
Anatomy of Mobile Ad Fraud: SDK Spoofing

Updated: Jul 7, 2022

A majority of internet traffic comes from mobile devices. In fact, with 6.4 billion smartphone users worldwide, internet-based media is consumed by more people than television. As a result, internet advertising on mobile devices is becoming increasingly important to digital marketers. At the same time, however, mobile ad fraud is on the rise, and this threat hangs over advertisers and enterprises. Cybercriminals are focused on devising new ways to defraud and profit from mobile users, and recently they have ramped up their illegal activities with SDK spoofing, a new but incredibly dangerous form of mobile ad fraud. Let's take a look at what it is and how to combat it.

What is SDK Spoofing?

Software Development Kit (SDK) spoofing is a relatively new, advanced, and sophisticated kind of mobile ad fraud. It uses a legitimate device ID together with knowledge of how different app SDKs convey install and attribution data. With that information, it reports that an app has been successfully installed on a device when it has not. As a result, it costs advertisers money by generating valid-looking installs that are extremely difficult to detect.

An SDK is often used to develop an app, a desktop program, or a plug-in. However, because certain SDKs are open source, they can be injected with malicious code to infiltrate a user's device. Because SDKs are the most common means of creating apps, most developers are unaware of any malware inside them. SDK spoofing is frequently carried out without the knowledge of the app's developers or owner.

Fraudsters use mobile devices to install a fake app or infiltrate an existing app without the user's knowledge. They then collect data in those apps with malicious intent. It is very difficult to tell whether an installation is genuine, and fraudsters take advantage of this fact: the source is authentic, and the device data generated is authentic, but the installation never took place. Unfortunately, advertisers are wasting money on fake engagements. Even consumers are unaware that their phone has been hijacked and has become an unsuspecting accomplice in fraud.

Identifying SDK spoofing


Let's take a step-by-step look at how SDK spoofing works.

  1. Fraudsters bypass the secure sockets layer (SSL) encryption on the communication between a tracking SDK and its backend servers by performing a man-in-the-middle (MITM) attack.

  2. The fraudsters create a series of 'test downloads' for the app they want to hijack or infiltrate.

  3. They then figure out which URL calls correspond to which app operations.

  4. Cybercriminals investigate which sections of URLs are static and which are dynamic.

  5. They then put their setup through its paces and experiment with the dynamic elements.

  6. Finally, once a single install has been successfully tracked, fraudsters know they've found out how to produce installs using a URL setup.

  7. They then go through the process again and again, forever.

SDK Spoofing's Impact

Mobile advertising accounts for more than 70% of all internet marketing, and fraudsters have plenty of room to be inventive. Thanks to SDK spoofing, the malware components in some apps can simply view adverts on a hidden web page or within the app. As a result, this type of mobile ad fraud has a clear financial impact.

For Advertisers and Marketers

Under this mobile ad fraud, marketers are simply paying for fake clicks or installs. It appears that an installation occurred as a result of their marketing campaigns, but in reality, that isn't the case.

Moreover, SDK spoofing also distorts analytics and ad performance. Marketers believe that their ad budget is well spent, paying to advertise in a mobile app ecosystem and seeing a lot of clicks and conversions. As a result, they make poor decisions based on inaccurate results. Advertisers who use retargeting tactics worsen the problem: re-marketing ads are then targeted at these fraudulent click sources, so advertisers pay out many times over for bad clicks.

Mobile device users

The mobile phone user may not suffer monetary losses, but they are affected by this mobile ad fraud. A malicious app is secretly running on their mobile devices, posing a risk to their confidential data. In addition, device users are also at a loss due to data and battery usage.

How to detect (and prevent) such mobile ad fraud

Marketing leaders must learn to spot ad fraud and reduce its impact on the effectiveness of their ad campaigns. When it comes to click and ad fraud, there are signs that can help indicate traffic isn't coming from real people. SDK spoofing frequently amplifies the effects of actual user clicks or creates views without the users' knowledge.

  • One of the most prevalent indicators of fake traffic is a large number of clicks, sometimes known as traffic surges. When this is combined with significant bounce rates, it's likely that bot fraud or fraudulent traffic is taking place.

  • Another telltale sign of mobile ad fraud, particularly fake installs, is the click-to-install time (CTIT). The majority of organic app downloads happen within one hour of the initial click, ideally within ten minutes. In reality, just around a quarter of all installs occur within an hour of the first click. An exceptionally long installation time should be treated as a significant warning signal.

  • Detecting IP address duplications or suspicious activity from specific IP addresses is also important for detecting fraudulent traffic. Although manually detecting and blocking traffic is possible, it is inefficient and time-consuming. As a result, for dynamic fraud protection, businesses are increasingly turning to automated software solutions.
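Two of the signals above, the CTIT distribution and duplicated IP addresses, can be checked per traffic source over an attribution log. The following is an added example, not code from the original article or any attribution vendor: it parses constructed install postbacks (source, device IP, click timestamp, install timestamp) and flags a source when too few of its installs land within an hour of the click or when one IP accounts for most of its installs. The thresholds (`hour_share_min`, `ip_share_max`) are illustrative assumptions, not industry constants.

```python
"""Per-source triage of CTIT and IP-reuse signals over an install log."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample postbacks (not real data), one tracked install per line.
# Fields: source, device_ip, click_ts, install_ts  (ISO-8601, same timezone)
LOG = """\
net_a,203.0.113.5,2022-07-01T10:00:00,2022-07-01T10:04:10
net_a,203.0.113.9,2022-07-01T10:30:00,2022-07-01T10:38:00
net_a,203.0.113.14,2022-07-01T11:00:00,2022-07-01T11:20:00
net_b,198.51.100.7,2022-07-01T10:00:00,2022-07-01T16:30:00
net_b,198.51.100.7,2022-07-01T10:01:00,2022-07-01T17:02:00
net_b,198.51.100.7,2022-07-01T10:02:00,2022-07-01T18:15:00
net_b,198.51.100.8,2022-07-01T10:03:00,2022-07-01T19:00:00
"""


def parse(log):
    """Turn the CSV-like log into rows with click-to-install time in seconds."""
    rows = []
    for line in log.strip().splitlines():
        src, ip, click, install = line.split(",")
        ctit = datetime.fromisoformat(install) - datetime.fromisoformat(click)
        rows.append({"source": src, "ip": ip, "ctit": ctit.total_seconds()})
    return rows


def triage(rows, hour_share_min=0.25, ip_share_max=0.5):
    """Return {source: [reasons]}; an empty list means nothing was flagged.

    hour_share_min: minimum share of installs expected within 3600 s of the
    click (assumed threshold, loosely based on the 'about a quarter' figure).
    ip_share_max: maximum share of a source's installs one IP may account for.
    """
    by_src = defaultdict(list)
    for r in rows:
        by_src[r["source"]].append(r)
    flags = {}
    for src, items in by_src.items():
        reasons = []
        within_hour = sum(1 for r in items if r["ctit"] <= 3600) / len(items)
        if within_hour < hour_share_min:
            reasons.append("long_ctit")
        top_ip, n = Counter(r["ip"] for r in items).most_common(1)[0]
        if n > 1 and n / len(items) > ip_share_max:
            reasons.append(f"ip_reuse:{top_ip}")
        flags[src] = reasons
    return flags


if __name__ == "__main__":
    print(triage(parse(LOG)))
```

Flagged sources are a starting point for investigation, not proof of fraud; legitimate carrier-grade NAT can also produce shared IPs, so the IP signal should be weighed together with CTIT and traffic-surge data.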

SDK Spoofing and Mobile Ad Fraud Examples

When we say SDK spoofing is a new form of mobile ad fraud, it is because businesses have only recently recognised the existence of such illicit activities.

DrainerBot is one of the most well-known examples of SDK spoofing. This malware was embedded in an SDK and was used to generate views on video adverts without the users' knowledge. DrainerBot consumed a lot of data and power by playing videos in the background, sometimes using up 10GB of data in a few weeks.

SourMint is another well-known SDK intrusion and mobile ad fraud scenario. SourMint is reported to have been one of the largest SDK spoofing operations on iOS devices, using an SDK dubbed Mintegral. SourMint apps are claimed to have been downloaded billions of times over the years, thanks to the three and a half thousand apps produced using Mintegral.

Final Thoughts

There are numerous SDKs available, and a developer might produce multiple apps for clients using open source SDKs. This puts the developed apps at a higher risk of mobile ad fraud. Using an SDK that has a malware component might result in the release of thousands of malicious apps onto devices without their owners' knowledge. It's critical to realise that ad fraud affects everyone, whether you're an advertiser, marketer, or publisher. SDK spoofing is difficult to detect, but through awareness and prevention you can tackle the problem and keep your ad budget safe from scammers. Preventative measures and a strong defence are sometimes enough to deter scammers, who may redirect their search toward more vulnerable businesses.
