With mobile ad spend on track to hit $350 billion in 2022, after surpassing $295 in 2021, in-app advertising can be a significant source of revenue. However, those in-app ads also introduce potential risks for app publishers due to security vulnerabilities in mobile app advertising. Real-time bidding and programmatic advertising is susceptible to enabling and allowing criminals (bad actors) to place ads in your app ad slots targeting your users with malware, financial scams, and misinformation campaigns.

The advertising industry has dubbed ads with malicious purposes, malvertising. Let’s face it, bad actors utilize the standard advertising buying flow, the same way brands and agencies do. Malvertising produces illegal revenue streams for the bad actors and harms your mobile app users by exposing them to scams, malware, and fake downloads. Malvertising creates bad user experiences that can lead to uninstalls, or user churn. Those bad experiences range from simply annoying to dangerously invasive, and users view those ads as part of your app or at the very least part of your company’s revenue strategy. Users will hold app publishers responsible for cleaning up messy or annoying ads as well as overall ad safety and ad security. A recent study “An Empirical Study of In-App Advertising Issues Based on Large Scale App Review Analysis”, found that two-thirds of app users consider bad mobile ads annoying and tend to uninstall those apps or score them lower to convey their bad experience.  When your users experience ads that are unsafe, they are more likely to uninstall your app, and leave negative reviews in the app store for thousands of other potential users to see.

Through our research on mobile app ad threats, we specifically designed our solution to detect and block bad mobile ads with security threats including financial cryptocurrency scams, misleading advertising claims (misinformation ads), fake virus protection downloads or fake software updates, and other ad security violations that threaten user safety. Let’s walk through a few examples of security violations that the Confiant In-App Mobile security solution uncovered:

Financial and Criminal Scams

Recently, threat actors have developed and perfected unique digital ad-driven financial scams designed to defraud victims out of large sums of money. These threat actors are clever, technically sophisticated, but most of all ruthless. Scams include fake cryptocurrency investments, crypto-mining schemes, fake healthcare and other mass appeal consumer product scams. They employ tactics like hijacking brand names of companies, products, digitally manipulating images into sensational photos, as well as falsifying celebrity endorsements.

Threat actors employ tactics like hijacking brand names of companies, products, digitally manipulating images into sensational photos, as well as falsifying celebrity endorsements.

Financial and criminal scams are prevalent around the globe, but most countries only offer limited protection to victims, because of weak or non-existent legal regulations on cryptocurrency transactions, limited penalties for the actual criminal scams, as well as scarce or non-existent enforcement resources. Transunion, one of the top three American consumer credit reporting agencies, stated that fraud increased more than 16.5% globally overall in the second quarter of 2021 (compared to the same quarter last year). The UK Finance reported that in the first half of 2021, criminals caused £107.7 million in losses attributed specifically to investment scams (part of APP fraud), up 95% from last year. But financial investment scams target individuals, costing them each £45,000 or more (over $61,000) according to a recent BBC News article. Financial scam ads are often hard for typical ad scanning systems to detect, because the bad actors are clever enough to design their ads so they do not trigger security violations. So they pass under the radar of typical ad scanner systems and wind up on your in-app ad display.

The following threat actor, dubbed “Fizzcore” by Confiant, uses fake celebrity endorsements and ad cloaking to lure victims into their financial scams instead of using malware.

Forced Redirects

Forced redirects are disastrous for in-app user experience, not only because they interrupt users, but because they force the user out of the app entirely. Forced redirects are malicious scripts that divert the user from whatever they are viewing on your app and force them to the malvertiser’s landing page. In a forced redirect, the ad takes over the screen real-estate and is difficult or impossible for users to exit or navigate around without clicking on the ad. Forced redirects have previously been a source of trouble and frustration for desktop web publishers are now becoming more prevalent in apps.

In the following example of a forced redirect, the user is falsely warned that their iPhone is being compromised by an “ad” that blocks their entire screen, and they are prompted to “Remove Viruses”. If they follow the directions or click on any part of the ad the forced redirect takes them out of the app and leads them to a malicious website that may install malware on their device, steal their personal information, or cheat them out of money.

Cloaked Ads

Cloaked ads hide behind legitimate looking ads or pop-ups to deliver their payload or hijack the user. In this example, the VPN warning attempts to get the user to click “Install” to download its malware.

Fake Downloads

This bad mobile ad pops up with a notification that a newer version of their virus protection, software update, or system update app ears to the user. If they agree, they often get a download of malware installed on their phone instead of what they expected.

These ads deliver malicious software instead of the promised virus protection.

What Happens to Scam Victims

Most victims of financial scams have little recourse. Because of limitations in the regulations and laws regarding cryptocurrency, it has become increasingly favored by bad actors who know they can get away with amazing amounts of money. Because in most financial scams, the victims are convinced to voluntarily send their money to the bad actors' fake investment sites, those victims’ legitimate banks and financial institutions have been lax in preventing or investigating the issues as crimes. Even in localities where banks agree to reimburse victims of scams, the victims most often get less than half of their stolen money back. The >UK Finance 2021 Half Year Fraud report stated that banks and finance providers in the first half of 2021 returned only £44.3 million in investment fraud losses to victims (less than half of the victims’ losses).

Bad mobile Ads Contribute to Mobile App Churn & Poor Reviews

When forced redirects, cloaked ads, fake downloads, misinformation ads, and financial scam ads are prevalent users tend to stop engaging with the app, or they uninstall the app and issue complaints on the app store. Poor user ratings on app stores damage the reputation of the app, and those poor reviews are viewed by thousands of potential users every day. Statistica reports that most apps lose a large portion of their users due to user churn (retention rates) in the first 30 days after downloading an app. Those retention rates vary widely between app categories. The top three categories with the highest retention rates (the lowest user churn) are Comics, Shopping-Marketplace, and News apps. All three retain an average of about one-third of their users on day one of download, but by day 30 only the News apps retained 13.3 percent or more of their users. Finance -Traditional Banking apps had similar results, starting at slightly more than 30 percent and retaining 13.4 percent of users by day 30. Statistica also reported that as of August 2021, approximately 38 percent of the apps worldwide generated revenues by including ads in order to monetize their apps.

What’s an App Publisher To Do?

During 2020, the global COVID pandemic influenced huge numbers of users to use mobile applications for their business and personal pursuits. On-average users spend one-third of their waking hours, 4.8 hours daily to be exact, on their top-ten apps. That lucrative market can be spoiled by in-app ads that are loaded with Malvertising by bad actors who actively hijack mobile users. Confiant’s security solution for mobile app publishers identifies and blocks the bad in-app ads before they reach your users, providing improved user experience and less user churn for app publishers. Request your free trial today and see how Confiant can help you protect your user experience.