A killer business idea might be a mobile app that can generate lots of downloads and money, right? That seems to be a clear path to success for young entrepreneurs or someone who’s eager to start his own business.
If you talk to Abdullah, you’ll probably rethink your approach a bit and start evaluating its implications and see the whole picture.
Abdullah Joseph is a Security Specialist at Adjust, a mobile analytics company, and he is part of its Fraud team. He will be on the DefCamp stage this year and will show the audience how a popular app with over 10 million downloads can steal mobile traffic.
If this caught your attention, then you’ll certainly enjoy this interview with Abdullah as well.
In his new role as a Security Specialist, Abdullah has the opportunity to research current and future ad fraud techniques and try to find an antidote for them.
That’s why we believe he can help us understand how frequent ad fraud cases today are and what their average magnitude and impact are.
Mobile development companies and publishers spend quite a bit of their budget on advertising and marketing. According to Business Insider, if the rate of fraud continues, Ad Fraud will cost advertisers $50 billion dollars by 2025. One can see similar numbers repeated in different reports.
By our own measurements, we’ve seen outliers of up to 90% of budgets stolen. Adjust’s Fraud Prevention Suite rejects attribution for, on average, 800,000 installs or roughly $1.8 million in advertising cost per day. You develop an app, pay a lot of money to have it known and you get around 10% for what you paid for. It’s a horrible deal.
We loved Abdullah’s straightforward answer and how he puts things into perspective on this topic. And that’s an example to follow by those who work in the mobile advertising world. A little bit of realism can be like a fresh breath of air, right?
When we asked him about the most common types of ad fraud that occur in today’s mobile advertising, we felt like one of those moments in school when you hear “Today we’re gonna learn about SDK Spoofing and Click Injections”. We also kept our eyes on the prize because these are “two most prominent attacks we see most often and believe they hurt the largest number of clients.”
Ready to find out more? Let’s dive right into it.
First, Abdullah shares more details about the company he’s working for at the moment, which is “an Attribution Provider or AP for short”.
“To make use of an AP, advertisers (app developers that want to advertise their product and measure the success of their campaigns) need to install a library in their app which would communicate the app’s install attribution data to the AP servers.
1. SDK Spoofing occurs when a malicious agent masquerades as the user’s device, which would allow them to inject fake attribution data in the AP servers as well as the app developer’s servers.
In other words, SDK Spoofing happens when a malicious actor generates legitimate-looking installs or other tracked events without any real installs or events aimed at stealing the advertiser’s user acquisition budget.
SDK Spoofing is very much a prominent danger, but it requires quite a bit of someone who’s tinkering and reversing an app, an ad campaign in order to extract the relevant information the attacker would need to spoof the communication.
2. Click Injection, on the other hand, aims to claim attribution of all installs occurring on the device it takes over.
It works as follows: A malicious agent would create and publish an app. Besides the app’s intended function, it would also serve as a ‘listener’ for user downloads and run in the background. As soon as the user installs a new app, the ‘listener’ app would execute a few targeted ad-clicks in order to get cost-per-install (CPI) payouts. This works regardless of whether the user installed the app organically or by following an ad.”
Are you excited about the new terms you’ve learned today? We are too :-). Abdullah has a knack for explaining them in plain terms, so non-infosec Internet users can also understand too.
Moving on to another aspect of the fast-paced world of advertising, we were curious to find out his thoughts on the main security challenges related to securing ad tech and what is currently being done to overcome them.
Once again, Abdullah gives us a practical and useful answer:
I believe one of the main problems is authentication and verification: AP servers receive an install. It says it originated from device XYZ at a specific time. It also carries all the necessary flags and data that makes it look like a legitimate install, however, it could be completely faked from a bot or an emulator with no real user behind it. Maintaining a list of vetted device identifiers is challenging since the user can generate new ones quite easily. This makes it very important for APs to come up with cryptographically-secure solutions in order to verify the communication and authenticity of the install.
He mentions AP a couple of times during the interview that we had to know how he sees his role as an attribution provider in the digital marketing world.
“Our role is to be the point of truth, in measurement and attribution, therefore we need to make sure that the data we process and distribute is as close to reality as possible.“
As an attribution provider, clients rely on us to deliver authentic results in real time with a high degree of accuracy. If we are not verifying attribution data properly, this is a big problem.
It’s also our role to teach clients about proper security measures and how they can check their campaign goal against their statistical data in order to spot subpar supply sources.
To be more specific, Abdullah turns to a practical example:
One can draw a good comparison between mobile ad fraud and web ad fraud. Click Injection does indeed look like the old scam that browser toolbar spyware used to do a long time ago. There were many good measures that browsers and merchants applied in terms of security, but the best one, in my opinion, was proper user education.
If the users understood what are they pressing “Yes” to, much of the attackers’ work would be rendered null and void. Google is doing a terrific job in showing very clear and concise “App Permissions” when installing a new app. Unfortunately, very few users actually read them.
Clearly, when it comes to installing a new app, few of us actually read the “apps permissions” and understand the security risks associated with accepting them.
It’s worth to remember that app marketing is booming and ad fraud in the mobile app marketing is probably evolving at the same pace. We wanted to see how Abdullah perceives this evolution as a phenomenon and if it will be on the list of priorities for decision makers anytime soon.
The mentioned figures are quite rampant. A lot of malicious actors are benefiting from keeping the status quo as this: have the app marketers spend as much of their budget as possible on faked installs that have no user engagement, which leads the marketers to spend even more money and make less intelligent decisions.
I believe some decision makers will not pay too much attention to this and put their trust and money willingly in the wrong hands. However, many marketers will see that the numbers are climbing to nightmarish figures.
It then becomes the job of an AP to be the honest broker that show them where their money has gone and which supplier gave them false promises.
Did we mention how much we like Abdullah’s frank and pragmatic answers?
This is a perspective that’s wise to consider by decision makers and recommendations worth applying if they don’t want to fall prey to malicious actors.
Fraud attempts in the ad tech industry are challenging for infosec specialists too. Their challenge is to find solutions in a field where algorithms and automation are the rules of thumb.
I think Apple and Google, the two biggest mobile players, are well aware of the issue and they are working very diligently to secure the communication between the client and the verifiers.
I feel it’s important to note that the mobile ad industry is very hungry for a proper collaboration, commentary and experience exchange from the security folks in the industry since that would raise the bar quite high for attackers to launch such attacks.
If you have more questions for Abdullah after reading this interview, you should be at DefCamp#9 on November 8-9!
We feel like DefCamp is just around the corner (only three weeks left) and we couldn’t be more excited about it!
DefCamp is powered by Orange Romania and it’s organized by the Association “Research Center for Information Security in Romania” (CCSIR).
DefCamp 2018 is sponsored by Ixia, Keysight Business, SecureWorks and Intralinks as Platinum Partners and it’s supported by IPSX, Bit Sentinel, TAD Group, Enevo, Crowdstrike, CryptoCoin.pro, Siemens, Alef, UiPath, Atos and Kaspersky Lab.