Blog

Singular integrates Google Play referrer API: A major step forward in the fight against mobile ad fraud

By John Koetsier November 22, 2017

Singular is excited to announce our integration of the new Google Play Referrer API, a new way to securely retrieve install data from the Google Play Store that will dramatically weaken fraudsters’ ability to steal credit for app installs.

The Google Play Referrer API, which is now fully integrated into the Singular platform, will allow mobile measurement providers to effectively eliminate click injection fraud as a threat to mobile marketing budgets. Singular has been working closely with Google on the API along with a select team of mobile measurement partners.

As Singular’s landmark study on mobile ad fraud recently revealed, click injection attacks account for at least 35% of prevented ad fraud each month, making click injection the single largest threat to mobile advertisers today.

In click injection schemes, fraudsters create malicious apps that are legitimately downloaded by a user but, unbeknownst to the user, monitor the user’s device for app installs. Upon detecting an install, fraudsters steal credit from paid and organic sources in multiple ways:

  1. They send fake clicks that get recorded as the last click, thereby earning credit for the install.
  2. More sophisticated fraudsters also leverage Android’s internal messaging system to send their fake click’s Referrer to the app. Because attribution systems prioritize referrer messages over other touch points, this is a particularly effective way for fraudsters to steal credit for the install.

With the Google Play Referrer API, Singular now protects against both of these attacks with secure Referrer and Timestamp data made available in the new API.   

Referrer Verification

Referrer data provides a unique and versatile mechanism to deal with click injection and click spamming attacks, as it enables attribution providers to know, upon install, which click led to the store session in which the user installed the app.

An investigation by Singular’s Fraud Research Team also uncovered an attack named Referrer Injection, which leverages a security hole in the old implementation of this mechanism. Google’s new API addresses this issue and takes the industry another step forward in the fight against advertising fraud.

Referrer injection

A secure referrer allows Singular to generate a unique referrer for every click in real time while redirecting to the Play Store. The new API also provides a more robust way for Singular to access the referrer information ensuring better coverage and less attributions with no referrer information.

New Timestamps in the Google Play Referrer API

But not all clicks contain referrer data. In the case of organic traffic, or users who land directly in the Play Store, attribution providers don’t receive an ad click and therefore receive no Referrer data to verify.

In these cases attribution providers may lean on measuring the time between an ad click and an install to prevent the fraudulent activity. This method, often called Time to Install (or TTI in short), has proven problematic in the past as it’s hard to decide on the correct thresholds and balance between blocking click injection and accidentally blocking legitimate clicks.

Here, too, the Google Play Referrer API has made such prevention methods dramatically more effective by providing timestamps for different stages in the process, enabling these methods to become much more accurate and deterministic.

Two new timestamps in Google’s new API allow attribution systems to now see when:

  1. A user opens the Google Play Store; and
  2. When a user clicks install in the Play Store.

Here’s an example of the timestamps currently received by Singular following our integration with the Referrer API, with the new timestamps in bold:

  1. User clicks an ad [10:15:01]
  2. Google Play Store opens [10:15:02]
  3. User clicks install in the Play Store [10:15:05]
  4. User opens the app for the first time [10:15:37]

Injected clicks will arrive after Timestamp #3, when the malicious app receives a notification that an install has begun on the user’s device and starts sending fake clicks. Once the user opens the app for the first time the attribution provider would receive Timestamp #2 and all clicks that occurred after that time will be rejected. In such cases, fraudsters have essentially lost their window to inject clicks to steal organic traffic.

We applaud the Google Play Referrer API and Google’s commitment to equip advertisers and their attribution providers with the information they need to enhance mobile ad fraud prevention.

For an in-depth look at the industry’s most effective fraud prevention methods and the Ad Networks driving the lowest rates of ad fraud, download the Singular Fraud Index, the only study to analyze mobile ad fraud data from multiple ad fraud prevention solutions, revealing a first of its kind view of the mobile fraud landscape.

Download The Singular Fraud Index to see The Industry’s Most Active Fraud Prevention Methods & The 20 Most Secure Mobile Ad Networks

Stay up to date on the latest happenings in digital marketing

Simply send us your email and you’re in! We promise not to spam you.