A Quick Guide to SDK Spoofing

Install and event spoofing attacks in mobile marketing have been highlighted as on the rise recently, but it has been the dominant form of mobile ad fraud for almost a decade. Our own research suggests that over 40% of all mobile marketing data is actually spoofed.

In the context of information security, and especially network security, a spoofing attack is a situation in which a person or program successfully identifies as another by falsifying data to gain an illegitimate advantage.

SDK spoofing — sometimes also referred to as a "replay attack" — is a form of manipulation targeting mobile performance campaigns, where an attacker generates legitimate-looking install events without any real installs ever occurring. No real user downloads the app. No real device runs it. But an advertiser's attribution platform logs an event or install event and everyone along the value chain earns a commission – apart from the advertiser.

What makes spoofing distinct from simpler attack methods like device farms or emulation is that the data used to spoof these install signals is often copied from real devices and real user data. Attackers mimic these users in order to bypass the machine-learning algorithms trained to find patterns of manipulation - and because the spoofed data is authentic (in the sense that it can be corroborated with former interactions of the real device and user in real app engagements) and doesn’t show signs of manipulation, attackers bypass detection altogether.

Attackers collect real device data — through apps they have access to or through legitimate third-party advertising services that provide the needed data through bid requests for example. . With access to genuine device data, the spoofed installs become far more convincing. This is what makes catching this kind of attack so difficult - the device being mimicked is real. The signal path is real. Only the intent is fraudulent.

The Feedback Loop Clouding Measurement

The most destructive part of this scheme is that the quality of traffic generated through spoofing can often appear higher than that of legitimate paid user acquisition. This creates a perverse incentive in which advertisers end up directing more budget toward the very channels defrauding them, because the downstream metrics often appear healthy and suggest growth. That's the deeper problem with spoofing and mobile ad fraud — not just that it steals budget, but that it can do so while actively distorting the decisions app publishers make with the data they think they can trust.

Whereas current MMP-based detection tries to find bots after the fact using probabilistic methods applied to already-corrupted data, KAZIMI's approach is deterministic — the question of whether a signal originated from a real human inside a real app is answered with certainty, making KAZIMI’s solution highly accurate, allowing mobile marketers to detect SDK spoofing and a variety of additional attacks and take action to limit the damage.

That means you can make better decisions to improve the bottom line, including KPIs across the entire marketing and re-engagement value chain: from the first install through to long-term LTV, retention, and re-engagement.