LONDON, March 11, 2026 (GLOBE NEWSWIRE) -- Pixalate today introduced the High Risk Apps (HRA) mobile app pre-bid blocklist for the advertising industry that identifies known dangerous and fraudulent apps by combining persistent invalid traffic (IVT) signals, app store compliance indicators, app-ads.txt authorization checks, and privacy risk signals into a unified feed with 9 clear risk reason codes.
The blocklist is a daily-updated list of mobile apps — across iOS and Android — that buyers and sellers use to exclude apps from programmatic ad campaigns before a bid is placed.
Historical ad fraud detection started from scratch on every impression, with each bid evaluated in isolation and disconnected from historical signals. The blocklist aligns with Media Rating Council (MRC) guidance to use lists of "known dangerous or fraudulent sources" in addition to impression-level IVT classifications.
High Risk Mobile Apps Blocklist: 9 Risk Reason Codes
Pixalate surfaces granular risk signals across the programmatic advertising supply chain.
The mobile HRA pre-bid blocklist evaluates each app against 9 risk dimensions. An app can be flagged for multiple risk types simultaneously. Every app on the blocklist is included based on defined thresholds.
| Risk Type | Code | Description |
| High GIVT | highGivt | Apps with General Invalid Traffic rates exceeding 5% over a 3-month rolling window |
| High SIVT | highSivt | Apps with Sophisticated Invalid Traffic rates exceeding 15% over a 3-month rolling window |
| Missing Privacy Policy | missingPrivacyPolicy | Apps missing mandatory privacy policies required by global privacy laws as well as under Google Play and Apple App Store guidelines |
| Abandoned App | abandonedApp | Apps not updated by developers for 3+ years; may be unmaintained, insecure, or non-compliant with current app store requirements |
| Missing app-ads.txt | noAdsTxt | Apps generating ad impressions without a valid app-ads.txt file, indicating unauthorized inventory |
| Developer Anonymity | developerAnonymity | Apps where the developer has missing or unverifiable contact information |
| VPC Bypass Risk | vpcBypass | Likely child-directed apps transmitting IP or location data without Verifiable Parental Consent, risking COPPA non-compliance exposure |
| Delisted App | delistedApp | Apps removed from app stores that continue to generate ad traffic |
| Made for Advertising | mfaApp | Apps designed primarily to generate ad impressions rather than deliver genuine user value, including apps exhibiting ad stacking and other manipulative ad placement tactics |
Each app is tagged with one or more risk reason codes. When an app is flagged for multiple risk types, all applicable codes are visible. This enables buyers to build selective blocking logic — for example, blocking apps flagged for High SIVT while permitting apps flagged solely for Abandonment.
App-Level Risk vs. Impression-Level IVT
The mobile HRA blocklist separates app-level structural risk from impression-level IVT classification. This aligns with the Media Rating Council’s Invalid Traffic Detection and Filtration Interim Update Memo, which distinguishes impression-level IVT measurement from property-level risk reporting.
Impressions from apps on the High Risk Mobile Apps list are not automatically classified as IVT. IVT is now reported only when impression-level invalid signals are detected.
This means IVT reporting reflects impression-level measurement, and app-level risk is reported independently, giving buyers independent control over app-level blocking and impression-level filtering.
Use Cases
For SSPs & Exchanges
- Remove apps where IVT is material, persistent, and inseparable from legitimate traffic.
- Use risk reason codes to apply selective blocking based on risk tolerance and publisher relationships.
- Surface app-level risk independently from impression-level IVT reporting to preserve measurement accuracy.
For DSPs & Agencies
- Pre-bid filtering: Exclude flagged App IDs from campaign targeting.
- Compliance: Block apps flagged for Missing Privacy Policy, VPC Bypass Risk, or Delisted Apps to reduce regulatory exposure.
- Brand safety: Prevent ad spend from reaching MFA apps, abandoned apps, and developers with unverifiable identities.
Data Schema
| Column | Type | Description |
| appId | STRING | The identifier for the mobile app (e.g., "310633997" or "com.whatsapp") |
| bundleId | STRING | The bundle ID associated with the app, if available |
| osName | STRING | Operating system (iOS or Android) |
| riskType | STRING | Comma-separated list of all applicable risk type codes (e.g., highSivt,abandonedApp, missingPrivacyPolicy) |
| appStoreUrl | STRING | URL to the app store listing |
| appStoreName | STRING | Name of the app store (Google Play or Apple App Store) |
Availability
High Risk Mobile Apps blocklist is available as a daily CSV feed delivered through AWS RTB Fabric, APIs, FTP, or S3 bucket through Pixalate's Pre-Bid Blocking Data Feeds.
App-level risk indicators are also surfaced in Pixalate's Analytics dashboard, including a boolean indicator that shows if an app is flagged on HRA and a share of voice of traffic on apps flagged via HRA.
About Pixalate
Pixalate is a global platform specializing in privacy compliance, ad fraud prevention, and digital ad supply chain data intelligence. Founded in 2012 and recognized by UNICEF as a “key innovator” for children’s online privacy, Pixalate is trusted by regulators, data researchers, advertisers, publishers, ad tech platforms, and financial analysts across the Connected TV (CTV), mobile app, and website ecosystems. Pixalate is accredited by the MRC for the detection and filtration of Sophisticated Invalid Traffic (SIVT). pixalate.com
Disclaimer
The content of this press release reflects Pixalate’s opinions with respect to factors that Pixalate believes may be useful to the digital media industry. Any data shared is grounded in Pixalate’s proprietary technology and analytics, which Pixalate is continuously evaluating and updating. Any references to outside sources should not be construed as endorsements. Pixalate’s opinions are just that, opinions, which means that they are neither facts nor guarantees. Pixalate is sharing this information and any associated data not to impugn the standing or reputation of any entity, person or app, but, instead, to report findings and trends pertaining to programmatic advertising activity in the time period studied.
Per the MRC, “‘Fraud’ is not intended to represent fraud as defined in various laws, statutes and ordinances or as conventionally used in U.S. Court or other legal proceedings, but rather a custom definition strictly for advertising measurement purposes. Also per the MRC, “‘Invalid Traffic’ is defined generally as traffic that does not meet certain ad serving quality or completeness criteria, or otherwise does not represent legitimate ad traffic that should be included in measurement counts. Among the reasons why ad traffic may be deemed invalid is it is a result of non-human traffic (spiders, bots, etc.), or activity designed to produce fraudulent traffic.”
Contact: press@pixalate.com
