Mobile-to-CTV Spoofing: August 2022 Pixalate study finds 30% of spoofed Roku ‘traffic’ appears to originate from mobile devices, with Apple’s iOS serving as fraudsters’ favorite platform

Global Connected TV (CTV) programmatic ad spend continues to soar, rising 32% year-over-year according to Pixalate’s latest estimates, but this rapid growth also makes CTV a ripe target for fraudsters.

For example, our monthly CTV App Spoofing reports shows how various apps regularly become the targets of App Spoofing. One of the invalid traffic (IVT, or ad fraud) trends that Pixalate has been tracking is mobile traffic presenting itself as Roku (CTV) traffic.

Pixalate conducted a study from June-August 2022 and found that 30% of spoofed Roku traffic appears to actually originate from mobile devices. Of note, Pixalate data indicates that these ad fraud spoofing attempts seem to originate from iOS devices far more often than Android devices:

• 3% of all traffic purporting to be from Roku devices is spoofed, according to Pixalate’s data
• Of that apparently-spoofed Roku traffic, 30% originates from mobile devices
• Over 90% of apparent mobile-to-Roku spoofed traffic comes from iOS devices
• iOS to Roku spoofing almost doubled month over month from July to August from 22% to 40%

Mobile-to-CTV Spoofing, Month over Month:

Top 5 Roku Apps most spoofed by mobile devices

What does mobile-to-CTV app spoofing look like?

In January 2020, we uncovered a major exploit (named “DiCaprio”) where real mobile devices were apparently weaponized by fraudsters to generate fraudulent traffic appearing to be coming from CTV devices. Essentially, the fraudsters modified the bid stream to make the bid requests appear to be coming from CTV devices.

This type of attack has continued to grow and is difficult for buyers to detect and block for a number of reasons, including a lack of awareness of technical solutions, failing to vet sellers, or simply because there are multiple hops involved in the Supply Chain (leaving them unable to reach the device directly). Our clients are able to use our tools to measure and take necessary actions.

For example, here is a sample User Agent a client saw on the bid stream vs. what Pixalate detected for the same impression:

• What the client saw: Roku/DVP-9.40 (939.40E04206A)
• What Pixalate saw: Mozilla/5.0 (iPhone; CPU iPhone OS 15_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148

CTV ad inventory - especially on Roku - remains some of the most valuable inventory in demand. Using iOS devices to spoof this highly-valuable traffic is a tactic fraudsters  continue to use increasingly - with these attempts doubling month-over-month from July to August 2022.

We encourage the ad industry to watch out for this form of spoofing. Wondering what concrete steps you and your organizations can take? Consider participating in initiatives led by trusted players in the CTV space. In particular, keep an eye out for Roku and IAB Tech Lab initiatives, which we believe will help stem the growth of these pervasive forms of spoofing.