This article originally appeared in Digiday on August 9, 2019.
Update: An earlier version of this article stated that click injection is when a fake app is created for malicious purposes, but it is actually when a real, low-quality app is created to trigger fraudulent clicks. The article has been adjusted to reflect this.
A type of ad fraud that has dogged the industry for decades reared its head again this week: click injection.
Facebook announced it is suing two app developers that have used click injection on its platform in order to fraudulently generate ad revenue. Fraud experts have described that this particular case of malicious attack, and Facebook’s response, as unprecedented. Need a refresher on why this is a big deal? Here’s a primer.
OK, what is click injection?
There are tons of varieties of ad fraud, and click injection is a type used by fraudsters on apps specifically. It has evolved from click spamming (when a fraudster attributes clicks to users who haven’t made them), and is when a fraudster creates a low-quality Android app that is purposefully designed to hijack a user’s device and create a legit-appearing click in order to siphon revenue from campaigns that are measured, and paid for, on a cost-per-install basis on mobile devices. As part of the process fraudsters can detect when another app is about to be downloaded, and trigger clicks right before the install completes. The fraudster then gains credit for the installs.
This isn’t new, so why is it coming up now?
Click fraud has been around for a couple of decades, but never before have there been examples of mobile apps designed specifically for a fraud scheme that exploits both Google’s Play Store and Facebook’s Audience Network, until this week. On July 13, Facebook sued two app developers — LionMobi in Hong Kong, and JediMobi in Singapore — that it had discovered were deploying the tactic on its platform to generate fraudulent revenue. “Facebook is signaling to the world that third parties are or have been abusing their platform,” said Augustine Fou, independent anti-fraud consultant.
What were more common former techniques?
Previously, bad actors inserted malicious code into otherwise legitimate apps in order to register false clicks in the background, according to Mike Bittner, associate director of digital security and operations at The Media Trust. Google recently banned an app called CooTek, which featured malicious adware for instance. “Lionmobi’s and Jedimobi’s apps show malicious developers’ deepening knowledge of the various digital ad supply chains and appear to be improving their mastery of infiltrating the walled gardens,” said Bittner.
So who does this hurt?
Marketers mainly. The tactic enables fraudsters to trick advertisers into thinking users have engaged with, or clicked on, their ads. The result is that those advertisers may think those channels are performing well, and so they will continue to spend or even increase their spending amount. So it mucks up the accuracy of marketers’ data, creating a real attribution headache for marketers. But like any ad fraud, it’s not good for anyone in the digital ad supply chain.
Why is it important Facebook has sued these developers?
Platforms including Facebook are under heaps of regulatory scrutiny, for various reasons including data privacy. After the Cambridge Analytica scandal, Facebook will likely be keen to, at least be seen to, keep its nose clean, both to consumers and data protection regulators. “It makes sense that these companies [tech platforms] will want to maintain or restore consumer and business confidence in the security and privacy of their digital ecosystems,” added Bittner. “They want to avoid the fines, the headlines, and any other issues that can hurt consumers and their business.”
Ad fraud has always been likened to a game of whack-a-mole. Is Facebook’s lawsuit likely to make much of a difference?
It could. Much of the digital ad industry infrastructure is predicated on the model where high revenues are generated from high volumes of ads delivered. Some believe that this has been what has allowed fraud to fester for years — that ad tech vendors aren’t typically incentivized to quash ad fraud because they do well from high volumes of ads running through their platforms, whether they’re legitimate or not. But Facebook’s no-tolerance stance to these two app developers this week may make a real difference. “I see the momentum building where mainstream companies are finally starting to sue fraudsters, thus making it a bit harder for fraudsters to get away with it or do fraud without a care in the world,” added Fou.