Seminar on “The Art and Craft of Fraudulent App Promotion in Google Play” (paper by Rahman, Mizanur, Nestor Hernandez, Ruben Recabarren, Syed Ishtiaque Ahmed, and Bogdan Carbunar). Presented by Emily Zou

Page 1

Seminar on “The Art and Craft of Fraudulent App Promotion in Google Play”

Presented by Emily Zou

Paper authors: Rahman, Mizanur, Nestor Hernandez, Ruben Recabarren, Syed Ishtiaque Ahmed, and Bogdan Carbunar

Page 2

Introduction

● Increasing amount of fraudulent behaviour on popular sites used to access news, social media and peer opinion sites

● This paper focuses on fake reviews and ratings on the Google Play store

Page 3

Existing Work and Motivation

● Already a substantial amount of existing work on fraud detection. These have revealed many insights into how to prevent and detect fraud

● Gap in existing research: few findings have been validated by fraudsters

● This paper fills the gap: interviews with ASO workers active in producing fake reviews on Google Play

● Goals of this paper:

○ Analyse the organisation of ASO workers

○ Find weaknesses in their workflow

○ Find out how they avoid detection

○ Find any weaknesses in Google Play itself

Page 4

Google Play and Fake Reviews

● Five star rating system

● The rating and reviews affect the app store optimisation (ASO) of the app

● Higher rated and reviewed apps will be ranked higher on the search list


● Google Play is the app store for devices running on Android

Page 5

Paper Methodology

● 57 participants in total, all ASO workers

● Recruited from Fiverr, Upwork and Facebook groups

● 39 participated in the quantitative study: the authors accessed their Google accounts and collected numeric data on the reviews they posted

● 18 participated in a qualitative interview with over 100 questions

● Findings from the two studies were combined and summarised into 14 topic points

Page 6

Findings - Team, Location, Organisation

● Most work in a team; 13 worked in teams of more than 10 people

● About half work remotely with their team and half work together in person

● Most organisations have a hierarchy: subteams for different tasks, managers, review posters, account creators

Page 7

Findings - Hardware Devices

● Half post from physical devices, 2 from virtual emulators and the rest from the Google Play website

● Some own up to 1000 devices

● Mostly low-end devices

Page 8

Findings - Techniques and Evasion

● All participants are aware of their reviews being detected and deleted. From their experience, reasons for review deletion include:

○ Using the same device to write multiple reviews on an app

○ Improper VPN use (posting reviews while using a VPN)

○ Extended account use (posting many reviews in a short period of time)

● Upvote reviews written by coworkers, downvote negative reviews

● Singleton accounts

○ Create an account for one review (Google never deletes these because there is not enough history on the account for it to be detected as fraud)

● App installation and use

○ Wait a while between installation and review; open the app a few times

Page 9

Findings - Reviews

● Some developers provide workers with the review content to post

● Some have a bank of reviews they can use

● The quantitative study shows most reviews are short: 63% are under 10 words (short generic reviews may be preferable because they are less noticeable to Google’s fraud detection)

Example reviews shown on the slide: “Good”, “nice”, “Love it”, “Like it”, “Nice app”, “Great app”, “Excellent”

Page 10

Solutions

A list of vulnerability points in the ASO workers’ workflow laid out by the authors, and how defenders can exploit them to detect and prevent fake reviews

Page 11

Solutions

● Proactive fraud monitoring

○ Infiltrate WhatsApp and Facebook groups that recruit new ASO workers for fraudulent reviews

● Device fingerprinting

○ Can see device models and their popularity in different countries

○ Can be used to detect fraudulent reviews, but ASO workers can also use it to blend in

Page 12

Solutions

● 1-to-1 review to device

○ Currently an app can be reviewed once from each Google account on a device

○ Enforce 1 review per device for 1 app

● Organic fraud detection

○ Use account activity levels to differentiate inorganic accounts

● Monitor review feedback

○ Users should only be able to upvote/downvote reviews of apps they have installed

Page 13

Solutions

● Verify app install and retention

○ Verify the app is or has been installed on the device before accepting a review

● Account validation and revalidation

○ Ask for revalidation at random times

● App usage

○ Post-review behaviours may differ between fraudulent and real users

Page 14

Solutions

● Mislead ASO workers through fraud attribution

○ Show removed fake reviews only to the accounts that created them

● Once a cheater, always a cheater

○ Monitor overlapping accounts that review apps by the same developer
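As an added illustration (not code from the paper or the presentation), the following Python sketch runs the detection signals from the Solutions slides over constructed review records: one review per device per app, a verified install before reviewing, bursts of reviews from one account, the short generic phrases quoted earlier, and overlapping accounts across one developer's apps. The `installed` field is an assumed install-attestation signal from the store backend, and the thresholds are illustrative.

```python
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

# One review record; `installed` is an assumed install-attestation signal from the store backend.
Review = namedtuple("Review", "account device app developer text posted installed")
# Generic phrases quoted on the slide; a weak signal on its own, so it is only one of several checks.
GENERIC = {"good", "nice", "love it", "like it", "nice app", "great app", "excellent"}

def flag_reviews(reviews, burst=5, window=timedelta(hours=1), overlap=2):
    """Map (account, app) -> list of reasons, one check per signal on the slides."""
    flags = defaultdict(list)
    per_device_app = Counter((r.device, r.app) for r in reviews)   # 1-to-1 review/device
    by_account = defaultdict(list)                                  # extended account use
    dev_apps = defaultdict(lambda: defaultdict(set))                # developer -> account -> apps
    for r in reviews:
        by_account[r.account].append(r.posted)
        dev_apps[r.developer][r.account].add(r.app)
    # "once a cheater": groups of accounts that all reviewed the same 2+ apps of one developer
    overlapping = set()
    for accts in dev_apps.values():
        groups = defaultdict(set)
        for acct, apps in accts.items():
            if len(apps) >= 2:
                groups[frozenset(apps)].add(acct)
        overlapping |= {a for g in groups.values() if len(g) >= overlap for a in g}
    for r in reviews:
        reasons = flags[(r.account, r.app)]
        if per_device_app[(r.device, r.app)] > 1:
            reasons.append("multiple reviews of one app from one device")
        if not r.installed:
            reasons.append("no verified install before review")
        if sum(abs(t - r.posted) <= window for t in by_account[r.account]) >= burst:
            reasons.append("burst of reviews from one account")
        if r.text.strip().lower() in GENERIC:
            reasons.append("short generic text (weak signal)")
        if r.account in overlapping:
            reasons.append("overlapping accounts across one developer's apps")
    return {k: v for k, v in flags.items() if v}

T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE = [  # constructed records, not data from the paper
    Review("a1", "d1", "appX", "devA", "Great app", T0, True),
    Review("a2", "d1", "appX", "devA", "nice", T0 + timedelta(minutes=5), False),
    Review("a3", "d2", "appX", "devA", "Tracks my runs well, export crashes", T0, True),
    Review("a1", "d1", "appY", "devA", "Love it", T0 + timedelta(minutes=10), True),
    Review("a2", "d3", "appY", "devA", "Excellent", T0 + timedelta(days=1), True),
] + [Review("a4", f"d{i+10}", f"app{i}", "devB", "Good", T0 + timedelta(minutes=i), True)
     for i in range(5)]
```

Running `flag_reviews(SAMPLE)` leaves the genuine-looking review from account a3 unflagged and lists several reasons for the others.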

Page 15

Conclusion

● The novelty of this paper lies in interviewing people actually involved in the fake review creation process

● Validated insights have been gained into their techniques and processes

● From these insights, some solutions have been suggested as to how we can prevent and detect such behaviour

Page 16

Thanks for listening!