Ads on mobile apps generate more than $8 billion in annual revenue for app developers. With so much money at stake, various ways to game the system have arisen. One fraudulent method is to write malicious code to generate false clicks (see “A Web Scam That Makes $500,000 a Month”). A more insidious approach is to simply make it easy for users to hit ads through “placement fraud.” Developers can make ads too small to stand out, too close to a game button, or even invisible.
With millions of apps for sale, it’s infeasible for humans to do a visual inspection. That’s one reason why most research attention has been focused on the problem of click fraud, in which automated programs called bots click ads.
Microsoft’s new tool, an automated “monkey,” systematically works through the apps in an app store: it launches an app in an emulator, then interacts with that app and tries to get through as much of it as it can. If the monkey encounters a button, it clicks on it. If it encounters a text box, it tries to continue by determining what is being sought and entering something, such as a zip code. “The goal of the monkey is to go to as many pages in the app as possible,” says Suman Nath, a senior researcher at Microsoft.
One of the sneaky gambits Microsoft’s monkey rooted out was inside an app for playing mah-jongg, the Chinese tile game. A vertical advertising bar on the right side of the screen was filled with tiles that looked like the tiles used in the game itself. “The user will believe this is an ad-free app,” Nath says.
Xuxian Jiang, a computer scientist at North Carolina State University and an expert in mobile security, says the work was novel. Even though it can’t detect whether the bad ad placement was intentional, “it is a good start,” he says.
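The three placement problems named above (ads that are too small, too close to a button, or invisible) can be expressed as layout checks run on every page an automated crawler reaches. The sketch below is an added example, not Microsoft's code; the `Element` model, the pixel and opacity thresholds, and the sample pages are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Thresholds are assumptions for this example, not values from Microsoft's tool.
MIN_AD_W, MIN_AD_H = 120, 40   # smallest ad size treated as legible (px)
MIN_GAP = 16                   # required clearance from a clickable control (px)
MIN_OPACITY = 0.5              # below this an ad is treated as invisible

@dataclass(frozen=True)
class Element:
    name: str
    kind: str                  # "ad", "button" or "textbox"
    x: int
    y: int
    w: int
    h: int
    opacity: float = 1.0

def gap(a, b):
    """Edge-to-edge distance between two rectangles; 0 if they touch or overlap."""
    dx = max(b.x - (a.x + a.w), a.x - (b.x + b.w), 0)
    dy = max(b.y - (a.y + a.h), a.y - (b.y + b.h), 0)
    return (dx * dx + dy * dy) ** 0.5

def audit_page(elements):
    """Return (ad name, reason) findings for one visited page."""
    findings = []
    controls = [e for e in elements if e.kind in ("button", "textbox")]
    for ad in (e for e in elements if e.kind == "ad"):
        if ad.opacity < MIN_OPACITY:
            findings.append((ad.name, "invisible"))
        if ad.w < MIN_AD_W or ad.h < MIN_AD_H:
            findings.append((ad.name, "too small"))
        for c in controls:
            if gap(ad, c) < MIN_GAP:
                findings.append((ad.name, f"too close to {c.name}"))
    return findings

def audit_app(pages):
    """Audit every page the crawler reached; keep only pages with findings."""
    report = {page: audit_page(elems) for page, elems in pages.items()}
    return {page: f for page, f in report.items() if f}

# Constructed sample: layouts as a crawler might record them on a 320x480 screen.
PAGES = {
    "menu": [Element("banner", "ad", 0, 0, 320, 50),
             Element("play", "button", 100, 200, 120, 48)],
    "game": [Element("side_ad", "ad", 300, 100, 20, 300),
             Element("tile_7", "button", 270, 150, 28, 40),
             Element("hidden_ad", "ad", 0, 430, 320, 50, opacity=0.0)],
}

if __name__ == "__main__":
    for page, findings in audit_app(PAGES).items():
        print(page, findings)
```

Checks like these flag a layout, not a motive: as Jiang notes, they cannot tell whether a bad placement was intentional.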