of SDK spoofing: URLs are no longer retrieved from data centres or through VPNs. Instead, they are routed directly through the app, which the fraudster has access to on the device of an unsuspecting user. Instead of sending this URL directly to Adjust’s server (or through an anonymizing network), the fraudsters now send it to their app or the app they have access to on a user's device and the app then executes the URL on the user's device.

How the problem can be solved
In order to prevent replay attacks (SDK spoofing), we had to test many different methods before we finally found a solution. A signature hash that cannot be guessed or stolen, and used only once, adds a new dynamic parameter to the URL. The additional common parameter must be generated for each app to be backed up. To do this, marketers have to get in touch with their attribution company in order to develop a solution together.

The chance that you yourself are affected by SDK spoofing fraud increases with the number of marketers who protect themselves from the new type of fraud. Because one thing is certain, when opportunity costs increase, SDK spoofing will continue to spread and target smaller budgets too. It's only a matter of time before we see high rates of SDK spoofing installs across the
whole market.