Some more specific examples of reverse engineering
1. An example with the “% of new devices” parameter
Some time ago, one of the anti-fraud solutions introduced a new metric for identifying bots and device farms: “% of new devices”. The metric showed the share of devices that this anti-fraud solution had not previously identified in other apps or games. For developers with a fairly large device base, it made it possible to judge from the percentage of new devices whether they were dealing with bots or device farms. Against a standard level of 15-20%, any cohort with about 80-90% new devices pointed to possible fraudulent activity in which device parameters are reset and new ones generated. The metric was introduced publicly, and just 2 weeks later forums for app developers and advertisers filled with questions like “Why does my app have abnormal peaks of organic installs without any post-install activity afterward?”. Nobody knew the exact answer at the time. One explanation was that fraudsters had reverse-engineered the “% of new devices” metric. It was enough for them to download a few more apps organically before downloading the target app: the fraudulent device was then no longer displayed as "new" and already had a history of app downloads. As a result, the metric lost its accuracy in fraud identification.
2. An example with modified click spam
Click spam fraudsters quickly noticed that anti-fraud solutions identify them through an abnormal distribution of TTI (Time To Install) by day. A "long tail" with a TTI of 2, 3, 4 days clearly pointed at click spammers. So the fraudsters made the next move in this game: they simply started to "cut off the long tail", leaving only installs made within one day. Using various techniques, modified click spam fraudsters try to limit the TTI of their traffic to 1 day, hoping to be less visible this way.
Modified click spam can also use new ways to "infect" users, for example through Wi-Fi access points in public places. In this case, users click on elements of the UI start page, and all subsequent organic devices automatically go to the click spammers. Some click spam fraudsters can even modify the attribution type, changing it from click to view to be less visible.
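The checks behind examples 1 and 2, as an added illustration that is not part of the original article or any anti-fraud vendor's code: a per-source report over constructed install records that computes the share of new devices, the share of installs with a TTI of 2 days or more, and the share with any post-install activity. The field names, the TTI and activity thresholds and the sample cohorts are assumptions; only the 80% new-device level comes from the text.

```python
from collections import defaultdict

# Thresholds. Only the first comes from the article; the other two are assumptions.
NEW_DEVICE_ALERT = 0.80  # article: 80-90% new devices vs. a standard 15-20%
TTI_TAIL_ALERT = 0.30    # assumed share of installs with a TTI of 2 days or more
ACTIVITY_FLOOR = 0.05    # assumed minimum share of installs with any post-install event


def sample_cohort(source, n_new, n_tail, n_active, n=100):
    """Constructed sample data: n install records for one traffic source."""
    return [{"source": source,
             "known_before": i >= n_new,  # device seen earlier in other apps/games
             "tti_hours": 60.0 if i < n_tail else 3.0,
             "active_after_install": i < n_active}
            for i in range(n)]


def cohort_report(installs):
    """Per-source new-device share, TTI long-tail share and post-install activity."""
    by_source = defaultdict(list)
    for rec in installs:
        by_source[rec["source"]].append(rec)
    report = {}
    for source, recs in by_source.items():
        n = len(recs)
        new_share = sum(not r["known_before"] for r in recs) / n
        tail_share = sum(r["tti_hours"] >= 48 for r in recs) / n
        active_share = sum(r["active_after_install"] for r in recs) / n
        flags = []
        if new_share >= NEW_DEVICE_ALERT:
            flags.append("new_devices")
        if tail_share >= TTI_TAIL_ALERT:
            flags.append("tti_long_tail")
        if active_share < ACTIVITY_FLOOR:
            flags.append("no_post_install_activity")
        report[source] = {"new_share": new_share, "tail_share": tail_share,
                          "active_share": active_share, "flags": flags}
    return report


INSTALLS = (sample_cohort("baseline", n_new=18, n_tail=5, n_active=60)
            + sample_cohort("source_a", n_new=85, n_tail=0, n_active=40)
            + sample_cohort("source_b", n_new=20, n_tail=40, n_active=30)
            + sample_cohort("source_c", n_new=15, n_tail=0, n_active=0))

if __name__ == "__main__":
    for source, row in cohort_report(INSTALLS).items():
        print(source, row)
```

In the sample data, source_c passes both metric checks and is flagged only by the post-install activity check.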
3. An example of faking post-install and financial events
Many advertisers provide publishers (ad networks) with a list of post-install events and their benchmarks, which can be used for further traffic optimization. Such a list may include the following metrics:
- % of paying users;
- retention rate (Day 1 / Day 7);
- % of registration rate;
- % of ROI (Day 1 / Day 7).
On the one hand, such metrics are very helpful to non-fraudulent publishers in optimizing their ad campaigns. On the other hand, the same information is also of great help to fraudsters who use smart bots and intelligent device farms: they will try to fake exactly these event benchmarks while staying invisible to the advertiser.