App install and transaction fraud are becoming too large to ignore. Hundreds of thousands of apps exist, across nearly every mobile system, for practically any type of digital interaction and content consumption. Fraud can happen at any stage, from clicks to installs to gameplay.  

In-app fraud is more difficult to detect than web fraud since developers can sneak in functionality that is more difficult to inspect. In addition, as long as the user experience is satisfactory and apps aren’t draining batteries, fraudsters can continue faking downloads, app usage and opening apps without anyone knowing the difference.

Here are seven things about in-app fraud that can help brands protect their ad budgets.

1. All devices are impacted

Although devices that are not jailbroken have a lower chance of being hacked, they are still vulnerable. For example, if an iPhone 6 has Siri enabled, the Gambino glitch can provide a “backdoor” into the phone. More than 86% of Apple iPhones in the world with versions prior to iOS 9.3.5 are vulnerable to a security flaw that allows a hacker to completely take over the device with just a text message.

There are steps you can take to ensure you are protected. These include updating your phone’s firmware to the latest version, deleting text messages from an unknown sender, keeping the device in ‘lock’ mode when not in use and only downloading apps from a trusted source.

2. Illegitimate apps appear in legitimate stores

Sizmek found dozens of blacklisted developers’ apps on both Google Play and the App Store. The New York Times recently reported a deluge of fake apps appearing in legitimate app stores right before Christmas.

They can be relatively harmless — essentially junk apps that served up annoying pop-up ads. However, there are potential risks to using a fake app; for example, inputting your credit card information exposes customers to potential fraud. Also, some fake apps contain malware that can steal personal information or even lock the phone until the user pays a ransom.

3. Apps can fake their popularity

Computer-generated qualitative reviews are posted giving fraudulent apps a higher probability of being distributed. Typically the fake reviews are posted gradually over time so that rankings won’t rise too quickly to set off a red flag. There are steps you can take to spot these fake reviews. Be careful of the phrasing being used, it tends to be the same style and wording and in most cases the text is even identical. Users can also look through reviews and can spot apps that are all using the same services to acquire app reviews and have the same reviewers.

4. Fraudulent apps are often polite

They operate when connected to electricity and WiFi and when the screen is off. By not being intrusive, or bothersome, fraudulent ads can continue working without interruption. This provides a way to continually serve mobile ads, ads mind you, that aren’t even being seen.

The developers of such apps are very tricky, often purporting to be a similar version of an existing online store, for example, a recent case of the fraudulent Overstock Inc app mimicking the existing deals app. These ‘me-too’ apps lure consumers in and are a cause for confusion as to which app is actually genuine.

5. Every stage is faked

Fraudulent ad bots can also fake movements within a game such as opening an app, clicking and moving around a card in Solitaire to meet a specific KPI that results in charges to an advertiser.

Chat bots are now being used in contact centres to have a conversation with customers, simulating gameplay is far less sophisticated. They even make sure they don’t win too quickly to avoid suspicion. Since this activity closely resembles genuine human actions, the bots are harder to detect by anti-fraud systems that look at behaviour to determine whether impressions came from humans or not.

6. Fraudsters bypass protection systems

KPIs used to verify ads will increase from downloading a game app to opening the app, to playing and then engaging for a specified period of time. The difficulty is that just as quickly as marketers build a higher wall to protect themselves, fraudsters will continue to climb over them and in the long term, it’s not an effective means of protection.

One way for advertisers to ensure that ad traffic is valid is to detect and weed out bot-generated traffic before making a final call on what percentage of the traffic is viewable. By combining fraud detection with viewability they can be more certain that ads are legitimate and fully rendered and within viewing range on screens of mobile devices.

7. Ads masquerading as other apps

Another form of fraud is having advertisers pay for ad impressions that don’t really appear on the premium app they expected and paid for. For example, a flashlight app can claim there are views over an extended period of time. But when the app is opened, users aren’t even looking at the screen, and marketers would have no idea that they are paying for ads that the viewer never saw.

Another downside to these types of apps is that when a user opens the flashlight app, a web page will open stating the device is infected with malware and the user needs to download an anti-malware app. In worst cases, the ad will trick users into actually downloading malware on the device.

There is a lot of cleaning up to do when it comes to in-app ads. If something looks too good to be true, it probably is. You have to look for signs that don’t add up and research further. It’s not always about technical tools; it’s about being aware and giving hints to teams where there might be a problem. Combining data with common sense can be the best way to protect marketing budgets and keep in-app fraud at bay.