Mobile now accounts for the majority of internet traffic. In fact, with 6.39 billion smartphone users in the world, more people consume internet-based media than TV.

This makes mobile internet advertising an increasingly important platform for digital marketers. And it also means that cybercriminals are focusing their efforts on finding ways to scam and make money from mobile.

The primary way to skim money from digital ads is by using mobile ad fraud. This normally involves some kind of SDK infiltration using malware. Before we go further, let’s break down what this means.

What is SDK Spoofing?

SDK spoofing is when a software development kit (SDK), which is a software bundle used for creating programs, contains a slice of malware code. An SDK can be used to create an app, a desktop program, or a plug-in – although the kit itself will normally be for a specific use such as apps.

The malware element of these SDKs is often hidden, usually in the form of a ‘back door’. This means that additional elements can be added later, or ‘side-loaded’, which basically means that once the software or app has been installed on a device, the malware portion is delivered via an update.

As SDKs are the most popular way to build apps, developers are usually unaware of any malware.

There are many SDKs available, and a developer could churn out multiple apps a week for clients. If they’re using an SDK which contains a malware element, this could mean that hundreds or even thousands of malware apps are published unwittingly by developers. 

The SDK spoofing is often done without the knowledge of the app developer, or owner. But with some SDKs being open source, they can often be infiltrated and have malicious code inserted later.

With malware code now in place, the SDK can act as a bot, performing activity such as viewing ads, or performing click injection or clickjacking attacks to claim credit for installs. 

How mobile ad fraud works

Mobile ad fraud and SDK spoofing go hand in hand, and are some of the easiest ways to commit click fraud online. 

With mobile advertising now making up more than 70% of all online marketing, there is plenty of room for fraudsters to get creative.

Ad fraud is the process of generating fake views or impressions on an ad to collect a payout. This is normally done by spoofing a website, meaning creating a faked website, and then hosting ads on the page. Bots are then used to generate impressions and make advertisers money.

With mobile ad fraud and SDK spoofing, the malware elements of these fraudulent apps can simply view ads on a hidden web page or within the app. 

Examples of SDK Spoofing & Mobile Ad Fraud

One of the most infamous examples of SDK spoofing is DrainerBot. This malware baked into an SDK was used to generate views on video ads without the knowledge of the device users. By running videos in the background, DrainerBot used masses of data and battery, sometimes sucking up 10 GB of data in a few weeks.

The DrainerBot SDK was distributed via a company based in the Netherlands, although they denied all knowledge of the malware. However, it’s thought that apps containing DrainerBot were downloaded more than 10 million times by unwitting users.

Another well-known SDK infiltration and ad fraud example is SourMint. Using an SDK called Mintegral, SourMint is thought to have been one of the biggest SDK spoofing operations to have occurred on iOS devices.

With three and a half thousand apps built using Mintegral, it’s thought that SourMint apps had been downloaded billions of times over a number of years. 

SourMint used click injection to claim fake installs and also generate fake impressions on display and video ads.

Click injection and fake installs

SDK spoofing is often used to refer to the act of click injection, or clickjacking. This is where the malware element will use genuine user engagement (a screen touch) to click on multiple elements hidden on the screen.

These hijacked clicks can then claim credit for app installations, ad clicks and even sales. 

Even if a user does genuinely install an app later, the malware can claim credit for organic installs. So the SDK spoofing results in unearned payouts to a fraudulent party, with the legitimate publisher losing revenue and, potentially, suffering reputational damage too.

It’s also worth noting that these fake installs can be attributed via SDK spoofing from apps, extensions or even some websites. 

The impact of SDK Spoofing and mobile ad fraud

The obvious impact of this form of ad fraud is financial. Advertisers are paying out for fake clicks or installs, and device users are paying in data and battery use. 

Research by the University of Baltimore together with Cheq found that ad fraud cost marketers over $35 billion in 2020. The majority of this is thought to occur via mobile devices. 

Beyond the financial impact, SDK spoofing also skews analytics and ad performance. If you’re paying to advertise on a mobile app ecosystem, and it looks like you’re getting lots of clicks and conversions, you might think that your ad budget is well spent. 

If, however, a large percentage of these clicks and impressions are faked, would you continue to pay the same or more to these platforms?

The problem of ad fraud is further exacerbated by advertisers using retargeting campaigns. These fraudulent click sources are then targeted with remarketing ads, meaning advertisers are paying out multiple times for bad clicks.

How to spot (and block) mobile ad fraud clicks

With all click fraud and ad fraud, there are giveaways that traffic is not coming from genuine human users. SDK spoofing often magnifies the effects of clicks from genuine users, or generates views without the user's knowledge.

The most common way to spot fraudulent traffic is the high volume of clicks, or traffic surges. This, coupled with high bounce rates, tends to indicate that some kind of bot fraud or fake traffic is occurring.

When it comes to mobile ad fraud, especially fake installs, another giveaway is the time to install. Most organic app or software installs occur within one hour of the first click, ideally within ten minutes.

In fact, fewer than 25% of installs happen an hour after the first click. If your time to install is looking particularly high, this should be a major red flag.

Spotting IP address duplicates, or suspect activity from certain IP addresses, is also key to spotting fraudulent traffic. Although it's possible to spot and block traffic manually, it can be extremely long-winded and time-consuming. So, increasingly, companies are turning to automated software solutions for dynamic fraud prevention.
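
The time-to-install and duplicate-IP checks described above can be run over an attribution export, as in this added example (not code from the article or any vendor). The source names, the row layout and the three-installs-per-IP cut-off are assumptions, the sample rows are constructed, and the 25% figure is read as the share of installs arriving more than an hour after the click.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LATE_AFTER = timedelta(hours=1)  # the article's one-hour mark for organic installs
MAX_LATE_SHARE = 0.25            # the article's figure for installs after an hour
MAX_PER_IP = 3                   # assumed cut-off for "duplicate" IPs

# Constructed sample rows: (source, ip, click_time, install_time)
SAMPLE = [
    ("network_a", "192.0.2.10", "2024-03-01T10:00", "2024-03-01T10:03"),
    ("network_a", "192.0.2.11", "2024-03-01T10:05", "2024-03-01T10:13"),
    ("network_a", "192.0.2.12", "2024-03-01T11:00", "2024-03-01T11:20"),
    ("network_a", "192.0.2.13", "2024-03-01T12:00", "2024-03-01T13:30"),
    ("network_b", "198.51.100.1", "2024-03-01T09:00", "2024-03-01T11:00"),
    ("network_b", "198.51.100.2", "2024-03-01T09:10", "2024-03-01T14:10"),
    ("network_b", "198.51.100.3", "2024-03-01T09:20", "2024-03-01T09:30"),
    ("network_b", "198.51.100.4", "2024-03-01T09:30", "2024-03-02T11:30"),
    ("network_c", "203.0.113.7", "2024-03-01T08:00", "2024-03-01T08:05"),
    ("network_c", "203.0.113.7", "2024-03-01T08:01", "2024-03-01T08:06"),
    ("network_c", "203.0.113.7", "2024-03-01T08:02", "2024-03-01T08:07"),
    ("network_c", "203.0.113.9", "2024-03-01T08:30", "2024-03-01T08:35"),
]

def review_sources(rows):
    """Return {source: [reasons]} for sources whose installs look non-organic."""
    delays, ips = defaultdict(list), defaultdict(Counter)
    for source, ip, click, install in rows:
        delay = datetime.fromisoformat(install) - datetime.fromisoformat(click)
        if delay < timedelta(0):
            continue  # install logged before its click: malformed row, skip it
        delays[source].append(delay)
        ips[source][ip] += 1
    flagged = {}
    for source, ds in delays.items():
        reasons = []
        late_share = sum(d > LATE_AFTER for d in ds) / len(ds)
        if late_share > MAX_LATE_SHARE:
            reasons.append(f"{late_share:.0%} of installs over an hour after click")
        repeats = sorted(ip for ip, n in ips[source].items() if n >= MAX_PER_IP)
        if repeats:
            reasons.append("repeated IPs: " + ", ".join(repeats))
        if reasons:
            flagged[source] = reasons
    return flagged

if __name__ == "__main__":
    for source, reasons in review_sources(SAMPLE).items():
        print(source, "->", "; ".join(reasons))
```

A source sitting exactly at 25% late installs, like network_a in the sample, is not flagged; only a share above that level is.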

The best fraud prevention solutions

ClickCease and Cheq both offer functionality to prevent mobile ad fraud and reduce the impact of SDK spoofing. With the analytics offered by ClickCease, advertisers can get an insight into how well their ads are really performing, and understand where fraudulent traffic is coming from.

Using ClickCease gives marketers extra control over their ad placements. With the best real-time protection in the industry and a growing blacklist of known fraud sources, ClickCease protects more than twice as many ad campaigns as all the other click fraud prevention products combined.

Protecting against click fraud and ad fraud has become a necessity for any business marketer. Sign up for a free click fraud audit with ClickCease and block those bots and fake clicks.

Find out more about click fraud and ad fraud in our complete guide.