SDK spoofing is a new form of mobile app fraud quickly gaining momentum whereby fraudsters tap a stranger’s mobile device to install a fake app. The fraud attack usually goes undetected by the end user. However, the advertiser is still being charged.
Now, app measurement company, Adjust, has come forward and launched a solution to tackle SDK spoofing, or replay fraud.
“The connection is real, the device data is real, the device is real. It is bad enough that there is no interaction between the user and the promotion for the advertised app. But, the bigger problem is that there is not even an actual installation,” says Andreas Naumann, Fraud Specialist at Adjust, on the discovery of the SDK spoofing fraud.
To combat SDK spoofing, Adjust has created a signature hash. The feature will be available to all clients regardless of whether they are using the company’s Fraud Prevention Suite. It is becoming available as part of SDK version 4.12.
Data suggests that SDK spoofing is a global issue. Indeed, 80% of all installations are now attributable to SDK spoofing and the fraud type is gaining momentum. Advertisers could be losing 80% of their budgets to a single campaign.
Adjust added that SDK spoofing had not yet reached its limit. Instead, it is likely to grow rapidly if the industry does not take preventative measures.
The way SDK spoofing works is simple. Fraudsters collect real device data through their own apps or app access. Once they have gained access to the device data, fraudsters can simulate installations and launch a fraud event on a user’s device. App developers are then wasting their marketing budgets on app installs which aren’t really happening.
With Adjust’s new signature hash, the company has developed a more dynamic parameter to a measurement URL. This cannot be guessed or stolen and will only be used once.
App developers can renew the hash for different versions of their apps.
The solution is available now as part of Adjust’s SDK version 4.12.