Update: An earlier version of this article stated that click injection is when a fake app is created for malicious purposes, but it is actually when a real, low-quality app is created to trigger fraudulent clicks. The article has been adjusted to reflect this.
A type of ad fraud that has dogged the industry for decades reared its head again this week: click injection.
Facebook announced it is suing two app developers that have used click injection on its platform in order to fraudulently generate ad revenue. Fraud experts have described that this particular case of malicious attack, and Facebook’s response, as unprecedented. Need a refresher on why this is a big deal? Here’s a primer.
OK, what is click injection?
There are tons of varieties of ad fraud, and click injection is a type used by fraudsters on apps specifically. It has evolved from click spamming (when a fraudster attributes clicks to users who haven’t made them), and is when a fraudster creates a low-quality Android app that is purposefully designed to hijack a user’s device and create a legit-appearing click in order to siphon revenue from campaigns that are measured, and paid for, on a cost-per-install basis on mobile devices. As part of the process fraudsters can detect when another app is about to be downloaded, and trigger clicks right before the install completes. The fraudster then gains credit for the installs.
This isn’t new, so why is it coming up now?
Click fraud has been around for a couple of decades, but never before have there been examples of mobile apps designed specifically for a fraud scheme that exploits both Google’s Play Store and Facebook’s Audience Network, until this week. On July 13, Facebook sued two app developers — LionMobi in Hong Kong, and JediMobi in Singapore — that it had discovered were deploying the tactic on its platform to generate fraudulent revenue. “Facebook is signaling to the world that third parties are or have been abusing their platform,” said Augustine Fou, independent anti-fraud consultant.
What were more common former techniques?
Previously, bad actors inserted malicious code into otherwise legitimate apps in order to register false clicks in the background, according to Mike Bittner, associate director of digital security and operations at The Media Trust. Google recently banned an app called CooTek, which featured malicious adware for instance. “Lionmobi’s and Jedimobi’s apps show malicious developers’ deepening knowledge of the various digital ad supply chains and appear to be improving their mastery of infiltrating the walled gardens,” said Bittner.
So who does this hurt?
Marketers mainly. The tactic enables fraudsters to trick advertisers into thinking users have engaged with, or clicked on, their ads. The result is that those advertisers may think those channels are performing well, and so they will continue to spend or even increase their spending amount. So it mucks up the accuracy of marketers’ data, creating a real attribution headache for marketers. But like any ad fraud, it’s not good for anyone in the digital ad supply chain.
Why is it important Facebook has sued these developers?
Platforms including Facebook are under heaps of regulatory scrutiny, for various reasons including data privacy. After the Cambridge Analytica scandal, Facebook will likely be keen to, at least be seen to, keep its nose clean, both to consumers and data protection regulators. “It makes sense that these companies [tech platforms] will want to maintain or restore consumer and business confidence in the security and privacy of their digital ecosystems,” added Bittner. “They want to avoid the fines, the headlines, and any other issues that can hurt consumers and their business.”
Ad fraud has always been likened to a game of whack-a-mole. Is Facebook’s lawsuit likely to make much of a difference?
It could. Much of the digital ad industry infrastructure is predicated on the model where high revenues are generated from high volumes of ads delivered. Some believe that this has been what has allowed fraud to fester for years — that ad tech vendors aren’t typically incentivized to quash ad fraud because they do well from high volumes of ads running through their platforms, whether they’re legitimate or not. But Facebook’s no-tolerance stance to these two app developers this week may make a real difference. “I see the momentum building where mainstream companies are finally starting to sue fraudsters, thus making it a bit harder for fraudsters to get away with it or do fraud without a care in the world,” added Fou.
How agencies adapt as bots evolve
Social media bots may represent just a sliver of an app's total users, but it turns out they may be generating more content than we were previously aware. The challenge is separating the good ones from the bad.
Publishers feel the crunch of cookieless browsers like Apple’s Safari
Bid enrichment provides publishers the means of sprucing up their cookieless impressions to improve their value in advertisers’ eyes.
Why Hearst is building a commerce marketplace
Publisher commerce marketplaces aren't always successful, but Hearst's Sheel Shah hopes his company's new marketplace will capitalize on the natural evolution of its readers' online shopping habits.
Sponsored<strong>How marketers are responding to shoppers’ wants this holiday season</strong>
Matthew Tilley, executive director, marketing, Vericast With the holidays right around the corner, the economy may force some consumers to adjust their plans and stretch their dollars even further. While some shoppers may rein in their spending, others will still go all out despite a cloudy economic outlook. Given the current economic climate, consumers are […]
How The Independent is getting brands on board to advertise against breaking news
Advertisers are skittish about breaking news, but The Independent's Blair Tapper is trying to humanize the programmatic funnel to keep them spending during a tumultuous news cycle.
‘Death by a thousand paper cuts’: Publishers fret over alternative ID overload hurting site performance
Publishers lack the data to know which IDs they can afford not to support and are worried a surplus of IDs can slow page-load speeds and lower sites' search rankings.