3 Common Types of Mobile Ad Fraud and How To Spot Them

By Andreas Naumann | February 18, 2019

Andreas is an industry veteran, having worked in digital advertising for well over a decade. He is also a well-known figure in the app industry — and one of the leading innovators in the fight against mobile ad fraud.

Learn more from his Mobile Hero profile.

As of today, over 5 billion people own a mobile phone – of that, it’s estimated that between 3.5 – 4 billion of them are smartphones.

Each of these devices can run a multitude of apps, cope with a demanding range of tasks and receive an array of mobile advertising, but they’re also prey to several forms of malicious ad fraud schemes. These affect both user experience and cost the mobile industry nearly $5 billion dollars globally as of 2018.

If you’re a mobile marketer and you don’t think you’re affected – you’re likely to be sadly mistaken. At Adjust, we find that fraud has affected as much as 90% of an individual campaign, with an average rejection rate of 14% per campaign.

So, what can marketers do about it? As Head of Fraud at Adjust, I work with companies to show them how fraud works – and explain how fraud has affected their campaigns. All too often, the traces of fraud are obvious (at least to me) but marketers are sometimes unaware of how to identify the telltale signs of fraud that’s at work right under their noses.

Below are the three common types of ad fraud that we fight, and how to identify the signs indicating your campaigns might be affected, including Click Spam, Click Injection and Fake Installs. We also have something new to reveal – a new method called Click Validation developed by Adjust, which will significantly reduce the impact of these three forms of ad fraud, helping preserve your budgets.

Click Spam

Click Spamming poaches organic traffic by manipulating the attribution, doing so by executing clicks on behalf of users who don’t know what’s going on.

In terms of performance marketing, fraudsters benefit from Click Spam on the random chance that they receive a payout for installs that occur if a user clicks on one of these ads.

Click Spam comes in many different forms, including ‘stacked ads’, background clicking on websites, in-app background clicks or server-to-server click catalogs. What makes these methods similar is that the ad engagements are faked, though everything else is real.

How It Happens

Click Spam starts as soon as an unwitting user lands on a mobile web page or in an app which a fraudster operates. From there, one of several kinds of fraud could take place:

  • On mobile web pages, fraudsters can execute clicks in the background without visible ads, or ads which could be interacted with. This is especially common if that user is watching a video.
  • In mobile apps, the spammer begins clicking in the background while the malicious app is running, making it look as though the user has interacted with an ad.
  • The fraudster’s app can also generate clicks at any time if the app is running in the background 24/7 (e.g. launchers, battery savers etc.)
  • The fraudster can also send impressions as clicks to make it look as if a view has converted into an engagement, hiding their activity.
  • The spammer could also blatantly send clicks from retargeting lists they took from other advertisers.

What unites these approaches is that a user is not aware that they’ve registered as interacting with an mobile ad. As a result, the user can potentially install an app organically (and likely, by chance). But, because a fraudster will claim they’ve seen an advert, the conversions will be attributed to a source that had nothing to do with the install.

How to Spot Click Spamming

If your ads are subject to very low conversion rates – as in, you’re seeing lots of clicks and impressions on your campaigns, but very little in the way of installs – you’re likely experiencing a form of Click Spamming affecting your advertising.

Also, an even distribution of click-to-first-open times over attributions from a specific channel is usually a good sign that users are not being engaged by advertisement but are, in fact, installing organically.

Click Injection

Click Injections are a sophisticated form of click spam that’s perpetrated on Android devices. With this type of fraud, a fraudster triggers a user’s device at just the right time, with the right information to create a legitimate-looking “ad click” that steals the CPI payout.

How Click Injection Happens

There are two forms of Click Injection. The first we’ll talk about exploits what’s known as the ‘Package_added Broadcast’:

  • After a user has downloaded an app, a fraudster injects a click before the user opens the app. This might be seconds or minutes after the install occurs, but the goal here is to steal attribution between when the install happens and when the user opens the app for the first time.

Another way to inject clicks is based on what’s known as the ‘Content Provider Exploit’:

    • After a user has downloaded an app, a fraudster injects a click before the user opens the app. This might be seconds or minutes after the install occurs, but the goal here is to steal attribution between the install happens and the user opens the app for the first time.
    • Whenever the Content Provider registers a download beginning, the fraudster’s app is notified.
    • They use this chance to inject the fake click between when the user clicked on the install button (Google Play Store) and when the app was downloaded (but not yet opened).

How to Spot Click Injection

There are a few telltale ways to find out if you’re affected. If you run many cost-per-install (CPI) campaigns on multiple different ad networks, you’re more likely to be a target – so look out for these signs:

The first, inconsistent click-through rates, come about because all types of attribution manipulation don’t consistently send impression data. This means while you have a certain volume of clicks, there aren’t impressions to match.

If you also see above average post-install metrics from certain networks, you could be looking at Click Injection. This is mainly thanks to organics being claimed as paid – and as organics tend to be more engaged, metrics get pushed up.

Finally, for the Package_added Broadcast Exploit, it is possible to find an uncharacteristically high amount of installs showing an unusually low CTIT (click-to-install-time, or, more correctly, click-to-first-open-time). This manifests itself when a user that was poached for attribution opens the app very shortly after the app icon becomes available on the homescreen of their device.

However, be sure not to jump to conclusions on this one. This will not manifest for users that take several seconds to react to the new app being available on their device, and this will not give any visibility to the installs poached by the Content Provider Exploit. Check the click times for attribution against the install_begin and install_finish timestamps provided by your MMP to see if there’s an issue.

Fake Installs (and Emulated Behavior)

A Fake Install defines what a fraudster does when they trick an attribution partner into tracking an install that hasn’t taken place on a real device, attributing it to a paid source.

To accomplish it, fraudsters use emulation software to fake installs in an effort to claim advertising revenue. This results in completely fabricated users that only exist to trigger installs based on fraudulent advertisements.

How to Perpetrate Fake Installs

Fraudsters rely on server virtualization or emulation software to simulate many devices at the same time. Then, they use scripting (or macros) to:

  • Open a VPN (or other anonymized) connection to the internet with a fresh IP-Address
  • Create a brand new device
  • Make this device ‘click’ mobile ads
  • Then, on the app store or a pre-downloaded APK file, install it
  • Open the app
  • Fake in-app engagement
  • Close or delete the emulated device
  • Repeat

How to Spot Fake Installs

A high amount of installs with instant drop-off in the user conversions funnel, usually right after the in-app engagement the advertiser is opting their campaign for.

Click Validation: Our Newest Standard in the Fight Against Fraud

Our latest release, Click Validation, works on a very simple premise: for every click we receive, we must also get a matching impression that validates the click.

These days, a leading cause of ad fraud is thanks to clicks passing to attribution providers without any context or proof of actual user engagement. In other words, attribution providers have to take the word of the ad network for what passes as a click.

This lack of proof enables Click Spamming, Click Injection and Spoofed Users to run wild.

So, to stop these prevalent forms of ad fraud, we’ve implemented our simple logic into a solution that will finally prevent them.

With Click Validation, Adjust requires all clicks to be sent with matching impression data. Then, once received, every click and impression is given a shared but unique identification that allows Adjust to connect the two. The shared identifier lets Adjust connect each click to its respective impression, thereby verifying the click.

We’ve developed this method in close collaboration with our partners, including Liftoff, heavily involving the supply-side of ad tech to make sure what we’re creating works for everyone.

This is a completely new approach to fraud prevention in our industry, and is just one of our many initiatives that take the fight to the fraudster. For more, take a look at our white paper on the release for more information.