Fake security features in mobile attribution SDKs

I often hear about security questions our customers are asking regarding our mobile attribution SDK security. It usually comes up when companies are evaluating a new attribution provider, and either submit an RFP/RFI document or run their own checklists. What’s interesting is that nine times out of 10, the SDK security questions center around two topics:

  1. Do you have an open/closed source SDK?
  2. Do you have an SDK encryption mechanism?

These questions are natural—stakeholders want to make responsible decisions for their business. This is especially true in today’s world where the MMP is the source of truth, one that fraudsters are constantly trying to manipulate.

The problem is: these mechanisms, and some others, are over-hyped by other MMPs and not real security measures. They’re the absolute basics, like remembering to lock the door when you leave the office. 

But they don’t offer any real protection. Instead, they provide a false sense of security.

In this article, I’ll explain a bit more about why SDK security is such a difficult problem, why the aforementioned mechanisms aren’t real security, and what Singular’s doing to continue to provide strong protection against fraud.

What’s so hard about securing the SDK?

SDKs are pieces of code that run inside a mobile app. Their main function is to collect and report data like app opens, user events, revenue, and metrics to a server (e.g., Singular’s servers). They also support some functionality like deep linking, fraud prevention, etc.

Since apps communicate with their servers over the internet, there’s an inherent challenge of verifying this communication is indeed originating from a real device and a real user.

As such, two of the most commonly used techniques for securing SDK communication are adding encryption and closing the source. The point is to make it hard to fake authentic communication, but it’s actually security through obscurity—which is a big “no no” in the world of security. As a result, advertisers have a false sense of safety and are easy pickings for fraudsters.

The best analogy is wax seals, used in the Middle Ages, to seal letters and authenticate the sender. Sadly, in today’s age, wax seals aren’t truly effective tools for security. Anyone motivated enough can find a way to produce perfectly similar wax seals, and fool the letter’s recipient into believing it’s an authentic communique.

mobile attribution

SDK encryption

A standard play in the obfuscation game involves attempts to use encryption to “verify” that the data being sent by the SDK to the server is indeed authentic data.

Encryption algorithms rely on a secret key established between two parties. In our case that would be the SDK and the server. The encryption algorithm, combined with the secret key, enables you to create authenticated, encrypted messages.

While this sounds like a marvelous idea, there is one small flaw in this plan. The SDK that resides inside the app needs to know the secret itself. Most apps that we know, even the paid ones, are publicly available for download in the App Store / Play Store, which means that anybody can get ahold of the secret key. Not so secret anymore… is it?

The way to extract the key is quite simple:

  • Download the app binary (APK for Android, IPA for iPhone)
  • Depending on the platform, you may need to decrypt the binary with publicly available tools
  • Reverse engineer the binary and get the SDK encryption key

For skilled individuals—certainly ones who are financially motivated (fraudsters)—this can be done in seconds if it’s automated by software, or minutes if done by hand.

Does closed source matter?

Probably the best example of security through obscurity is the claim some vendors make about how their closed-source approach is “essential when fighting ad fraud,” while other vendors claim they “live by open source.”

mobile attribution

Sadly, it’s all BS.

Since this is almost a religious matter for some people, I’ll avoid picking sides. Instead, I’ll simply explain why no option really provides security against faking SDK traffic:

  • Open source claims that by being open and transparent with your code, it’ll be easier to weed out bugs and to be audited. As such, you’re creating a more secure environment.

    The obvious downside is that your entire security mechanism is open for all, and you can see how it works (i.e., you can see how someone generates their wax seal).
  • Closed source claims that by being closed and obfuscated with your code, it’ll be harder to find bugs and be audited, and as such you’re creating a more secure environment.

    While it makes it difficult for people to understand how your security mechanism works, there are processes like reverse engineering that any semi-skilled fraudster could utilize that basically reveal something quite close to the original source code. Which means that if you try hard enough… you can still learn how the security mechanism works! 

What you need to understand is that it’s all an obfuscation game, and it’s not real security.

mobile attribution

How do we secure our mobile attribution SDKs?

First off, we do the basics. Closed-source SDK and SDK encryption are the basics, and we’ve done them since the first version of our SDK.

mobile attribution

Second, we developed proprietary methods for iOS and Android that leverage a chain of trust. This chain helps enforce that devices communicating with our servers are real devices, owned by real people.

As the leader in enterprise fraud prevention, Singular is the only vendor with these capabilities. Using this technology, we’ve saved our customers from wasting hundreds of millions of dollars on fraudulent activities. This is not just us raising the bar, but making it virtually impossible to spoof our traffic.

If you’re unsure about your current security and want to talk to our fraud and security experts, come talk to us: fraud@singular.net.

The new ad fraudsters: how today’s sophisticated ad fraud criminals steal marketing dollars

Mobile marketers know that ad fraudsters are legion and that ad fraud is a multi-billion dollar problem. You’ve probably also heard that Singular has a deterministic fraud solution that is saving existing clients hundreds of thousands of dollars monthly.

But what is Singular saving clients from?

And what are the ad fraudsters doing now?

Ad fraud is continuously evolving in an ongoing arms race against fraud detection and marketer flight to quality traffic. Knowing which ad impressions are real — and which are fake clicks; detecting fraudulent activity and doing it all in a real-time bidding environment … it’s not easy. That’s something that our anti-fraud department takes very seriously, studying bad actors’ latest techniques to ensure that Singular clients get the advertising they pay for.

I spent some time with the head of Singular’s ad fraud detection team to understand what’s new in mobile ad fraud. And also, therefore, what’s working — and not working anymore — in ad fraud detection.

Ad fraudsters: new tactics

John Koetsier: There’s the common list of things ad fraudsters do that we see all the time … but what’s new?

Yonatan Komornik: Well, it’s interesting, because you’re seeing a wide spectrum of app install fraud. Many of the old, easier techniques are still around, but there’s also some brand-new higher-tech variations.

There’s physical device farms, which are very low-tech, and software-emulated devices in server farms, which are obviously bit higher tech. There are bots to provide traffic, and SDK spoofing, which requires a little more technical know-how, plus click injection and click spamming.

There’s also auto-clicking … sending a click for an impression that’s presented to a user — which might not even be a real user. You could have both a fake user and a fake click.

Ad fraudsters are still doing all these things, and maybe it’s old news. But they’re also doing them in new ways.

Click injection, for instance, is still around. But fraudsters are now using different technology to detect when an app is being installed. Two years ago they could rely on getting an app broadcast when an app finished installing. Now, they’ve found ways to detect when an app starts downloading.

John Koetsier: So CTIT (click to install time) is not very useful anymore — at least for higher-tech fraudsters?

Yonatan Komornik: Exactly.

And click spamming is still happening too, but sophisticated criminals are finding ways to detect which users are more likely to engage … so they’re not just click spamming everyone everywhere. It’s targeted.

You could do it by grabbing a lot of device IDs, then faking clicks once a week from those devices. But that’s fairly easy to find — they can get caught easily. So now they’re matching the IP address from which the click is being sent to an IP address that the device is likely to be close to … they’re choosing their originating IP address.

And they’re using machine learning to build models that predict which users are more likely to download an app or convert on an offer. Plus, if an app is regional, the smarter fraudsters are only targeting IP addresses in that region.

John Koetsier: Interesting. They’re following legitimate ad networks in learning which users to target …

Yonatan Komornik: And getting pretty good at it.

A newer technique, and one which is growing significantly, is SDK spoofing. Ad fraudsters are figuring out how to bypass existing ways to spot SDK spoofing. You can also see via the retention curve that now they’re faking retention: they’re spoofing additional sessions, and are ensuing that it matches a normal retention curve of an app in that vertical and location.

They will go to great lengths to make their KPIs seem normal … they’ll send post-install events, and try to spoof revenue.

Interestingly, when there’s a lot of SDK spoofing from some of the paid channels, you also see a ton of fake organics. My best guess: fraudsters are doing that on purpose to make their KPIs seem less suspicious. If they create a bunch of fake users, we see a sharp increase in organic installs.

Essentially, they’re offsetting it by creating more organic users. Then they can hide the uptick in paid installs in a flood of new “organic” users. That leads to additional problems, of course. Now they’re shifting the visible KPIs of organic users, so that when you try to find anomalies in paid acquisition by benchmarking to organics … you can’t.

John Koetsier: Most fraud detection is statistical. What’s the problem with that?

Yonatan Komornik: If I’m a ad fraudster, I want to avoid statistical detection. So I just create a new publisher ID every couple of hours. I can’t be tracked to any of them.

Then I drive five installs from each publisher … now statistical detection methods can’t find them, because they don’t have  enough data. Signing up for most ad networks or ad exchanges is easy: there’s no verification, and they pay you right away. Some networks are more careful … they will not pay publishers right away and will benchmark them for bot traffic, domain spoofing, ad viewability, brand safety, and so on.

But affiliate networks: they just take anyone.

Or, they’re mixing traffic. They’re driving fraudulent traffic and mixing it with authentic traffic. 100% fake installs is easy to detect, but if I drive 50% fake traffic and 50% real … it would just seem like my results or KPIs are low. But I don’t look super-fraudulent. Even if an app marketer is seeing 50% less retention, it’s pretty hard to say it’s fraud right away.

Also, this is generally very cheap traffic.

Some ad networks do this too. If you’re not ethical, and you need better profit margins … you can drive 10-20% fake traffic and boom, profits are up. A lot of people in the industry are trying to drive prices down, and when that happens … you can’t be too careful.

John Koetsier: How sophisticated are today’s fraudsters? Do they operate just like a regular software development team, with JIRA and other tools?

Yonatan Komornik: It depends. There are some small players, two-person teams, that probably don’t.

But there are definitely bigger players. That requires scale and teamwork … even multiple teams. Some of these are very geo-driven: they know their target market, they’re very familiar with a region, the networks, the people, and with the types of local users. So they’re able to target their attacks very effectively.

John Koetsier: One last question — if you’re a black-hat ad fraud engineer, how do you collect a lot of device IDs to target?

Yonatan Komornik: The easiest way: via real apps that collect this data. You install my flashlight app, and I can collect your usage pattern. I can also request a lot of permissions on my utility app.

Then, when I try to monetize my app, I might implement an SDK that pays me for some of this data, and then they engage in fraud. They’ll probably pay on a per-user basis, and they’re probably not very upfront about what they’re doing. Or it could even be an SDK that does something good and necessary … but also has data collection.

In addition, ad networks have tons of data. If they decide to go fraudulent, it’s pretty easy to do that, and then “boost” their click-through rates and ad spend.. You can also collect device IDs via RTB (real-time bidding) exchanges … just by starting to bid on impressions.

John Koetsier: Thank you for your time!

Next steps

Get a demo of Singular’s DETERMINISTIC anti-fraud solution, as well as our overall optimization, ad spend, and attribution tools.

And, pick up a free copy of Singular’s report: The Death of App Install Fraud.

On-demand webinar: Industry-first Android Install Validation

How are Singular clients saving millions of dollars annually? By killing fraud in their mobile marketing campaigns with Singular’s new industry-first Android Install Validation.

Now the on-demand webinar is available for you to get all the details.

You may have seen the news recently. VentureBeat, Ad Age, AdExchanger, and other media outlets reported on it just a few weeks ago.

This is a first-ever technology, and it’s having a massive impact on user acquisition campaigns. Singular is the only company that offers this method of fraud prevention. It’s important to note that  the fraud detection here is not a probabilistic guess: it’s a deterministic method.

android install validation fraud prevention

Essentially, we’ve found several datapoints from apps and Google Play that are practically impossible to forge and allow us to verify the authenticity of the install and the user.

Learn more in the on-demand webinar now

We all know the studies: marketers waste tens of billions of dollars annually thanks to fraudulent publishers and networks. (Check out our recent fraud report: we list a few of those studies).

But there are also hidden costs to fraud.

When you’ve got fraud in your advertising campaigns, you make optimization errors. You’re using faulty data to make decisions, so you add spend to channels that look good (but aren’t). Just as bad, you punish channels that look bad (but are actually excellent).

This will save us literally hundreds of thousands of dollars every month, and lead us to make more effective marketing decisions.

Channy Lim, Head of BI Department

The webinar is available here. In it, you’ll also get more details about how Singular’s anti-fraud technology works. Singular always looks for solutions that are deterministic, proactive, transparent, and customizable. Each of those is important for clients who want to keep their campaigns as free of fraud as possible.

In fact, one new client who tried Singular’s fraud solution for the first time discovered that more than 90% of the app installs they had been paying for from a particular network were fake.

One more thing:

When you watch the webinar, we’ll tell you how you can get a personal fraud audit — a #fraudit. You’ll see what the very same technology that Glu, Com2uS, and Cleartrip are using can find in your advertising campaigns.

Fixing a $13B problem: How Singular is killing app install fraud

You probably saw the news that we released last week: deterministic Android app install validation. This, along with a number of other improvements we’ve recently made, is a massive industry breakthrough that is completely game-changing for many of our clients.

Some of them are now saving massive amounts of money:

“Singular’s updated Fraud Prevention suite is the most powerful mobile app install fraud prevention I’ve seen,” says Channy Lim, Head of BI Department at Com2uS, maker of the hit mobile game Summoners War. “This will save us literally hundreds of thousands of dollars every month, and lead us to make more effective marketing decisions.”

The news is exciting, but I wanted to dive a little deeper.

I would like to share a little more detail about how app install fraud works, the problems with existing methods of finding it, and what we doing differently at Singular.

How app install fraud works

One of the ways fraudsters steal billions of advertisers’ dollars annually is app install fraud. Or, to put it another way: fake installs.

App install fraud is a collection of fraud methods that create fake mobile users and app installs. As opposed to attribution manipulation fraud, which steals credit for existing legitimate app installs, app install fraudsters take matters into their own hands and create app installs out of thin air.

There are multiple ways to perform fake installs fraud, and naturally, some are better than others.

The simplest and most low-tech way is a device farm. You get a bunch of devices, click a lot of tracking links, install a lot of apps, then open them, delete them, and reset each device’s Advertising ID (Android) or IDFA (iOS). Rinse and repeat regularly, and you’re collecting ad dollars.

But there are far more complex and advanced ways to perform fake installs that generate a lot more money far quicker.

One of the other ways fraudsters scale up their device farm operation is to use emulators and bots instead of real devices and real human beings who use the devices. This can be done in the cloud, and potentially on multiple servers in multiple locations, to try to look authentic.

One of the most notable techniques leveraged by smarter fraudsters is SDK spoofing.

Mobile marketers place software (an SDK) from a Mobile Measurement Partner (MMP) in their apps to monitor and measure the results of their marketing. In SDK spoofing, no app is ever actually installed … but an install is being reported to the MMP and potentially other analytics providers by faking the SDK’s traffic. This can be done by technically advanced fraudsters who understand how communication with the measurement service works and how to emulate that communication.

This is far more scalable than running a device farm, because once they have done the initial work, they can create a script to run on servers around the globe. That creates fake installs on fake devices. Alternatively, they can write code that can run on legitimate users’ devices anywhere, reporting installations of apps that have never been installed: fake installs on real devices.

Another example comes in the form of malware, where malicious apps install and run legitimate apps on real users’ devices. This happened for example with the Viking Horde malware. In such cases the user is real and the app is real but the install itself is fraudulent.

As fraudsters become more advanced they tap more and more into the power of the high-tech fake install techniques, and for good reasons. These attacks are highly scalable and hard to find, therefore netting the fraudsters huge amounts of money.

Detecting and preventing fake installs is hard

There are multiple ways to detect fake installs. The problem is that many are unreliable, inaccurate, and most importantly, ineffective.

SDK Message Hashing
Since SDK spoofing aims to fake an MMP’s SDK traffic, MMPs (including Singular) protect each message sent from the SDK. That’s typically done via hashing: taking the data from the message, a secret key that is different for each app, and combining them to create a blob of data that can be verified on the MMP’s backend.

The problem is that the secret is not so secret, as apps that run on users’ devices can create these hashes, so SDK fraudsters can extract the secret and algorithm from the publicly available app binary. At times they don’t even need to reverse engineer the algorithm since the SDK is open source.

Abnormal numbers of new devices
One interesting statistical technique to fight fake install fraud is to look for a high percentage of brand-new or never-before-seen devices coming from specific ad networks or publishers. When you see abnormally high ratios, it’s generally clear that something fishy is happening.

The problem however, is that fraudsters sometimes leverage existing devices or mingle their fake traffic with traffic from real devices, making it harder to spot anomalies.

Abnormal retention rate or other KPIs
Marketers can sometimes identify fraud by seeing abnormal rates of retention, in-app purchases, or other KPIs. For example, if your average retention is 15% on D14, but installs from a particular campaign, publisher, or network show a 1% retention rate, it’s clear that there’s something that deserves further investigation.

But Singular research shows that fraudsters have learned to fake retention and post install events/purchases.

For example, Singular uncovered a case of extremely sophisticated SDK spoofing campaign on iOS that fools most fraud prevention solutions in the industry. The fraudsters not only generated seemingly legitimate app installs but they also continued to send post-install events, in essence faking real users’ activity. They have even tried reporting in-app purchases, and while doing so reported revenue receipts for these fake purchases.

Sensor data and user behavioral analysis
Sensor data based solutions take post-install fake user detection one step further. These solutions try to detect abnormal devices or users by looking at non-marketing data points such as device movements (via a smartphone’s accelerometer and/or gyroscope), battery data, and user-screen interaction.


Simple: sensor data for real devices should look different than simulators that don’t move.

The challenge is that this can be faked as well as shown in the huge “We Purchase Apps” scandal revealed in October 2018. In this massive ad fraud campaign the perpetrators bought real apps, studied the usage patterns of their real users, and then created fake users coming from those same apps.

One of the biggest targets of this campaign was none other than Google itself, the company who has probably put the most effort into profiling real user activities and protecting advertisers from fake user emulation.

And more …
There are multiple other methods, each of which has its strengths and weaknesses.

The problem with post-install fraud determination

While post-install methods do an important job of raising the bar against fraud they have some inherent caveats that stop them from being effective fraud prevention tools.

1: Statistical (in)significance
Post-install methods are statistical tools that work by looking at groups of installs and checking if one or more of these groups exhibit anomalous activities. Usually these groups would be installs coming from the same publisher. For example, when looking for new devices it’s unsurprising to see a legitimate user with a new device, as new devices are constantly being sold to consumers.

However, for a publisher driving thousands of installs, seeing 95% of those installs from new devices should be highly suspicious. Fraudsters have figured out that they can’t be so blatant, and so they take action and hide. Some drive their traffic from many different publisher IDs and even networks to keep numbers low; some mix their fraudulent installs with legitimate installs to make the anomaly less apparent.

Utilizing such techniques allows fraudsters to avoid detection by making the anomalies statistically less significant, making it a lot harder to distinguish legitimates traffic from fake traffic and so making it harder to stop the fraudulent activities without incurring high false positives.

2) Post postback friction
As the name suggests, post install methods only come into effect after an install has happened, and might be processed days or weeks after the install. That also means that they are evaluated after an install postback is sent to the media source, which means after conversion and billing notification in CPI campaigns.

The result is that the media source will charge for the now-known-to-be fraudulent conversion … unless a process of reconciliation is done. This process is often manual, messy, and a cause of great friction between ad networks and advertisers.

3) Non-optimized optimization
Ad networks often perform real-time optimizations based on initial success analytics: evidence of conversions such as app installs. Now, however, those optimizations will be skewed by fraudulent activities.

In effect, having been rewarded by fraud, they will now optimize for MORE fraud.

As an example, if publisher A drives more installs than publisher B for some advertisers, the network might prefer to prioritize publisher A over publisher B and send more ads its way. Now imagine publisher A is actually driving fake installs which are not prevented in real time (as happens in post-install detection). The network will funnel more budget to A over B.

Even if those fraudulent installs are detected post-install and reimbursed, the damage has already been done and goals will not be met because of the optimization changes and budget shift.

Singular’s solution: deterministic pre-attribution fraud decisions

Singular strives to have no false positives. We want to clearly identify fraud at a granular level. So Singular’s fraud results apply to actual individual installs, devices, and users, not blanket-level sources or publishers (although we can – and do – block those too).

We also want to find fraud as conversions or installs happen.

Anything less will suffer from the problems outlined above.

When we took time out earlier this year to consider everything, it was clear that we needed a different approach here. We needed something that would work in real time — install-time — and have an extremely low false-positive rate while still maintaining effectiveness.

To meet these requirements, we decided to disregard everything we thought we knew about ad fraud and look for something new. As we reported publicly last week, after an exhaustive search we found what we believed would be a high-quality deterministic fake install detection method that works at install time.

The new method we discovered depends on signals from the install device that allow us to verify that a user exists, they truly installed the app from the store, and they haven’t installed the app an unreasonable number of times (sorry-not-sorry, fraudsters who “install” an app on a phone hundreds or thousands of times).

Of course, once we found this method, we knew we needed to validate that it works as expected at scale, in the real world, on thousands of ad networks. To do so we tested with some of the most successful mobile publishers on the planet. And we validated our results against post-install metrics.

The actual implementation of our new fraud prevention method proved to have a tremendous effect on some of our customers, eliminating their fake install problem. (Find more about it in our report.)

In a later blog post we will share some more details about our findings, but it’s safe to say that we were blown away by the scale of the fraudulent activity we’ve found, and as more and more customers utilize the feature, the numbers are only going to grow.

Interested in learning more? Schedule a demo to go even deeper.

Personalizing your fraud prevention strategy with Singular’s custom fraud rules

Mobile ad fraud is an ever-growing threat to marketers, with fraudsters continuously evolving attack techniques. The exact figures for how much ad fraud costs marketers is highly debated, but eMarketer’s Digital Ad Fraud 2019 states that the estimated impact ranges from $6.5 – $19 billion annually.

To navigate this complex problem and effectively prevent ad fraud, marketers need to have an understanding of the techniques used by fraudsters and employ an always-on fraud prevention strategy that proactively rejects fraud. Otherwise, ad fraud can be detrimental to marketers in two key ways: one is the wasted ad dollars on installs that are either fake or hijacked, and the other is dirty data that is inaccurately skewed towards fraudulent networks instead of high-value networks or organic traffic.

Fraud prevention that adapts and reacts

Singular’s industry-leading Fraud Prevention Suite is built and maintained by a highly-skilled set of scientists that are dedicated to staying one step ahead of ad fraudsters and their attack methods. The Fraud Prevention Suite provides a proactive approach to detecting and combating ad fraud at scale.

Singular’s fraud prevention dashboard

With Singular’s rules-based fraud prevention, marketers can automatically apply deterministic rules in real-time to block installs before they are attributed to a fraudulent ad partner, or flag activity that is suspicious for further investigation. Automatic fraud rejection gives marketers peace of mind from knowing their ad dollars are always protected and eliminates the need to spend time reconciling ad network invoices.

Singular’s Fraud Prevention Suite not only comes pre-packaged with industry-leading Fraud Prevention Rules but also offers marketers the flexibility to define their own rules, what we call Custom Fraud Rules.

Personalizing with Custom Fraud Rules

With Singular’s Custom Fraud Rules, marketers can personalize their fraud prevention strategy to meet their brand or apps unique needs. For example, they may want to have a more aggressive approach to combating fraud if they’re advertising in markets that are more susceptible to ad fraud, or even if they’re testing new networks, each with varying levels of fraud.

Marketers can create Custom Fraud Rules by defining the conditions and rules that trigger automatic rejection of attributions or flagging of suspicious activity. The flexible rule builder allows the marketer to define multiple conditions that need to be set for the rule to trigger on a touchpoint, enabling them to implement a variety of personalized fraud-fighting rules.

Some examples of Custom Fraud Rules marketers have implemented include:

  • Publisher Blacklisting
    Select specific sites to blacklist from your campaigns. While you will also want to confirm your site blacklists directly with your partner, this rule gives you the power to reject traffic that comes from unreliable or underperforming sites.
  • Fingerprinted Traffic Whitelist
    Define and whitelist traffic sources that are trusted enough to send fingerprinted installs. Automatically reject or flag fingerprinted installs from install sources that are less reliable.
  • Block Unauthorized Store Installs
    Most Android apps are only published on the official Google Play Store. Automatically reject Android installs that came from an unauthorized store.

The flexibility of the Fraud Prevention Suite also allows you to add additional fraud checkpoints. These rules take known characteristics of your apps and campaigns, and allow you to quickly filter out traffic that doesn’t meet your standards.

  • Country Mismatch
    Use this rule to automatically reject or flag installs that take place in a country that your campaigns are not targeting.
  • App Version
    As you update your app version, it becomes impossible for new users to click and install deprecated versions. Fraudsters can struggle to update their attack to include the newest app version from the traffic they send, so blocking deprecated app versions can eliminate a source of fraud.
  • Time-to-install
    When the amount of time between an ad click and the resulting install is unusually small, it can be a sign that the install was hijacked by fraudsters. Similarly, when the time between a click and an install is too long, click spamming might be taking place. Set a custom time-to-install threshold based on the size and usage of your app to automatically reject or flag installs with unrealistically short or long install times.

Savvy marketers from top brands are already taking advantage of this personalized approach to fraud protection, which is paying off in significant cost savings.

Recently, a leading e-commerce app in the APAC region implemented a rule to prevent non-approved publishers and sites from sending fingerprinted traffic. After implementing the rule, 16% of the traffic sent from these sources was automatically flagged and rejected.

Another client, a global giant of gaming, set their iOS receipt validation rule on. When testing a new source, they found that 100% of the 11,000 installs were flagged and rejected for fraud. An additional benefit: no make-good negotiation was required … since the fraud prevention did not allow these installs to be attributed!

When fraud strikes, the marketers that leverage Singular’s Fraud Prevention strike back with high-tech fraud detection and prevention. But this is just the beginning. We’re dedicated to further innovating our Fraud Prevention to keep up with the changing face of ad fraud.

Want to see how much you could be saving with next-level fraud prevention?Reach out to your Customer Success Manager for a complimentary fraud audit.

Singular ROI Index 2019: The unmissable advertising ROI webinar

Singular’s ROI Index is the largest study that ranks top ad networks globally based on their ability to deliver ROI for advertisers. We’ve already published the Index and made it available to the world, giving you the ability to find the best advertising ROI available.

But now it’s time to dig deeper.

This webinar goes beyond the Index to talk about not only where individual media sources rank, but also what some of the key differentiators are.

Meet the experts

To do that, we’re going to bring in the experts: Susan Kuo, Brian Sapp, and Christen Luciano. (Yours truly, John Koetsier, VP of Insights at Singular, will moderate.)

Susan and Christen have deep insight into how various ad partners performed in the Index. Brian has an even deeper insight into what mobile marketers look for, and what they need in terms of advertising ROI from ad networks.

Susan Kuo
COO, Head of Business Development
Susan has an extensive background in mobile ad tech, analytics, and gaming. Prior to Singular, Susan held senior leadership roles at Onavo and InMobi. Susan is an active member of the mobile community and serves on the advisory board for several mobile-focused start-ups.

Brian Sapp
VP, User Acquisition Marketing, Jam City
A mobile veteran with previous roles at Tapjoy and Web Games, Brian manages user acquisition for Jam City, which currently has six of the top 100 highest-grossing games across the App Store and Google Play.

Christen Luciano
Director of Partner Development
Christen oversees Singular’s relationships with key partners. Prior to Singular, she was a product marketing manager with Kenshoo and held multiple additional marketing roles. Her focus is collaborating with top marketing platforms to help advertisers grow reach and maximize performance.

We’ll review the 2019 Singular ROI Index, but also talk about fraud, things marketers need to know about their ad campaigns, some of the biggest surprises, and the role SANs (self-attributing networks like Facebook and Google) should play in marketers’ ad campaigns alongside some of the mid-tier players.

Advertising ROI is critical, of course, but it doesn’t happen in a vacuum.

So we’ll also talk about how to find niches of profitable growth, new innovative players, and what to look out for.

One of the things that the 2019 Singular ROI Index makes very clear is that Snap and Twitter have made significant moves recently in terms of the value they offer to advertisers. We’ve seen that in their recent quarterly reports: Snap grew quarterly revenue almost $100 million year over year, and Twitter had record quarterly earnings.

We’ll talk about what we’re seeing in the platforms that is driving increased advertiser adoption, and we’ll talk about everything else the Index reveals about advertising ROI.

Sign up now for the ROI Index webinar.

What online marketers and ad fraud criminals do and don’t have in common

The recent news about the Department of Justice’s takedown of the code-named 3ve and Methbot ad fraud schemes, including the arrest of three individuals and the indictment of five more, is cause for celebration.

A coordinated effort over several years from the FBI, White Ops, Google and many others shut down a hefty chunk of the $19 billion that Juniper Research estimates will be stolen this year by digital ad fraudsters.

Not only did this operation save advertisers millions in useless spending, the criminal indictment could deter smart, creative individuals from getting into the fraud business in the first place. U.S. law enforcement now has the chops to take down these white collar criminals operating in faraway places like Russia, Bulgaria, and perhaps living it up in Malaysia, where Sergey Osyannikov, one of the defendants in this case, was arrested.

Fraud makes life difficult for everyone.

In a recent survey of 1,100 advertisers by Singular, we asked: “What are the impacts of not having good marketing intelligence about your ad campaigns?”

The #1 answer?

Poor quality traffic, mentioned by 57% of advertisers. The #2 answer was high fraud, mentioned by 50% of advertisers. What we don’t know is how much of poor quality traffic is attributable to fraud, but I’m guessing a good chunk of it is.

Reading the official indictment document (pictured above) as well as the White Ops whitepaper and news coverage offers insight into the practices and mindset of these persistent and creative individuals who managed to collect an estimated $29 million from one scheme and $7 million from another.

As someone new to Singular, which offers built-in fraud protection for marketers, and who’s spent the last 6 years covering HR and recruiting topics for Simply Hired, Glassdoor, and Lever, I couldn’t help but look at the human side of how these people operated, and consider what we can learn from them.

Fraudsters are perhaps the most successful growth managers—that is, until they get caught.

Here’s an assessment of what marketers and fraudsters do and don’t have in common.

Similarity #1: Think broadly and creatively

These criminals took a comprehensive approach to create their fraudulent networks, looking at every parameter of cybersecurity requirements in order to build networks that would go undetected.

The malware they created that was installed on 700,000 computers at any given time opened hidden windows on hidden desktops in order to go undetected by users. Their bots simulated mouse moves across on tens of thousands of spoofed domains and sent fake audiences to real domains. They also make sure that the malware was installed on computers in countries that were in demand. In short, they considered everything.

Marketers today have to think broadly about their campaigns: what money is being spent where, which creatives are working and why, and consider the marketplace dynamics at play. They use their creativity to find new sources, adjust campaigns, and relentlessly pursue growth.

Similarity #2: Collaborate and assign clear roles

The investigation revealed the roles and responsibilities of each of the eight men. There were several programmers, and several who ran the business side and controlled the funds. Whether you’re a legitimate marketer or a fraudster, it takes a village of specialists to scale an operation.

From the press release:

“3ve was remarkably sophisticated,” added Tamer Hassan, CTO of White Ops. “It showed every indication of a well-organized engineering operation with best practices in software development. It exhibited reliability, resilience and scale, rivaling many state-of-the-art software architectures.”

Interestingly, the collaboration tools they used were pretty similar to the ones used by marketers: spreadsheets in the cloud. (Fortunately, they will never have the benefit of a marketing intelligence platform like Singular that serves as a single source of truth around business results.)

Similarity #3: When you have a good thing, keep it going

These schemes ran for years, detected only by the investigators.

It was their Candy Crush Saga, a top-grossing app of all time that they kept optimizing—until their time was up. While it’s unfortunate that so many advertiser dollars were spent on fraudulent traffic, the law enforcement long game ensured the networks would be shut down for good and at least some of the fraudsters could be caught.

Twenty organizations, including Google, Microsoft, Amazon and Adobe donated resources to take down the scheme. Consider the ad dollars spent as donations to fighting crime.

Similarity #4: Retaliation will get you fired

ZDNet coverage of the Zhukov arrest says that “Zhukov exposed his operation during a fit of rage after a deal with a customer went wrong, and he turned up all his servers against that customer’s video inventory, generating millions of views, and indirectly catching the eye of advertising networks.”

It can be difficult to hold down a job if you have an anger management problem. But instead of just moving on to the next gig, Zhukov faces a maximum penalty of 20 years in prison.

Difference #1: You can be proud of your profession

These men have friends, families, partners, spouses—all to whom they have to lie about what they do for a living. While it may be difficult to explain your occupation to those who don’t work in the industry, it’s far less pressure than having to blatantly lie.

Not only that, as a legitimate marketer you have a wealth of resources and tools such as Singular to support you, and you don’t have to manage your business in cloud-based spreadsheets.

Difference #2: You can spend your bonuses guilt-free

The 3ve defendants were indicted on two counts of money laundering, one for each scheme. It takes a lot effort to conceal large sums of money across nations.

While you probably don’t get to reap millions for your the work you do, at least you can spend your bonus guilt-free on whatever you want, whether it’s an exotic trip or home renovation.

Difference #3: Your work creates happy users, not ad fraud victims

At the end of the day, it’s nice to know that your work to acquire more customers results in moments of joy, satisfaction, or productivity as they consume your company’s product.

The 3ve defendants left a trail of victims: thousands who work in the online industry, and millions whose computers were affected. As a marketer, it’s gratifying to read this list of victims shown in the indictment:

At Singular, we’re proud to say that by offering ad fraud prevention, we’re doing our part to help fight crime.

If fewer advertisers spend on fraudulent sites, the less motivated individuals like these men will be to waste their talents working in fraud. After all, they just might end up in jail with Aleksandr Zhukov, Yevgeniy Timchenko, and Sergey Ovsyannikov.

Request a demo today to learn how our fraud prevention suite improves ROI by reducing spending on fraud.

Oath & Singular: Fireside chat on adtech, martech, fraud, IoT, and the biggest challenges facing marketers

Marketers are facing more challenges now than ever before: the data explosion, the fraud epidemic, cross-channel and cross-platform resolution, and evolving from marketing art to marketing science.

It’s not easy out there.

That’s precisely why Oath, the new AOL and Yahoo!, has put together a new series of fireside chats featuring solutions to some of marketers’ biggest challenges.

And we were happy to participate.

Oath Ad Platforms Fireside Chat with John Koetsier, Singular from Oath on Vimeo.

Missy Schnurstein, Oath’s Head of Product Marketing and Demand Strategy, hosted the chat, and we spoke about adtech, martech, IoT, and the changing relationship between brands and customers.

That includes emerging rules and standards around advertising and how marketers might access new prospects in the future via mediated structures — perhaps using blockchain — to communicate to people who have explicitly granted them permission.

Check out the blog post here, and the full video is embedded above, or available on Vimeo.

Mobile ad fraud: 6 ways fraudsters win via dirty tricks, nasty scams, illegal tech, and cutting-edge camouflage

Ad fraud is a game where losing can look like winning, our Singular Fraud Index says. That’s why you need the latest intel — and the best fraud protection suite in the attribution industry — to protect you.

And understanding the enemy is the first step in winning the fraud war.

Or at least … not losing it.

At our recent UNIFY conference, IronSource’s Vice President for Growth Yevgeny Peres unpacked the science and data behind how fraudsters win. This was new intel to some of the world’s top digital marketers (not an easy task) and showed attendees how fraud was happening live in their campaigns right from the most innocuous, trustworthy, and high-quality apps.

Now we’re sharing the insights with you.

How fraudsters win: Outsourcing fake clicks to real people

“Assuming you have a phone and you’ve engaged with ads and you have some apps installed, fraudsters have access to your phone: your device ID,” says Peres. “And that device ID … once a fraudster has it, it’s not that complicated to start using it to manipulate attribution.”

Click spamming in operation. Code translated by Singular CEO Gadi Eliashiv.

Here’s how it works.

Peres demonstrated with a mobile app on a phone that he connected to desktop technology to read and display all internet traffic. The app, a household name and top-60 grossing app, is perfectly legitimate and aboveboard. It would look like a quality publisher and a quality traffic source to any advertiser.

But it happens to show banner ads.

And fraudsters have managed to get their banner ads displayed on the app.

One of them is running code in Javascript behind the image. That code contains a long list of click URLs and opens multiple iFrames: mini virtual web browser windows. The URLs are tracking links, potentially from multiple tracking and attribution vendors, but they’re wrapped links that obscure exactly what they are and where they’re going.

IronSource VP of Growth, Yevgeny Peres.

The result: many advertisers, including multiple UNIFY attendees, see potential customer activity on mobile web that turns out to be completely fake.

“This was in-app banner traffic that’s going to be reported by tracking companies as if it were mobile web,” says Peres. “[These were] various websites that were not open on the phone … you would assume you’re buying from these guys when actually it was driven from the app.”

In one fell swoop you have multiple forms of fraud:

  1. Ad stacking: multiple ads stacked where one appears
  2. Click spamming: 50 clicks fired for one banner view
  3. Domain spoofing: clicks are reported as coming from sites that no-one ever visited
  4. Fingerprint manipulation: device fingerprints are faked to look like real devices

“This looks like great quality … but there’s zero intent,” says Peres.

How the fraudsters win: SDK spoofing

“The first thing to understand about SDK spoofing is that it’s much bigger than you think,” says Peres.

SDK spoofing requires some serious technical chops. If fraudsters have access to real device IDs, they could simply engage in click spamming. But why wait for people to install an app or convert in a campaign randomly or organically?

In SDK spoofing, fraudsters employ code in one app to send fake install and conversion signals on behalf of another app: an advertiser’s app.

Fraudsters can vastly multiply their ill-gotten earnings by faking conversion events.

“If I know what the tracking company’s SDK reports on app open, I might as well intercept that, replace the device ID, play around with the other parameters, and send it again,” says Peres. “A couple minutes later, I can orchestrate a beautiful KPI curve … I can [even] inflate organics to make sure this channel [looks like it] has an organic uplift.”

How the fraudsters win: Click spamming

The good guys in adtech have access to hundreds of millions if not billions of device identifiers. The bad news: so do the bad guys.

That’s a problem.

“All we need to do is gain access to a campaign and start running a script and fire a click every morning, randomly,” says Peres, mimicking a fraudster’s thought process. “[You’re] hoping that one of these guys will generate a conversion … that’s probably a $50K income a day, just doing that.”

On an ad exchange, once you gain access to a device ID you can do whatever you want with it, technically speaking.

“Once you have access to it, anyone can report a click,” Peres says. “It’s how the design of our stats-serving ecosystem is … that’s the bad news.”

How the fraudsters win: No incrementality analysis

Fraudulent activity isn’t just something on top of your standard organic marketing results or even just your paid marketing campaigns.

Some fraudulent channels eat organics.

Some fraudulent channels eat other paid channels.

How ad fraud can eat both organic and paid channels.


“It’s very important to understand the difference between channels that are incremental to you and channels that are not,” says Peres. “This is the biggest challenge for a marketer.”

Marketers may perceive fraud as a 20-30% problem, but much of it is not incremental. It’s cannibalistic. That means that marketers absolutely must test each channel for incrementality, ensuring that each channel really does independently drive business results.

How the fraudsters win: Fraud looks so juicy good

Some fraud has excellent camouflage. Here’s one example: check out the average revenue per user (ARPU) for these two campaigns.

Some fraudulent networks report views as clicks.

Campaign 1 and 2 have identical cost per install (CPI) and near-identical impressions, plus near-identical real clicks. But campaign two is a video ad that is either auto-redirecting to the App Store or Google Play after every view.

“When you look at the funnel, the CTR is almost 100%,” Peres says. “This is by the design of their product where they report a click for every completed view … so once the video is over, they have to report a click because they redirect the user to the App Store.”

The ARPU looks great — better than a clean campaign — so it’s very tempting for marketers to keep spending there. Especially if they’re not closely checking the other parameters such as the impossibly-high click-through rate.

This is an example of something that completely breaks the mobile advertising model, says Peres.

“These channels … if they’re manipulating attribution, their media costs are very low,” he says. “Other DSPs are competing with these guys. You have a 1% CTR rate for playing a clean game; these guys on a single impression generate 50 clicks. That’s 5000X stronger. That’s something you cannot outbid no matter which data scientist you hire.”

How the fraudsters win: Marketers don’t monitor key indicators

There are many key indicators that marketers who care about limiting fraud need to pay attention to, says Peres. Here are some of them (watch the full video for the complete list).

Fraud is revealed when you look at the right data.

Good ad fraud prevention enables you to see:

  1. Channel metrics versus attribution metrics (look for discrepancies)
  2. Percentage of clicks without a device/advertising ID (Android should be about 1%; iOS should be about 20%)
  3. Percentage of view-through attribution (VTA) versus click-through attribution (CTA) conversions
  4. Number of clicks per device ID (high is suspicious, shockingly)
  5. Number of views per device ID (again, high is suspicious)
  6. Percentage of clicks without a prior view … in some cases, 65% or more of clicks happen without a view: this is suspicious
  7. Very low eCPM
  8. Short, very regular, very long, or otherwise improbable or unnatural click to install times
  9. Attribution analytics versus iTune Connect and Google Developers Console numbers
  10. Incrementality

That’s not a small number to keep track of, but savvy marketers who don’t want to get burned by fraud will need to stay on top of these key indicators.

Summing up: One thing you must do

Fraudsters are smart, they’re technical, and they’re always working hard to separate you from your hard-earned ad dollars.

They also hide in plain sight, as sub-publishers and lower-tier ad networks or sources of supply.

How fraudsters hide in the adtech ecosystem.

You need a partner who stays on top of ad fraud for you.

“My single advice is … make sure you work with a tracking company that invests a lot on research,” Peres says. “Singular obviously invests a lot on research and has a lot of knowledge there … they update their SDK a lot, the security of their SDK. Make sure you have the latest version of the SDK and keep updating … it’s a must, every time it comes out.”

Our investment in mobile ad fraud prevention protects you from donating to organized crime … and shooting your paid promotion campaigns in the foot.

What to do now: Get the hard numbers on fraud … and the top fraud-free networks.

8 reasons why digital marketers need need need granularity (from experts at Kabam, Yelp, Nexon, Postmates, & N3twork)

Pebbles on a rocky beach are granular. The white sugar that we all hate to love is granular. The stars of the Milky Way that smudge together into a glorious sheet of light are, under closer inspection by a powerful telescope, also granular.

And so is the very best of digital and mobile marketing.


“Granularity sustains profitable scale,” says Singular’s Vice President of Customer Strategy Victor Savath. “Without granularity, you can scale… but it’s hard to monitor quality.”

Granularity is important both cross-channel and within channels, Savath said recently at UNIFY conference, where he interviewed experts from Yelp, Kabam, Postmates, Nexon, and N3twork on the topic. It’s important for creative. Granularity is also important for bids and CPIs. It’s critical to evaluating publishers and sub-publishers. And it’s something that impacts your daily budgets.

But exactly what is granularity?

And what does it achieve for digital marketers?

Granularity in digital marketing can be defined as the ability to dissect big blocky chunks of marketing activity and ad buys to see the smaller building blocks. For example:

  • If your ad campaign is spread over 15 different agencies, you can view each one individually
  • If each agency uses multiple ad networks, you can see how each is performing
  • If each ad network employs different publishers and sub-publishers in your campaign, you can dive into sub-publisher metrics
  • If you’re using varying creatives and forms of targeting, you can see how each performs
  • As users or customers engage, you can see their journey and react personally to their preferences and needs

As you can see in the video from UNIFY, experts from top mobile companies had a lot to say about the concept of granularity. Here are eight things they highlighted:

1. Granularity tells you how to maximize channels

Clearly, seeing which ad network or publisher is providing the best results is a good thing. But it’s sometimes even more important to really understand what’s working within a network or publisher.

“Obviously Facebook is the biggest social channel, but Pinterest, which is often overlooked, is an interesting play,” says Yelp’s Head of Performance, Eyal Grundstein.

The key to unlocking performance for Yelp on Pinterest was experimentation… and granularity.

Initial generic campaigns produced generic results, but when Yelp started targeting “odd things” like nail salons, click-through rates jumped 5X. Another finding: tattoos are huge on Pinterest, because people search for tattoos that they’ll consider. Targeting on tattoos and showing tattoos in the ads boosting conversions 10X.

“You can be granular not only in the targeting but also in the copy,” Grundstein says.

2. Granularity tells you which publishers are performing

Most ad networks fulfill impressions and conversions for their clients by purchasing inventory from publishers or sub-publishers. When this happens, sometimes advertisers lose the ability to optimize for maximum performance because they either lack the capability or are not looking below the top line campaign numbers to the sub-publisher results.

Hint: some will be rock stars; some will be duds.

“We have a two to three times per week process of pruning out the low performers,” says Eric Seufert, Platform at N3twork. “We kill them at the line-item level if they’re not performing.”

That process does vary from week to week, Seufert says, as publishers change. There’s some natural variance between good, acceptable, and bad, so some level of discretion is warranted. Still, the overall learning remains: advertisers need to be able to probe down to sub-publisher levels to really fine-tune performance.

3. Granularity helps you avoid ad fraud

Granularity is table stakes for avoiding fraud, says Grundstein. Impression-level data, for instance, is an absolute must.

It’s also a way to tie the technicalities of adtech to the ground-truth realities of customers, users, and your product. And there’s no better way, says Warren Woodward, Nexon’s Executive Director of User Acquisition, to really see what’s going on.

“Show me this ad in the wild,” Woodward will often ask his ad partners. “It’s amazing how many sources break down when you ask them… where is your traffic? Can you show it to me?”

And, just as source-level data allows you to pinpoint top performers, it also allows you to isolate potential fraud. Especially when you explicitly state your goalposts in the ad insertion order:

“This game that usually has a 90% tutorial completion… if we see a source as over ‘x’ number of installs and [it] deviates from that norm by over 50%… we’re going to consider that incentivized or some other type of fraud,” says Woodward.

4. Granularity helps you avoid bidding against yourself for adspace

Granularity on the publisher level helps us to “strategize and understand where not to overbid or bid against yourself,” says Yelp’s Head of Performance, Eyal Grundstein. “For example, if you’re buying on two different DSPs and they’re both buying on Mopub… they will bid up against each other potentially, especially on a particular placement if there is enough volume or if it is relevant enough.”

In other words, the ad space is complex and busy. And if you’re a significant advertiser, you’re probably using anywhere from ten to over a hundred advertising partners, which means you could potentially have campaign collisions.

There’s only one thing less cool than ad fraud, and that’s bidding against yourself.

5. Granularity helps you customize to different geographies


Country and regional level data is critical when marketing, says Kabam’s Director of User Acquisition, Andy Park.

“How people consume media across geos is different,” Park says, noting that people in China like to like and comment on ads, particularly on Tiktok, the country’s top video platform. “[One] ad got 37,000 likes and 600 comments in two days.”

Creatives come in many different sizes, shapes, and user experiences, Park says. The key is being able to present different creatives to different audiences, and react appropriately depending on which ones work.

This also enables regional targeting, says Postmates’ Director of User Acquisition Patrick Witham.

“We operate city-level targeting,” Witham says, while noting that there are some limitations with ad network data for geotargeting.

Separating campaigns for different geographies can also make overall campaign analytics more challenging, he added, and does put some limits on scale. However, tighter targeting almost always leads to better results, and “specificity drives conversions.”

6. Granularity allows you to “try wild things” and still be successful

Some of the best things you’ll do in marketing are crazy.

At least, at first glance.

“Our approach has been to build tools that allow us to be radically experimental,” says N3twork’s Seufert. “We’re building about 50 videos a week… we deploy them to test and then deploy more universally.”

Some of those videos are going to be incredible. Some are going to be horrible. But by building the engine to enable creativity at scale and fast failure, N3twork is opening itself up to those rare oddball explosions of lightning in a bottle that drive mass conversions.

Nexon’s Woodward agrees.

“Try wild things,” he says. “You want something that’s going to stand out… when you have a completely different experience, it’ll be the biggest winner or a complete loser.”

One example for Nexon was an ad that featured almost no gameplay — an extreme rarity in the mobile game ad world. Instead, it simply showed fans talking about the game. Essentially, it broke every rule… and it was the company’s biggest winner.

“It carried about a quarter of our user acquisition,” says Woodward.

7. Granularity helps you avoid poorly performing genres of publishers

Sometimes you want to avoid one publisher in particular. Sometimes, though, you want to avoid an entire genre of publishers.

That’s exactly the scenario that Kabam’s Park found himself in (watch the video for full details… including precisely what he was trying to avoid.

Some things just don’t work for your company, your brand, your product, or your app. And granularity enables you to avoid them.

8. Granularity helps you test creative versus creative

Every marketer wants to know which ad units are performing. That’s table stakes… and yet also an example of granularity.

Smart marketers also want to know their conversions from different creative types: banner, text, interstitial, video… and playable ad. You just might be surprised at what you find.

For example, playable ads doubled Nexon’s app installs from one particular source, says Executive Director of User Acquisition Warren Woodward.

“Now we’re making as many playables as possible,” Woodward says. “If you’re not games, think about other ways you can make interactive ad units. The rest of us are… you won’t be in the game if you’re not.”

Summing up

Granularity isn’t just a nice-to-have. It’s an essential attribute for marketers who want to scale profitably.

The good thing: it’s easy to get.

Dig deeper into granularity: See how the best growth marketers achieve it with ease.