In-brief: Here, I share longitudinal data showing that blackhat ASO campaigns designed to improve the ranking of apps that collect cheating and marital infidelity stories have worked.
A year ago my Threat Research exposed a “Blackhat App Store Optimization (ASO)” attack campaign. The goal of the campaign was to manipulate app store rankings and grow visibility for an app that allows users to share their cheating and infidelity stories.
The attack method I used relied on fake downloads and ratings to increase visibility and rankings on the app store. By doing so, the apps created various trust ratings for the promoted app. The expected result? The reviews, ratings, and downloads would eventually lead to growth in the app’s ranking, driving traffic, and increasing awareness in the app store search engines.
The success of ASO ranking manipulation is a product of time and fake downloads/ratings. In order to determine whether such “black hat ASO” manipulation was successful, I measured the promoted app’s ranking over the past year to see whether the Blackhat SEO “worked.” In this post, I am presenting my results:
How to Measure Success?
The ultimate goal of any ASO campaign is to get as much visibility as possible for the promoted app. In order to evaluate such visibility, I used the following measurements:
I checked for the presence of the promoted app in the top app store search results pages when searching for related keywords and terms.
I tracked the app’s ranking over time with an ASO tool that measures how an app is performing relative to all other apps in the app store.
App stores can be considered the “front page” of mobile search. Apps that appear on that “front page” have a huge amount of visibility and can yield significant revenue. For example, simply imagine the impact on the revenue of an e-commerce app selling shoes that appears in the primary search results when users search for the term “buy shoes.”
In the case of the “cheating” app, when I searched for several related keywords and terms in leading app store search engines, I was able to see that in many cases the “cheating” app appeared in the top search results, meaning the blackhat ASO goal was achieved. Moreover, according to an ASO tool, more than 33% of visits to the “cheating” app came from the app store search engines.
Another good way to measure an app’s ranking is by using app or ASO analytics tools that measure how an app is doing relative to all other apps on the app store over the past three months. In most cases, such a ranking is calculated by combining the estimated average of daily downloads and reviews.
I monitored the ranking of the “cheating” app using ASODesk during the past year. Its ranking increased dramatically over the year, from being ~1 thousand in the world in January 2015 to being ~1 hundred in the world in December 2016.
More importantly, judging from what I can observe, the ranking of these apps is still improving.
Summary
While it is certainly possible that part of the growth of the “cheating” app ranking in the past year is the result of legitimate app promotion, the existence of many maliciously promoted apps across the app store leaves little doubt: the outstanding growth in the app store ranking is the result of “Blackhat ASO” activity.
Most of the reskinned apps are small/medium apps that lack originality, design, robust security controls, and maintenance. However, a blackhat ASO campaign can still succeed due to the fact that it is related to the promoted apps’ line of business. Promoting legitimate businesses using “blackhat ASO” may result in business competitors pulling the plug on their rivals’ “blackhat ASO” campaigns. But, when promoting controversial apps, the chances are low that competitors will speak out.
Getting into the leading app store search engines’ top results page is a significant milestone for any ASO campaign. That achievement typically increases traffic from legitimate users, increases app ranking, and may result in financial benefits such as increased revenue or valuation. And while you know who specifically is behind this “black hat ASO” campaign (me), we still do not know if it will have the same outcome next year, which in and of itself is quite interesting. Unfortunately, “blackhat ASO” is working!