02 Apr 2018

Mobile app fraud is on the rise, and what you can do about it

Mobile travel apps rank fourth among the hardest hit by fraudsters, following shopping, gaming and finance, according to a new study by AppsFlyer.

The problem is growing rapidly: AppsFlyer, which tracks mobile apps and offers fraud analysis and protection, found that travel’s rate of fraud in the first quarter of 2018 was up 15% over the rate in the fourth quarter of 2017, resulting in $65 million in fraud exposure.

As it analyzed a sample of 2,500 apps, it found that new threats are emerging, joining the tried and true methods of fraud. Its report, titled “The State of Mobile Fraud, Q1 2018,” identifies some of the common types of fraud.

Common methods

By February, bots had become the most popular form of attack, responsible for more than 30% of fraudulent installs in all industries. Bots are malicious code that runs a set program or action. While they can be based on real phones, most are server-based.

Bots aim to send clicks, installs and in-app events for installs that never actually happened.

Bots took the top spot away from “device farms,” locations populated by mobile devices that click on real ads and download real apps. Over the last year, device farmers began regularly resetting their DeviceIDs to avoid detection by hiding behind fresh IP addresses.

“Install hijacking” is a type of fraud in which credit for an install is hijacked by sending false click reports or injecting false referral data.

Fraudsters use “click flooding” to send a “flood” of false click reports from or on behalf of real devices.

When the actual device downloads the app, the sub-publisher is falsely credited with the install.

As bots and malware have become more advanced, some have developed the ability to simulate a limited set of functions that look legitimate.

According to AppsFlyer, the only way to address these advanced techniques is to analyze their behavioral patterns.

Rapid growth

As in other forms of fraud, the perpetrators of mobile fraud are constantly adapting to attempts to block them.

In June 2017, the overall mobile fraud rate was 10%.

It dipped in September due to a drop in overall device farm activity, but the fraudsters redoubled their efforts quickly.

By the end of February, the rate had risen to an all-time high of 12%.

AppsFlyer estimates the cost to advertisers in all sectors at $700 million to $800 million, due to a 15% rise in the rate of app install fraud, a 10% increase in the cost of media, and a 25% rise in non-organic installs.

Among the industries with high exposure, travel apps experience the third highest number of fraudulent installs from bot attacks, the third highest from install hijacking attacks, the fifth highest from device farm attacks, and the third highest from click flood attacks.

Travel apps also score the second highest number of fraudulent installs rejected through behavioral anomalies of advanced simulation techniques by bots and malware.

Best practices

AppsFlyer suggests four steps that companies can take to protect themselves:

1. Keep your software development kits up to date. Running the latest SDK version ensures that you have the latest security updates.

2. Pay attention to your data. Anomalies in your data such as large discrepancies between App Store numbers and your reporting platform or significant changes in conversion rates may be due to fraud.

3. Get a fraud assessment. General trend data, such as those contained in the report, are a good way to start, by quantifying your potential exposure.

4. Stay transparent. Set your fraud terms with each of your providers and media sources before campaigns begin. That will help to avoid the headache of reconciliation negotiations.
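As an illustration of step 2, the following added example (not from AppsFlyer or its report) checks attribution data for the two anomalies named there: a collapse in click-to-install conversion rate, which is what click flooding produces, and a gap between store and reporting-platform install counts. The sample rows, field layout, function names and both thresholds are assumptions chosen for the example.

```python
from statistics import median

# Constructed sample data: (media_source, day, clicks, attributed_installs).
SAMPLE_ROWS = [
    ("source_a", "2018-03-01", 4_000, 120),
    ("source_a", "2018-03-02", 4_200, 130),
    ("source_b", "2018-03-01", 3_500, 98),
    ("source_b", "2018-03-02", 3_600, 101),
    ("source_c", "2018-03-01", 5_000, 140),
    ("source_c", "2018-03-02", 900_000, 150),  # clicks explode, installs do not
]


def conversion_rates(rows):
    """Return {(source, day): installs / clicks}, skipping rows with no clicks."""
    return {(src, day): inst / clk for src, day, clk, inst in rows if clk > 0}


def flag_conversion_anomalies(rows, ratio=0.2):
    """Flag (source, day) pairs whose conversion rate is below `ratio` times
    the median rate of all rows. `ratio` is an assumed threshold to tune."""
    rates = conversion_rates(rows)
    if not rates:
        return []
    baseline = median(rates.values())
    return sorted(key for key, rate in rates.items() if rate < ratio * baseline)


def store_discrepancy(store_installs, platform_installs, tolerance=0.10):
    """Return (relative_gap, exceeds_tolerance) between the store's install
    count and the reporting platform's. A platform count well above the store
    count suggests installs that never actually happened."""
    gap = abs(store_installs - platform_installs) / max(store_installs, 1)
    return gap, gap > tolerance


if __name__ == "__main__":
    platform_total = sum(row[3] for row in SAMPLE_ROWS)
    print("Low-conversion source/days:", flag_conversion_anomalies(SAMPLE_ROWS))
    # 600 is a constructed store-side install count for the same two days.
    print("Store vs platform:", store_discrepancy(600, platform_total))
```

A flagged source or day is a prompt for review with the media source, not proof of fraud; legitimate campaign changes can also shift conversion rates.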

The full report can be downloaded here