Monday, 5 September 2016

The underground industry that manipulates Play Store ratings, and any other rating community.

We cannot really post images on Reddit, so we had to set up a new blog to post this. Feel free to discuss on the Reddit post or write to us directly:

What's happened to our app?

So we have been developing our Android VPN app. It's not an easy thing to build, as anyone familiar with Android's VpnService interface will know.

After a few months of hard work, we released our first version at the end of July. Initially it was great! Without any marketing we had more than 100 downloads in the first few days, with all 5 reviewers giving us 5 stars! (Fine, I rated the first one myself.) We were even daydreaming that the Google folks would notice it and put us on the Editors' Choice list.

In the second week there was a 1-star and a 2-star rating, which diluted our score to 4.5. But that's not too bad. Using the crash report that came with them, we managed to optimise our memory usage and released an enhanced new version.

The following week was rewarding. Our enhanced version was getting more downloads, and all 11 new ratings were 5 stars! On Aug 20 our overall score climbed to 4.7!

That sounds like a perfect world, doesn't it? You work hard, you get rewarded.

But it isn't.

Starting from Aug 20, we have been receiving one 1-star rating every day with no obvious reason, which cut our rating down to 4.08 in 2 weeks.

This is definitely fatal to a new app:

As expected, our installs have dropped as well:

which absolutely makes sense. If you see 2 VPN apps in your search results, one rated 4.5 with 10 million downloads and the other only 4.1 with 10k downloads, you wouldn't even download the second one, would you?

Why do we think our rating is manipulated?

Unlike the earlier one-star rating, we suspect this time our rating is being manipulated by one of our competitors, for the following reasons:

  1. Most of the bad ratings arrive between 12pm and 2pm Hong Kong time. However, Google Analytics says there are almost no installs during that period at all. (Unless Google always notifies owners during this period? Can anyone confirm this?)
  2. Our retention rate has been quite stable throughout the past 2 weeks, which means whoever installs the app is still enjoying it.
  3. The app itself is working fine. No crashes reported from various channels:
  4. The VPN servers are working fine. Our Chrome extension, which uses the same set of servers, is still getting (nearly) full marks:
  5. Most of the one-star reviews are anonymous. Those with review text don't really make sense. Like this one: hey, we are not even published in China!
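As an added illustration (not part of the original post), the first two points above can be turned into a check a developer can run over their own rating and install exports: compare the share of 1-star ratings that land in a local-time window against the share of installs in that same window, and count bad ratings per local day to spot a steady "one per day" drip. The events below are constructed sample data, the 12pm to 2pm Hong Kong window comes from the post, and the export format and the thresholds are assumptions chosen for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Hong Kong has no daylight saving, so a fixed UTC+8 offset is accurate.
HKT = timezone(timedelta(hours=8))


def parse_utc(ts):
    """Parse 'YYYY-MM-DD HH:MM' as a UTC timestamp (export format is an assumption)."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample data, not real Play Console data: one 1-star rating per
# day landing around 13:00 HKT, while installs are spread across the day.
RATINGS = [
    (parse_utc("2016-08-21 05:10"), 1),  # 13:10 HKT
    (parse_utc("2016-08-21 10:30"), 5),
    (parse_utc("2016-08-22 01:30"), 5),
    (parse_utc("2016-08-22 04:45"), 1),  # 12:45 HKT
    (parse_utc("2016-08-23 05:30"), 1),  # 13:30 HKT
    (parse_utc("2016-08-23 16:50"), 5),
    (parse_utc("2016-08-24 05:05"), 1),  # 13:05 HKT
    (parse_utc("2016-08-25 20:00"), 1),  # 04:00 HKT the next day
]
INSTALLS = [parse_utc(t) for t in (
    "2016-08-21 00:30", "2016-08-21 10:00", "2016-08-21 15:45",
    "2016-08-22 01:10", "2016-08-22 12:00", "2016-08-22 22:30",
    "2016-08-23 02:00", "2016-08-23 09:15", "2016-08-23 16:40",
    "2016-08-24 04:30",  # 12:30 HKT: the only install inside the window
)]


def in_window(ts, tz, start_hour, end_hour):
    """True when the event's local hour falls in [start_hour, end_hour)."""
    hour = ts.astimezone(tz).hour
    return start_hour <= hour < end_hour


def window_share(events, tz, start_hour, end_hour):
    """Fraction of events inside the local-time window; 0.0 when there are no events."""
    if not events:
        return 0.0
    hits = sum(1 for ts in events if in_window(ts, tz, start_hour, end_hour))
    return hits / len(events)


def rating_window_anomaly(ratings, installs, tz=HKT, start_hour=12, end_hour=14,
                          bad_max_stars=1, min_bad_in_window=3, ratio_threshold=3.0):
    """Flag when bad ratings cluster in a window where installs do not.

    The thresholds are illustrative assumptions, not published Google rules:
    at least `min_bad_in_window` bad ratings in the window, and the bad-rating
    share at least `ratio_threshold` times the install share.
    """
    bad = [ts for ts, stars in ratings if stars <= bad_max_stars]
    bad_share = window_share(bad, tz, start_hour, end_hour)
    install_share = window_share(installs, tz, start_hour, end_hour)
    bad_in_window = sum(1 for ts in bad if in_window(ts, tz, start_hour, end_hour))
    if install_share == 0.0:
        # No installs in the window at all: any bad rating there is unexplained.
        ratio = float("inf") if bad_share > 0 else 0.0
    else:
        ratio = bad_share / install_share
    return {
        "bad_share": bad_share,
        "install_share": install_share,
        "ratio": ratio,
        "suspicious": bad_in_window >= min_bad_in_window and ratio >= ratio_threshold,
    }


def bad_ratings_per_day(ratings, tz=HKT, bad_max_stars=1):
    """Count bad ratings per local calendar day, to expose a steady one-per-day drip."""
    return Counter(ts.astimezone(tz).date().isoformat()
                   for ts, stars in ratings if stars <= bad_max_stars)


if __name__ == "__main__":
    print(rating_window_anomaly(RATINGS, INSTALLS))
    print(dict(bad_ratings_per_day(RATINGS)))
```

On the constructed data, 4 of the 5 one-star ratings fall in the 12pm to 2pm window while only 1 of 10 installs does, so the bad-rating share (0.8) is 8 times the install share (0.1) and the check flags the window; shifting the window to an evening slot with no clustering yields no flag. The same two functions run unchanged over real exports once the timestamps are parsed into aware UTC datetimes.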

Shocking fact: there is an industry that manipulates Play Store ratings, and any other rating community.

While we were investigating the ratings, I found something on Taobao that was really astonishing to me.

For those new to Taobao: this is the Chinese eBay + Amazon under the Alibaba group. Yes, the one listed on Nasdaq last year. Taobao was started in mainland China around 10 years ago and is now getting more and more popular in Hong Kong and other greater China areas as well.

This screenshot is the search auto-completion for "Play Store"; the first few suggestions are:

  • Buy Android Play store volumes (I take it as downloads and reviews)
  • Buy Android Play store top charts (how?)
  • Buy Android Play store source code (really?)

There are hundreds of service providers for each keyword. Take "Buy Android Play store volumes" as an example; each thumbnail is a provider:

Click into one of them: new account registration + download + 5-star rating with a review costs only 1 RMB, which is about US $0.15. According to the sales history they have sold 50k units so far.

Looking at the description, they even provide a legitimate receipt from the Chinese government:

Let's do the math. Say there is a new app out there whose first 100 ratings are all 5 stars. For such a star product, you only need to pay $15 ($0.15 x 100) to pull the average from 5 to 3. That is low enough that no one will even bother trying it out from now on (like ours).

Yes, it would be risky to buy good reviews for your own app. Google can detect unnatural patterns and delist your app. But I cannot think of any risk if you pay people to downvote your competitor's product. What can Google do? Delist your competitor's app? :)

To me the most astonishing part is not the existence of the industry, but the way they have made it so easy to access, at such an affordable price, without any risk.

Taobao is only the market I am personally familiar with. Surely any of our competitors will have access to a similar service in their own marketplace. It's not really

How does it work?

So how does this industry work? It's not straightforward to me at all. If I were running a Taobao shop I could hardly make it break even.

First of all, $0.15 is not enough to hire anyone on the planet to register an email -> register a Play Store account -> download a certain app -> upvote / downvote the app, etc. No, not even in mainland China in 2016. The whole process has to be automated.

Additionally, this automation cannot be a simple script chaining steps together. It needs to be intelligent; otherwise it's very easy to get caught, especially by Google, which has many years of experience protecting PR from being manipulated by the SEO industry.

In order to make ratings look more natural, you would need to make your script really smart, something like:
  1. Only x% of people downloading the app will rate it. Of course, x would be the industry average, which differs for each country / category etc.
  2. A few random apps should be installed and rated before the targeted app, so that it looks like a real user.
  3. Your script would need to fool the Play Store into thinking you are from different parts of the world, using different internet providers. You don't want 1,000 5-star ratings from the same IP belonging to Hong Kong Broadband claiming to be 1,000 unrelated users.
  4. etc, etc, you get the picture
Unless, unless you already have a list of accounts representing a natural distribution?

Hmm, that's a good and scary guess. A simple Google search confirmed this is (sadly) actually doable. Now everything makes sense, at least to me.

First there is a group of people writing trojans / malware. I call them broiler farmers. They write and spread malware to infect Android phones (the broilers). Before writing this I thought a sandbox-based architecture was very hard to infect, because the OS strictly limits what an app can do, and security issues should only be a concern for rooted phones. I was so wrong:

Broiler farmers are eager to sell their broilers, but it's hard for them to market. It's not fun at all to risk 20 years in jail unless the selling channel is secure. So they would only deal with stable broiler brokers who can continuously bring them buyers without the buyers being aware they are actually buying broilers.

The rating manipulation industry is a perfect broiler broker. They are eager to find a natural distribution of broilers to cast votes for their clients. At the same time, their clients don't really care how this is done.

This union can be really powerful. A big broiler farm can easily provide an interface like this:
  1. Give me 20 users who have used the Play Store for at least 2 months: 10 from the US, 2 from Canada, 3 from the UK, etc.
  2. Over the next 20 days, have one of them per day download a certain app and open it once or twice in the following 24 hours.
  3. 5 of them uninstall the app within 24 hours, and another 5 uninstall within the coming 7 days.
  4. The remaining 10 people each give a 5-star rating at some point in the next month.
How does that sound? Would you be able to detect the pattern if you were Google? This is just one example. In fact, broiler farmers are so powerful that they can collect any data without worrying about any privacy policy. They can in theory produce perfectly natural traffic that is impossible for any pattern recognition algorithm to catch.

Disclaimer: I have no proof at all of how the industry works. But I strongly feel this is one of the possibilities.

What else (good) can we do?

Obviously we won't give up. How can we leave our innocent users to those assholes? :) But sadly there isn't much we can do apart from checking crash reports and server logs.

We tried to contact Google. As expected, the response was some standard, already-known guidelines. Anything else? Any suggestions will be much appreciated!

PS: if you want to help test, then here is the link. Please, please, please do tell us if you think there is indeed something wrong with the app. We really hope it's something we can actually improve by ourselves.

I guess I am still young. We would like to build great products instead of dealing with this xxxx.

Thanks for your time!