Fighting Mobile Payment Fraud in 2020

Reading time: 4 minutes

The key to fighting mobile payment fraud in a continually evolving and complex business environment is prevention. Merchants and issuers across the globe face the challenge of policing a burgeoning plethora of payment methods. Variety is always welcome, but it enables the influx of ultra-sophisticated credit card fraud techniques and puts a strain on detection methods. Companies are well aware of the problem's scale, which is why new technologies to fight fraud get rolled-out almost immediately.

The issue, however, is that cyber criminals always find ways to stay ahead of the curve. The volume of fraudulent transactions is growing, and it is growing fastest in the mobile ecosystem.

According to Security Week, Windows remains the fraudster's favorite operating system, accounting for 38% of online fraudulent activity, while iOS and Android combine for 51%.

Financial institutions need to find a new, innovative approach to preventing mobile payment fraud and stop these attacks once and for all.

Common Types of Mobile App Fraud

Mobile app install fraud hit marketers for almost $12.6 billion in 2019, a steep increase from $7.8 billion in 2018. That figure is about 26% of the "total global mobile app install ad spend," according to an article from Inc. One of the more frightening aspects of this type of fraud is that the fraudsters are looking to become a collective, with pooled learning and a more "holistic" approach to mobile ad fraud. This newfound sophistication allows them to "branch out" and use techniques to hit the entire marketing funnel - from influencer marketing to ad networks to mobile ads.

There are different types of mobile ad fraud relevant in 2020. The most common are:

Emulators and Bots

Emulators install apps on virtual devices that do not physically exist in order to claim advertising credit for those installs. Bots are automated programs suited to any repetitive task on the internet, such as generating phony traffic, clicks, installs, and views.

Click Injection

Click injection abuses Android's install broadcasts, which notify other apps that an install is taking place. In the window between the broadcast and the install completing, an already-installed trojan or malware app sends a fraudulent click, so that the install is attributed to the fraudster.

SDK Spoofing

Criminals tamper with the communication between the Mobile Measurement Platform (MMP), app stores, and ad networks to simulate installs, genuine-looking clicks, or in-app activity.

Device Farms

An outdated yet straightforward form of mobile fraud where criminals set up a device farm with an extensive collection of cheap mobile devices programmed to either install an app or click on an ad repeatedly.

Click Spamming

Fraudsters send large volumes of clicks in order to claim credit for installs that would have happened organically anyway. Also considered a type of attribution fraud, click spamming is most effective against apps that already have plenty of downloads.
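An added example, not from the original article: two attribution heuristics a measurement platform could run over its own click and install logs to surface the click injection and click spamming described above, using constructed sample records. A click-to-install time of a few seconds is the signature of click injection (the click was fired only once the install was already under way), while a source with many clicks and almost no conversions is the signature of click spamming. The thresholds and the record format are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed attribution records, not real traffic: (event_id, source, click_ts, install_ts).
# install_ts is None when the click never led to an install.
EVENTS = [
    ("e1", "net-a", "2020-07-20T10:00:00", "2020-07-20T10:02:30"),  # ~150 s, plausible
    ("e2", "net-a", "2020-07-20T10:05:00", "2020-07-20T10:05:04"),  # 4 s: install already running
    ("e3", "net-b", "2020-07-20T10:06:00", None),
    ("e4", "net-b", "2020-07-20T10:06:01", None),
    ("e5", "net-b", "2020-07-20T10:06:02", None),
    ("e6", "net-b", "2020-07-20T10:06:03", None),
    ("e7", "net-b", "2020-07-20T10:06:04", "2020-07-21T09:00:00"),  # ~23 h: 1 of 5 converted
    ("e8", "net-c", "2020-07-20T11:00:00", "2020-07-20T11:03:10"),  # ~190 s, plausible
]

def ctit_seconds(click_ts, install_ts):
    """Click-to-install time in seconds, or None if the click never converted."""
    if install_ts is None:
        return None
    delta = datetime.fromisoformat(install_ts) - datetime.fromisoformat(click_ts)
    return delta.total_seconds()

def flag_click_injection(events, min_ctit=10.0):
    """Event ids whose install followed the click implausibly fast.
    A real user has to open the store and wait for the download, so a CTIT of a
    few seconds is the signature of a click fired from an install broadcast.
    The 10 s floor is an assumed threshold, not a published figure."""
    flagged = []
    for event_id, _source, click_ts, install_ts in events:
        ctit = ctit_seconds(click_ts, install_ts)
        if ctit is not None and ctit < min_ctit:
            flagged.append(event_id)
    return flagged

def flag_click_spamming(events, min_clicks=5, max_conversion=0.3):
    """Sources that fire many clicks but rarely convert (assumed thresholds).
    Spammed clicks mostly never lead to an install; the few that do are organic
    installs the spammer is claiming credit for."""
    clicks, installs = defaultdict(int), defaultdict(int)
    for _event_id, source, _click_ts, install_ts in events:
        clicks[source] += 1
        if install_ts is not None:
            installs[source] += 1
    return sorted(src for src in clicks
                  if clicks[src] >= min_clicks and installs[src] / clicks[src] <= max_conversion)

if __name__ == "__main__":
    print("click injection suspects:", flag_click_injection(EVENTS))
    print("click spamming sources:", flag_click_spamming(EVENTS))
```

In production these checks run on per-source distributions rather than fixed cutoffs, since legitimate networks also see occasional short or long CTITs.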

E-Wallet and P2P Money Transfer Apps

E-wallet and P2P money transfer apps are services that let users send or receive money. They usually require only a phone number, username, or email address, and the transactions are instantaneous. Some services are free, while others charge a small processing fee. New technologies are letting social media platforms such as Facebook Messenger, Skype, and WeChat leverage their massive user bases to allow people to transfer funds to one another.

The most common wallet and peer-to-peer payment services available are PayPal, Google Pay, Apple Pay Cash, Venmo, Zelle, Cash App, and WeChat Pay. Fraudsters absolutely love to use mobile wallets and P2P money transfer apps to scam people because the transactions are instant, hard to track, and nearly irreversible.

How Fraudsters Use Mobile Payment Apps

Criminals like their scams to be fast and to make it hard for victims to get their money back, which is why they often trick people into reloading a gift card, wiring cash, or sending money through a mobile payment app. According to the FTC, the most common lies fraudsters use are:

● Telling people they won a prize or sweepstakes and need to provide personal information, banking details, and money to cover taxes and fees.

● Impersonating a close friend or relative and telling the victim that they are either sick or in trouble in another country.

● Pretending to be from the IRS and telling the target that there is a case against them and they owe the government money.

● Calling and pretending to be tech support from Microsoft or a partner, informing the target that his or her computer has a problem and asking for money to fix it remotely.

● Pretending to be a romantic interest in the military or in another country who needs money to help a sick family member or to buy a ticket to visit the target.

Fraudsters send text messages and phishing emails to their targets, asking for money or personal information. These emails and texts carry malicious attachments or links to fake websites they control. If you mistakenly download an attachment that installs malware or send your details via email, the cybercriminals can steal your identity. There are proven ways to monitor your identity, such as using an identity monitoring tool that alerts you if your accounts are part of a data breach or if they pop up on the dark web.

Distribution of Malicious Apps

The distribution of malicious apps happens on official application stores such as Google Play and Apple's App Store, as well as third-party app stores. Even app stores as strict and sophisticated as the App Store can inadvertently distribute a malicious app once in a while, primarily when the publisher uses new techniques to defeat the safeguards in place. The most significant offender is Google Play, partly because Android is the most popular mobile OS in the world, with a 51.8% share as of September 2019.

In the same month, Google's app store also played a role in the spread of Android malware. According to TNW, researchers detected 172 infected apps on the Play Store that already had over 335 million installations between them. Adware led the infections, with 48 apps accounting for 300,600,000 installs, followed by subscription scams (20 million) and hidden ads (14.5 million).

Major Challenges Facing App Fraud Detection

Fraud follows the money. That's the golden rule all fraudsters follow. As consumers embrace P2P money transfer apps, e-wallets, and other types of mobile payment apps, the criminals are there with them. The threat actors are always trying out new fraud techniques, testing malicious apps, and looking for vulnerabilities in software, hardware, devices, and human behavior. The significant challenges facing app fraud detection are:

● Only a little more than half of all merchants check for fraud.

● App store security teams aren't flagging malicious apps fast enough, or some get past their defenses.

● Merchants aren't paying close attention to the development of new fraud schemes.

● Even if an app is secure and isn't malicious, the user's device might be compromised.

● Issuers are not utilizing the latest security tools and defenses that can help protect consumer data from hackers.


Key Takeaways on Mobile Payment Security Issues

The key to preventing mobile app abuse and payment fraud is to collect, study, examine, and corroborate data. Mobile apps already provide a treasure trove of information. By combining technical, historical, and regional trends, merchants and issuers can detect and stop fraudulent transactions accurately. To maintain the integrity of the system and keep consumers happy, the fraud blocking process should not turn away real customers or create false declines.

Another takeaway is that consumers must always use a company's official app downloaded from an official store like the App Store or Google Play - not third-party app stores, which on Android require the user to enable the permission that allows installation from unknown sources. Businesses must ensure that their apps don't have any clones or look-alikes on any app store.


Published on Jul 20, 2020
Written by Daniel William
Daniel William is a Cyber Security Expert. His great passion is to maintain the safety of the organization’s online systems and networks. He knows that both individuals and businesses face the constant challenge of cyber threats. Identifying and preventing these attacks is a priority for Daniel.
