What is SDK Spoofing?

SDK spoofing is the creation of legitimate-looking installs attributed to real devices without any actual install taking place.

Fraud analysis

  • SDK spoofing is harder to detect than fake installs generated by emulation or install farms. The installs appear legitimate, and they may account for up to 80% of your installs on any given campaign.
  • Fraudsters collect real device data by using their own apps or leveraging any app they can gain control over; this can happen via popular apps that are not at all dangerous (for example, a battery saver or flashlight tool).
  • SDK spoofing became a significant problem for mobile advertisers in 2017. Fraud schemes of this type have moved from easily spotted attempts that showed little understanding of URL structures to a more sophisticated use of device-based parameters.

How does this exploit happen?

Fraudsters use a real device, without the device’s user actually installing an app, to create installs that look real (because the devices are real) and thereby consume an advertiser’s budget. The devices used in this scheme are real and therefore active and spread out. To commit this type of fraud, fraudsters must:

  • Break the SSL encryption protecting the communication between a tracking SDK and its backend servers by performing a ‘man-in-the-middle attack’.
  • Generate a series of test installs for the app they want to defraud.
  • Learn which URL calls represent specific actions within the app.
  • Research which parts of the URLs are static and which are dynamic.
  • Test their setup and experiment with the dynamic parts.
  • Once a single install is successfully tracked, the fraudsters will have figured out a URL setup that allows them to create installs out of thin air.
  • Repeat indefinitely.
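
A server-side check aimed at the URL construction described in the steps above, as an added example that is not from the original page or from any tracking vendor's code: the SDK signs every parameter together with a timestamp and a nonce, so a request assembled or replayed without the secret is rejected. The secret, parameter names and time window are assumptions made for this example.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Constructed values (assumptions for this example only).
APP_SECRET = b"constructed-demo-secret"
MAX_SKEW = 300  # seconds a signed request stays valid


def _mac(params, secret):
    """Canonicalise parameters (sorted by name) and compute their HMAC."""
    canonical = urlencode(sorted(params.items()))
    digest = hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()
    return canonical, digest


def sign_install(params, secret=APP_SECRET):
    """SDK side: return the query string with a signature appended."""
    canonical, digest = _mac(params, secret)
    return canonical + "&sig=" + digest


def verify_install(query, seen_nonces, now=None, secret=APP_SECRET):
    """Backend side: return (accepted, reason) for one install request."""
    now = time.time() if now is None else now
    params = dict(parse_qsl(query, keep_blank_values=True))
    sig = params.pop("sig", None)
    if sig is None:
        return False, "missing signature"
    # The signature covers static and dynamic parts alike, so changing
    # any single parameter invalidates the request.
    _, expected = _mac(params, secret)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad signature"
    try:
        ts = int(params["ts"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale timestamp"
    # A captured request that is sent again reuses its nonce.
    nonce = params.get("nonce")
    if not nonce or nonce in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(nonce)
    return True, "ok"
```
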


Reference: “Adjust,” Retrieved – 23 April 2018