Two very different digital advertising fraud schemes were uncovered last week, both designed specifically to deceive advertisers, diverting legitimate ad budgets from expected authentic user interactions into the pockets of bad actors.
Security researchers from Check Point recently released information detailing a new family of malware called Tekya. Many app-related, malware-driven fraud schemes have been uncovered by various security research firms over the last year, and this approach reinforces that users and advertisers can’t assume apps in the Google Play Store have been thoroughly vetted.
How It Worked
The perpetrators of this scheme created apps that closely resembled legitimate apps, many of them targeted at children (figure 1). Once downloaded, the malware at the core of the scam evaded Google detection and faked user actions to generate clicks.
Figure 1 – Note the similarity of the authentic app (right) with the fake version loaded with Tekya malware (left)
Why PubMatic Was Not Exposed
A direct path to supply is an advertiser’s best defense. These types of apps will never have the most direct supply paths, relying instead on an intricate web of aggregators to reach demand. Of course, most app developers don’t have the resources to strike direct inventory deals with marketers, and reputable developers resell their inventory using well-regarded aggregators of app inventory. It is important that both buyers and app developers thoroughly vet their tech partners to ensure quality standards are met.
PubMatic is proud to have had no exposure to the inventory from the apps associated with this scheme; our focus on allowing only the highest-quality channel partners and ad networks onto our exchange meant that these fraudulent apps never even crossed our quality compliance team’s desk. You can find the list of apps, all of which have been pulled from the Google Play Store, below.
Roku CTV Scheme
While app-based ad fraud schemes are uncovered frequently, and mobile app security is broadly researched, CTV has thus far been able to avoid such scrutiny. Pixalate recently unveiled research, accompanied by a story in Adweek, detailing a scheme they call Monarch. Named after the company at the center of the scheme, the ad fraud associated with Monarch exploited the attraction of buyers to Roku CTV content and ad inventory (per the Adweek article, Roku sees 59% of all CTV programmatic inventory).
How It Worked
Buyers expecting their ads to appear on channels that mostly featured public domain content (more on that mistake later) instead had their ads playing on Roku channels that featured passive experiences, like virtual aquariums and fireplaces, which effectively have no audience. Moreover, Pixalate notes that their research suggests large device farms ultimately may have been used to display the ads.
Pixalate identifies the business entities involved, which is an unusual step in these types of reports, which tend to focus on the forensics. While the details provided in this investigation are intriguing, it’s more important to understand who benefited from this scheme – cui bono. In this case, Barons Media, Monarch Ads and Aragon Creek were entities identified as participating in the scheme (and which happen to be controlled by the same owner).
While exact estimates of how much advertisers lost to this scheme are impossible to ascertain without a full audit and accounting of all advertisers involved, Pixalate cites a potential CPM of $25 for the inventory advertisers were expecting to fill, while Adweek hints at a seven-figure loss.
Why PubMatic Was Not Exposed
PubMatic’s Inventory Quality team is charged with reviewing prospective supply partners wanting to resell inventory on the PubMatic platform. The team has reviewed many suppliers claiming the ability to monetize Roku channels, but upon closer review, the content of many of these channels submitted for review consists only of public domain content from 50+ years ago, screensavers, and other content that would simply not attract the number of users claimed by these suppliers.
Take this Roku channel as an example (figure 2). Our IQ team found it implausible that a channel featuring content produced in the 1940s, which upon further research was discovered to be in the public domain, would attract any significant number of viewers. Our IQ team regularly rejects suppliers who feature these types of channels as inventory sources, as the team suspected these channels were created solely as a front for ‘traffic laundering’ (e.g. traffic may be human, but could be coming from some other disreputable source) and/or artificial inventory spoofing (e.g. completely fake traffic coming from bots or other non-human sources).
Figure 2 – Public Domain Content Roku Channel
Lesson for Buyers
Even as the economy reels from the impact of the Coronavirus pandemic, fraudsters are not going to take a break from their schemes designed to siphon money from marketers. Moreover, as ad budgets are reduced and belts tightened, I suspect there will be more oversight and scrutiny on how digital ad budgets are spent. Thus, it’s critical that buyers understand where every dollar is allocated and take special care that the sites/apps/channels they choose to sponsor have legitimate audiences and carry a low risk of being a vector for fraud.
Choose good partners who have a strong reputation for quality, who understand how critical good supply quality is for buyers. Think of the programmatic supply ecosystem like buying an investment property–only by working with skilled experts can the true value of that investment be determined.
List of Tekya Click Apps:
List of Apps that Barons Media/Aragon Creek have been selling: