Invalid traffic from fake devices

2019-09-11

ImpScore team

Today we are publishing the next investigation of a huge amount of invalid impressions on fake devices which are sold as Mobfox traffic. In fact it is not related to Mobfox of course.

We have detected a number of similar impressions comming from many sources and they were detected as invalid by multiple signs on our side. We can’t reveal all of them but there are several ones available to everyone who is buying this traffic.

Referrers

The first sign is a referrer (an URL of a webpage where the impression was rendered). Those impressions have http://mobfox.com as a referrer. It is impossible because Mobfox does not use this domain for rendering ads.

We have an official confiramation from a Mobfox reprentative:

“We confirm that MobFox does not use the URL http://mobfox.com for rendering banners.”

Mark RatchinMobfox US LLC

So, referrers are faked on device side, and it can’t be done inside a banner, there should be much deeper contol over the device.

Devices

Many devices have operating system versions which can not be installed on the specific devices. Here are only several examples of User-Agent’s:

Mozilla/5.0 (Linux; Android 5.1.1; SM-N950U1 Build/PPR1.180610.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/62.0.3202.84 Mobile Safari/537.36

The device with the code SM-N950U1 is Samsung Galaxy Note 8. According to this User-Agent it has Android 5.1.1 installed, but according to Samsung website it should have 7.1.1 or higher:

We detect same devices having Android 6 on this traffic as well.

Mozilla/5.0 (Linux; Android 5.1.1; SM-G960U Build/PPR1.180610.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/64.0.3282.137 Mobile Safari/537.36

We have a similar situation here, the device with the code SM-G960U is Samsung Galaxy S9 and according to this User Agent it has Android 5.1.1 installed while according to Samsung website it was shipped with Android 8.0:

We also track this devices with Android 6 and 7.

Mozilla/5.0 (Linux; Android 9; SM-J727P Build/M1AJQ; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.158 Mobile Safari/537.36

In this case we have a device Galaxy J7 Perx with Android 9 installed. This device was shipped with Android 7.0 and the latest available version is 8.1, we was unable to find even unofficial build of Android 9 for this device but most of Galaxy J7 Perx where we tracked impressions had the latest android.

Mozilla/5.0 (Linux; Android 6.0; SM-J727P Build/M1AJQ; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/62.0.3202.84 Mobile Safari/537.36
Mozilla/5.0 (Linux; Android 5.0; SM-J727P Build/M1AJQ; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/67.0.3396.87 Mobile Safari/537.36

The same device with Android 6.0 and 5.0 while as we mentioned before it has Android 7.0 preinstalled.

Obviously the devices are fake also. There are many additional signs but these ones are available for self check.

Finding the source

Next we have ivestigated the code which rendered the advertisement:

<head></head><body style="margin:0;padding:0;"><script>
window.__cads__ = {
    host: "platform.sickads.com",
    reqpath: "/api/v1/ep/req",
    eventpath: "/api/v1/ep/event",
    r: {
        "plc": "enntry1-49b64a593ec3491d86314e79b20cc5e3",
        "app_bundle": "com.balloonisland.ultimatejewel",
        "app_name": "Ultimate Jewel",
        "app_version": "1.48",
        "app_url":"https://play.google.com/store/apps/details?id=com.balloonisland.ultimatejewel&hl=en&gl=us",
        "adid":"7ca25420-f602-49e6-9e3c-86227afd9c9b",
        "format": "Banner_320x50"
    }
};
</script>
<div style="display:inline-block;width:320;height:50">
    <script type="text/javascript" src="https://platform.sickads.com/static/js/swirl_0_1_8-develop.js"></script>
<iframe src="about:blank" width="320" height="50" scrolling="no" marginheight="0" marginwidth="0" style="border: 0px;"></iframe></div>  </body>

We see that the script is loaded from platform.sickads.com which points to the IP address 5.9.59.53, where one more domain is hosted: coilads.com. According to the information published on the website it belongs to Arena Digital UG located in Germany. May be you have never heard of them but we see a lot of their traffic on the market at this moment.

Stay tuned by following us on LinkedIn. Please share this article if you like it with the buttons bellow, thanks in advance!

–

ImpScore team