Smartphone Software Application Logs Reveal Fictitious User Activity
ESI Analyst Uncovers Automated User Profile Creation within App
Case Type: Data Analysis
Data Types: COMPUTER LOGS, GEOLOCATION
If you want something done, the saying “There’s an app for that” isn’t far behind. One of ESI Analyst’s Channel Partners was approached with a unique problem. One of their clients had an issue where users of a commercial smartphone app were suspected of inundating it with fictitious profiles using some sort of automated smartphone emulation or “bot” technology. The database for the application was not readily available. However, there were a significant number of application logs that had recorded each end-user’s interaction with the application.
The task presented to the Channel Partner was to analyze a subset of the logs to discern if any of the information contained within could be leveraged to identify the fictitious profiles. Initial analysis was performed to isolate the various types of log entries contained within each log. Each entry was then mapped to a “type” and various data points were extracted including the User ID values, date and time stamps of each entry, and various other identifiers that correlated to specific device activity. Included with some entries were longitude and latitude values, representing the location of an end-user when certain types of application requests were performed.
ESI Analyst’s Partner Services team, in conjunction with the Channel Partner’s experts, was able to formulate a plan to extract and normalize the relevant fields identified from the application logs. Because ESI Analyst examines each individual log entry as a single record instead of treating the log as a “document”, the requested analysis could be accommodated once the process of data normalization was complete.
Longitude and latitude values were included where available and ingested into the system, allowing for a coordinate lookup that enables ESI Analyst's map clustering technology. Initial analysis was performed against a smaller subset of records spanning a one-week time period. Once the data was ingested, an interesting pattern of activity was quickly revealed. Over 125,000 locations were processed, and of the coordinates mapped, close to 45,000 of them came from one distinct location. This location was found to be suspect given that its accuracy was to the 7th decimal, indicating precision of 1.1 centimeters. However, it was the clustering of activity at this one location that became revealing.
Leveraging this location in conjunction with each log entry’s corresponding User ID value, it was determined that over 25,000 of the smartphone application’s users had been at precisely the same location within a single week, some of them within seconds of each other. This location? The middle of a busy street in the heart of a large city! After matching these values to their respective User ID entries, it was determined with high probability that each of the associated profiles was fictitious and had been generated by automated means.
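The check described above (group location entries by exact coordinate, then count distinct User IDs and how close together they arrive) can be sketched as follows. This is an added example, not ESI Analyst's code or the client's log format; the log layout, field names, sample lines and the `min_users` threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines; the log layout and field names are assumptions.
SAMPLE_LOG = """\
2024-03-04T10:15:02Z type=LOCATION user=u1001 lat=40.7580123 lon=-73.9855456
2024-03-04T10:15:04Z type=LOCATION user=u1002 lat=40.7580123 lon=-73.9855456
2024-03-04T10:15:09Z type=LOCATION user=u1003 lat=40.7580123 lon=-73.9855456
2024-03-04T11:02:40Z type=LOGIN user=u2001
2024-03-04T11:03:11Z type=LOCATION user=u2001 lat=40.7411 lon=-73.9897
2024-03-05T08:30:00Z type=LOCATION user=u2002 lat=40.7306 lon=-73.9352
2024-03-05T08:31:00Z type=LOCATION user=u2002 lat=40.7306 lon=-73.9352
"""

ENTRY = re.compile(
    r"^(?P<ts>\S+) type=(?P<type>\w+) user=(?P<user>\S+)"
    r"(?: lat=(?P<lat>-?\d+\.\d+) lon=(?P<lon>-?\d+\.\d+))?$"
)

def parse(log_text):
    """Yield (timestamp, user, coordinate) for each entry that carries coordinates."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m and m["lat"] is not None:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            # Keep coordinates as strings so exact matches are not blurred by floats.
            yield ts, m["user"], (m["lat"], m["lon"])

def shared_locations(log_text, min_users=3):
    """Return {coordinate: summary} for exact coordinates shared by >= min_users users."""
    by_coord = defaultdict(list)
    for ts, user, coord in parse(log_text):
        by_coord[coord].append((ts, user))
    findings = {}
    for coord, events in by_coord.items():
        users = {u for _, u in events}
        if len(users) < min_users:
            continue
        events.sort()
        # Smallest gap between consecutive entries that come from different users.
        gaps = [(b[0] - a[0]).total_seconds()
                for a, b in zip(events, events[1:]) if a[1] != b[1]]
        findings[coord] = {"users": sorted(users), "entries": len(events),
                           "min_gap_s": min(gaps, default=None)}
    return findings
```

A single user repeating one coordinate (u2002 in the sample) is not flagged; only coordinates shared by several distinct User IDs are, which is the signal the analysis relied on.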
Using this sample application log analysis, the Channel Partner’s client was able to evaluate further courses of action for the investigation, as well as begin to quantify the overall damages incurred.