App promotion cheating insider series: machine brushing!

In the Android environment, machine brushing is without a doubt the most commonly used method of APP promotion traffic cheating. Together with meat brushing (manual brushing), it is one of the two most important means of brushing volume. The difference from meat brushing is that there is no horrifying scene: no room filled with thousands of machines of various models, operated by several slightly fat girls. There is almost nothing to see; it is still water running deep. Its harm is nevertheless the greatest, and it affects the widest range of APP types. Not only does it account for the largest proportion of cheating traffic, but it is also relatively difficult to prevent, second only to silent installation. Machine-brushing prevention is the most important part of App anti-cheating technology.

Cheating can generally be divided into three categories:

1) Decompile the APP:

As the name suggests, this means decompiling the APP code (for example, an Android APP). If the APP can be decompiled directly, its business logic (for example, new user registration) can be worked out at the code level and simulated directly in the attack software. Compared with cracking the communication protocol or running automated simulation in a virtual machine, this attack method is the best option for all attackers.

Unfortunately, this is not the focus of this article. APP decompilation will be covered in a separate article.

2) Crack the APP communication protocol:

Cracking the APP communication protocol means that attackers capture the APP's network traffic, crack the communication protocol, and then simulate the interface calls. Many companies that claim to be able to brush Umeng or other statistics SDKs are actually taking this path.

Again, this part is not the focus of this article.

3) Automated simulation in a virtual machine:

Install a virtual machine and simulate user behavior through virtual machine technology; this is what we call machine brushing. Although this technique is relatively stupid compared to the previous two, stupid methods are often good methods because they are feasible.

A Brief Analysis of Virtual Machine Cheating Methods

One principle that everyone follows, hackers and cheating teams included, is to consider the cost. Machine brushing is a very complex systems engineering project. No team starts from scratch; all of them build on the work of others. First of all, there are only two underlying virtual machine systems: one is BlueStacks and the other is VirtualBox. Almost all virtual machines on the market, regardless of their names, are developed based on these two.

On top of these two virtual machine systems, a group of controllable robots is built to continuously simulate human behavior, including logging in, registering, making various requests, accessing, browsing, etc. These are the behaviors of machines in the digital world.

(The cheating methods cover a very wide range. I will explain the specific content of the cheating methods later when I have the energy. Your praise is the best encouragement for me!)

From a business perspective, you can add verification codes to reduce losses from cheating, but the user experience will be worse, and what is even more frightening is that you cannot ask every user to fill in a verification code. Such a threshold can only be put in front of suspicious users.

Machine brush cost composition:

1) Hardware cost: Almost no hardware investment is required;

2) Software cost: For teams without R&D capabilities, software is a huge part of the cost, because they need to purchase customized virtual machine software on the black market;

3) Development cost: For most machine brushing teams, their biggest advantage is their ability to research virtual machines on the Android system. Their competitive advantage also lies in their understanding of virtual machines and their control of network resources;

4) Other costs: proxy IP library, mobile phone number registration costs, etc. These are all purchased from suppliers.

Volume and purpose:

Machine-simulated volume can be mixed into natural traffic to pad the volume, or it can be mixed into incentive traffic to pad the volume.

On iOS, machine-brushed volume is sometimes used to pad ASO volume, but due to Apple’s improved anti-cheating capabilities, the prevalence of this practice has been temporarily curbed.

Simulation

The degree of simulation depends entirely on the practical skill of each team. Below we list the levels that can be achieved in theory:

1. Activation simulation: Activation can be completed

2. Simulation of key parameters:

a) Retention rate: can be faked

b) Online time: can be faked

3. Hardware parameters:

a) IMEI: can be imitated

b) MAC address: can be forged

c) IMSI: can be imitated

d) Other hardware parameters: Most can be imitated

4. User behavior pattern simulation: Theoretically, it can be simulated, but the cost is high.

5. Group characteristics: In theory, they can be imitated, but the cost is very high.

Identification and prevention methods

In the evolution of cheating and anti-cheating, machine-generated volume is becoming increasingly difficult to identify. The priority order of the key indicators currently used is as follows:

1) IP characteristics and location information;

2) Group behavior;

3) Abnormal emulator environment;

4) Abnormal user behavior;

Some indicators that were once commonly used have gradually been evaded by brushing teams, such as:

1) Abnormal retention rate, startup frequency, and online time;

2) The device information is abnormal.
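
An added example (not from the original article) of how the first three indicators above can be combined on the server side, with a verification code shown only to installs that trip several signals at once. The event fields, thresholds, hint strings and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network
from statistics import pstdev

# Substrings often reported in build properties by stock emulator images.
# A customized virtual machine can overwrite them, so this is a weak signal.
EMULATOR_HINTS = ("generic", "goldfish", "vbox86")

def subnet(ip, prefix=24):
    """Collapse an IPv4 address to its /24 so proxy-pool neighbours group together."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))

def score_installs(events, min_cohort=5, max_spread_s=3.0):
    """Return {device_id: sorted reasons} for installs that look machine-brushed."""
    cohorts = defaultdict(list)
    for e in events:
        cohorts[subnet(e["ip"])].append(e)
    reasons = defaultdict(set)
    for members in cohorts.values():
        delays = [m["reg_delay_s"] for m in members]
        # IP characteristic: an unusually dense cohort behind one subnet.
        dense = len(members) >= min_cohort
        # Group behavior: real users register after widely varying delays.
        uniform = dense and pstdev(delays) <= max_spread_s
        for m in members:
            if dense:
                reasons[m["device_id"]].add("dense_subnet")
            if uniform:
                reasons[m["device_id"]].add("uniform_timing")
            if any(h in m["hardware"].lower() for h in EMULATOR_HINTS):
                reasons[m["device_id"]].add("emulator_hint")
    return {d: sorted(r) for d, r in reasons.items()}

def needs_challenge(reasons, threshold=2):
    """Only installs with several independent signals get a verification code."""
    return sorted(d for d, r in reasons.items() if len(r) >= threshold)

# Constructed sample events (not real traffic): six scripted installs, three others.
SAMPLE = (
    [{"device_id": f"bot{i}", "ip": f"198.51.100.{10 + i}",
      "reg_delay_s": 30 + i % 2, "hardware": "qcom"} for i in range(6)]
    + [{"device_id": "u1", "ip": "203.0.113.7", "reg_delay_s": 95, "hardware": "qcom"},
       {"device_id": "u2", "ip": "192.0.2.44", "reg_delay_s": 410, "hardware": "mt6765"},
       {"device_id": "u3", "ip": "192.0.2.90", "reg_delay_s": 12, "hardware": "vbox86"}]
)

if __name__ == "__main__":
    print(needs_challenge(score_installs(SAMPLE)))
```

The six scripted installs carry ordinary-looking hardware values and are caught only by the subnet and timing signals, while the single emulator hint on its own stays below the challenge threshold.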

This article was written by @量江湖 and compiled and published by (APP Top Promotion). Please indicate the author information and source when reprinting!
