So-called SDK Spoofing Fraud accesses users’ devices and fakes app installations
SAN FRANCISCO / BERLIN – Fraud experts at Adjust, the world’s leading app measurement company, have launched a solution to eradicate a completely new form of ad fraud, which has been spreading rapidly throughout 2017 and gaining momentum in 2018.
In so-called SDK spoofing, or replay attacks, fraudsters attack without the knowledge of users on their personal devices and use the information to fake app installations. This fact makes SDK spoofing more difficult to identify because the devices used actually exist and are credible as install sources. The fraud attack goes undetected by the end user, and can affect anyone’s device at any time. The bottom line is that there is no app installation on these credible devices – the advertisers are out of pocket and the end user is unaware that they’ve been a party to a scam.
“The connection is real, the device data is real, the device is real. It is bad enough that there is no interaction between the user and the promotion for the advertised app. But, the bigger problem is that there is not even an actual installation,” commented Andreas Naumann, Fraud Specialist at Adjust, on the discovery of the SDK spoofing fraud.
To prevent SDK spoofing, Adjust has developed a signature hash, which is now available to all customers regardless of the use of Adjust’s Fraud Prevention Suite, with the release of SDK version 4.12.
SDK spoofing is a huge leap in the evolution of fraud.
According to initial investigations, it is globally distributed across all markets, with up to 80 percent of all installations attributable to SDK spoofing fraud, meaning that advertisers could be losing 80 percent of their ad budget on a single campaign. Advertisers with the largest budgets and the highest payout per install see the most fraud, however, this fraud affects potentially everyone. According to Adjust, SDK spoofing has not yet reached its limit and will grow rapidly without appropriate industry-wide countermeasures.
Since 2017, the trend can be seen that fraudsters have been increasingly collecting real device data. They do this by developing their own apps that offer real value and are used by a high volume of users or by exploiting the apps they have access to through a service offered by way of a monetization SDK installation. With the help of the device data, fraudsters can now simulate installations and trigger these events on the device of the unsuspecting user. The marketing budget of the app developers thus flows into apparent Installs of real devices that do not actually happen.
Adjust Develops Solution Against SDK Spoofing
Adjust has developed a signature hash that adds a new dynamic parameter to the measurement URL that can’t be guessed or stolen, and is used only once. Marketers have the option to renew the signature for different versions of their app. This will allow them to decline the use of the signature versions over time and ensure that the attribution is based on the highest security standards for the latest releases and that the older releases can be completely removed from being attributed.
This solution became available with the release of SDK version 4.12 (https://www.adjust.com/support/product-updates/released–new-sdk-for-ios-windows-and-android/) and is now available to all customers regardless of the use of Adjust’s Fraud Prevention Suite.
Adjust is mobile measurement company, that provides high-quality analytics and measurement solutions for mobile app marketers worldwide. With Adjust’s open source SDK, app marketers can measure and analyze user behavior, user acquisition, marketing ROI, user lifetime cohorts and much more. Adjust’s platform proactively keeps datasets clean through the Fraud Prevention Suite, verifies in-app purchases in real-time, and provides streamlined reporting for understandable, actionable, and comparable metrics. Adjust is a Facebook Marketing Partner, as well as a Twitter Marketing Platform Partner. Dynamic Adjust Integrations is used by over 1000 networks and analytics providers worldwide. Founded in Berlin in 2012, today Adjust has global offices in San Francisco, New York, Sao Paulo, London, Paris, Istanbul, Tokyo, Shanghai, Singapore, Jakarta, and Moscow.
Adjust is trusted by clients across Asia, the EU and the Americas, including leading app developers like Zalando, Rovio and Zynga, major software companies like Salesforce, Microsoft and Yelp, and global brands like Universal Music and Warner Bros.
Adjust is the only mobile analytics company to meet stringent EU privacy compliance standards. Adjust is funded by Target Partners, Capnamic Ventures, Iris Capital, Active Venture Partners, and Highland Capital.