Effect of IP while dealing with mobile ad fraud


As the share of mobile advertising grows rapidly, fraudulent activity on the platform keeps growing along with it. There are dozens of fraud types committed on the mobile advertising platform. From here on, when I say fraud I mean mobile ad fraud.

There are many types of fraud, but today I am writing about fraud committed at the install level. The chain starts with users clicking on ads. It is important to note that these clicks may not come from real users. That is a matter of click-level fraud; here I only mention that it exists alongside the other types. It deserves a post of its own, although the solution we propose here, the power of IP and IP-based metrics, may also be a reliable source at the click level. Anyway, regardless of whether fraudulent activity is present at the click level, let us begin under either assumption: a user clicks on an ad, and the process begins.

An illustration of a “chain” is below,

Note that the illustration of the chain above was created only for the sake of this article; it is possibly not what a real chain looks like. It should not be taken as a complete picture of a chain.

The X can be agencies, affiliates, trading desks, etc. There may be dozens of them or even none, and each has its own business model and payment policy. To be honest, fraud can be committed at each ring of the chain. It can come at you from literally anywhere.


Anti-fraud solutions exist, from platforms including Interceptd and from most of the rings of the chain, to counter the fraudulent traffic on the network, and they have yet to stop it all. This is an unending cycle: anti-fraud solutions are built against the fraudulent activity, the fraudsters keep improving in order to penetrate each particular solution, and the cycle goes on.

The tools used to detect and prevent fraudulent activity are important at this point. The features, and the thinking behind them, matter more once you consider how a real user ought to behave on such an attribution chain. The mobile advertising platform is made up of several components that the traffic passes through. The components are related to each other, but you cannot always reach the higher and/or lower ends as intended, so each component has its own field of view. Think of each component as having its own angle of visibility, because transparency between the components is incomplete; it should never be complete, though. In addition, information about the activity can be manipulated, or interpreted incorrectly when some specific service of a component malfunctions. A single component has a broad inner view of activity, but its outer view is restricted at some point, depending on the size of the chain and/or the bilateral relations between the components.

The information gathered across the whole chain is enormous, but the useful and possibly less manipulated information has to be separated from the rest of the pack. Still, the rule “any info is better than none” applies, so you need to be delicate while separating it; you wouldn’t want to waste any useful info.

How does IP help us catch the fraudsters?

IP and device identification metrics are probably the most useful information in the whole pile, given the concerns mentioned above. For detecting fraudulent activity within this frame, IP-based metrics must be treated as the first line of detection and should be reinforced by device metrics. IP must come first because it is the Achilles’ heel of the fraudsters, even though it can also be manipulated or produce misleading results. At this point, anything that has a direct or indirect effect on IP should be taken into account when first looking for fraudulent activity.

Hence, Interceptd uses IP and IP-based metrics, along with the features that affect IP metrics, as the initial step of fraud detection. Using IP and IP-based features has relatively fewer drawbacks when it comes to detecting real fraudulent activity. Besides the models, we have a scoring algorithm that generates a dynamic look-up table within a time frame. The most important thing when working with IP is not to forget that IP itself is dynamic, which makes it dangerous to play with. That is, you cannot rely on IP-based metrics for a long period of time, since most IPs change dynamically. So if you want to implement such a fraud solution, you must gain know-how about IP and how it behaves.

Our service that manages detection by IP and IP metrics works at the install level. It is a powerful tool because it relies on IP and IP-based metrics reinforced by device metrics, so it can eliminate most of the fraud at the install level without needing to know whether the fraud comes from SDK spoofing, click injection, a device farm, etc. Device information must be enriched as well, and we are currently working on it. It takes time to build, but once you implement it, it works like a charm.

Pros & Cons?

We mentioned many times above that IP can be a powerful metric once you know how to play with it. IP is one of the most obvious metrics that reveal fraudulent activity. It gained importance once fraudsters started to get real data from real users’ devices, which is mostly done through SDK spoofing in various ways. Once the fraudsters could take advantage of real information, they no longer needed to send fake info; yet even if they can access most of it, they cannot access some of the real info.

Inside the pile, you need to detect the fraudulent ones.

We cannot say that IP takes care of all fraud. The dynamic nature of IPs (most of them) has some drawbacks, and yet at some point it is a positive. The main drawback is that you cannot set up a static model that deals with fraudulent activity through IP-based metrics; you have to change your build as time passes. In other words, you need a dynamic system for processing IP metrics. So do fraudsters. You may have difficulties because of that dynamic IP behavior, but the fraudsters also have to deal with it. And the challenge goes on.. 🙂

Another drawback is that you are limited in terms of time period. An anti-fraud system of this kind has to process a short time span: not months or years, not even weeks. A week or less would be better. The right length depends on the average traffic load you have. It must not be too short either; a reasonable span is possibly between 12 hours and a week. Of course, you should consider the system load as well: as the time span shrinks, the dynamic system(s) will be updated at shorter intervals. Take care not to blow up the whole infrastructure.
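As an added illustration of a dynamic, time-boxed IP look-up table of the kind described above (this is not Interceptd's algorithm or code from this article), the sketch below keeps per-IP install events only for a rolling window and scores an IP from what is still inside it. The class and function names, the 24-hour window, the caps and the 0.6/0.4 weights are all assumptions chosen for the example, and the install events are constructed.

```python
from collections import defaultdict, deque

WINDOW = 24 * 3600   # assumed look-back; the article suggests 12 hours to a week
INSTALL_CAP = 20     # assumed: installs per IP per window that saturate the score
DEVICE_CAP = 10      # assumed: distinct devices per IP that saturate the score

class IpLookupTable:
    """Rolling per-IP install statistics; entries age out with the window."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.events = defaultdict(deque)   # ip -> deque of (timestamp, device_id)

    def _expire(self, ip, now):
        q = self.events[ip]
        while q and q[0][0] <= now - self.window:
            q.popleft()
        if not q:
            del self.events[ip]            # forget IPs with no recent installs

    def add_install(self, ip, device_id, ts):
        # Events are assumed to arrive in timestamp order.
        self._expire(ip, ts)
        self.events[ip].append((ts, device_id))

    def score(self, ip, now):
        """0.0 (nothing seen) to 1.0 (saturated) for installs inside the window."""
        if ip not in self.events:
            return 0.0
        self._expire(ip, now)
        q = self.events.get(ip, ())
        installs = len(q)
        devices = len({device for _, device in q})
        return (0.6 * min(1.0, installs / INSTALL_CAP)
                + 0.4 * min(1.0, devices / DEVICE_CAP))

def build_sample_table():
    """Constructed install events: one busy IP, one ordinary IP."""
    table = IpLookupTable()
    for i in range(20):                    # 20 installs, 10 device ids, within an hour
        table.add_install("203.0.113.7", f"dev-{i % 10}", ts=i * 180)
    table.add_install("198.51.100.4", "dev-a", ts=600)
    return table

if __name__ == "__main__":
    t = build_sample_table()
    print(t.score("203.0.113.7", now=3600), t.score("198.51.100.4", now=3600))
    print(t.score("203.0.113.7", now=3600 + WINDOW))  # same IP after the window
```

The last call shows the point about dynamic IPs: once the window has passed, the same address scores as unseen, so whoever holds it next is not judged on the earlier traffic.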


All in all, remember that IP is a sensitive feature, and you should work on it delicately. If you lean on it too heavily, you will fail; if you don’t care about it at all, you will fail. Balance the structure, and voilà!