The Ad Fraud Problem

Nobody likes to talk about ad fraud. Companies don’t like to admit that they don’t exactly know how to provide a solution for one of the biggest problems the mobile industry is facing, a problem that’s costing marketers up to $19B.  According to the World Federation of Advertisers by 2025, global ad fraud costs could potentially reach $50 billion annually, and with the way things are looking that hardly comes as a surprise.

Mobile app fraud takes many forms which doesn’t exactly make things easier. Here are several app fraud types that are costing companies major $$$.

Types Of Mobile App Fraud

Install Fraud

To simplify, install fraud is made up of fake clicks and fake users. To complicate there are actually various techniques fraudsters use.

Mobile fraud bots – A bot is a code that mimics user behavior. Mobile fraud bots are quickly becoming the most common type of mobile fraud.  Open source SDK is more exposed to this type of fraud because it is easier to infiltrate.

Install farms – App install farms are real physical locations that hire workers to install and engage with apps. By generating fake clicks, installs, and even post-install events, and engaging with the app for a limited time, app install farms destroy retention and engagement-based mobile campaigns.

Incentive installs– Incentivized installs are installs that were generated as a result of a promotion or an offer. For example, offering shoppers a $5 coupon if they download another shopping app. Incentivized traffic can drive many installs but may often result in low retention and quality. Incentivized traffic by itself is not considered fraud. However, trying to conceal incentivized traffic is.

SDK Spoofing – SDK Spoofing comes from the mobile fraud bot family.  Fraudsters add a piece of code to an app which sends a simulated ad click, install, and engagement signals to the attribution provider on behalf of another app. Often, these bots can fool an advertiser into paying for thousands of installs that never happened.

Attribution Fraud

Unlike install fraud that generates fake clicks and installs from fake users, attribution fraud generates fake clicks and installs from genuine users that might have seen the ad but didn’t click.

Click Spamming– Click spamming is a type of fraud that occurs when fraudsters execute clicks for users who haven’t made them.  Basically, users are not aware that they’ve been registered as interacting with an advertisement. That’s because in reality,  they never even saw an ad. As a result, users may install an app organically but a fraudster will claim they have seen an advertisement, meaning the conversions will be attributed to a source that had nothing to do with the install.

Click Injection– Click injection is a form of click-spamming. Fraudsters know how to recognize when users download other apps on their device. They use that knowledge to trigger clicks before the install is finished.  As a result, the fraudster will receive the credit for that install.

Ad StackingAd stacking happens when mobile apps or websites stack multiple ads beneath one another when in fact, only one impression is served and various advertisers are billed.

Looking Mobile App Fraud In The Eye

We would be full of **** if we told you we have all the answers to the mobile app fraud problem. We don’t, but we’ve made it our mission to roll up our sleeves and get dirty because the only way to fight fraud is to look it in the eye, catch it, and kick its butt.

Here are 5 ways we’re doing just that.


  1. We Prevent It In The First Place

One of the main ways we’re fighting fraud is by preventing it in the first place. This sounds obvious but trust us when we tell you that we don’t throw the word prevention in the air without backing it up. Every single time a publisher signs up to the Appnext platform we make sure to check the following:

Account Settings – Once a publisher registers we thoroughly review his accounts settings.  To understand if the publisher is suspicious we look at various factors.

We check if the registered IP is unique, the number of registered accounts for that IP, and how many accounts were blocked from that specific IP by our system. We also check that the payment method such as Paypal or bank account is authentic.

When reviewing the account settings we look to see if the app actually belongs to the publisher and that the traffic actually arrives from the app uploaded to the platform.

Blacklist – We don’t allow publishers who were previously blocked to activate their accounts or open a new account with different settings. How do we recognize this activity? By checking every parameter that can be linked to an account that was blocked (Paypal account, IP, app package).

Content- We review every single publisher app or website to make sure they are not promoting inappropriate content such as adult, incentivized content, or any other non-transparent sources.

Evaluating the accounts settings gives us valuable insights into publishers intentions and activities and helps us block fraudsters before they get started. Prevention is the first step we take to fight fraud to ensure that our partners can cooperate with reliable publishers that deliver valuable results.

  1.  We Evaluate Users & Their Traffic

When checking and monitoring our publishers, our fearless fraud fighters are faced with recurring fraudulent activities.

Here’s how we recognize them:

Incentivized Traffic

When we suspect a publisher is promoting an app with an incent, meaning a user is offered something in return for installing the app (extra life in a game, game currency etc.), we make sure to let these sources know it’s GAME OVER.

How do we do it?

  • If the conversion rate from click to install is too high
    We check how the campaign works with all of our publishers. If we see abnormal activity like numbers that are just too good to be true… we know it’s fraud.
  • Retention / post-install activity
    We look out for users who download the app, open it once, and disappear without saying goodbye.
Click Spamming

Some publishers try their luck and bombard campaigns with “clicks” in hopes that some users might download the app organically, that way they’ll get the attribution for that user without showing any ad.

Here’s how we catch these spammers:
  1. Our system stops publisher activity if it generates an extremely low conversion rate from click to install.
  2. If the CTIT (click to install time) is evenly distributed along the attribution window it is an indication of click spamming. The expectation is to see the majority of installs “closed” in the first hour from the click, with remnants coming after.

Below is an example of click spamming distribution:

mobile app fraudClick Injection

The notorious fraud also known as click hijacking: This happens when a publisher “injects” a click right after the real click was made, and before the app was opened for the first time getting the install attributed to him.

To identify this fraud we look at the CTIT. If the CTIT is too low (Varies from app to app, Geo to Geo etc.) It is an indication of click-injection.  Click injection installs are usually installs with a CTIT of under 10 seconds.

Below is an example of click-injection distribution:

click injectionBot Traffic

When we suspect a publisher is creating false installs by using emulators/ bots, we examine several parameters to determine if it is indeed fraudulent or not:

    1. User Agent ratio: The UA is a combination of data points (OS, browser type, browser version, etc.) that create a certain profile.  If we identify a publisher with many installs coming from the same/similar UA we can conclude that an emulator is being used.
    2. IP ratio: If we see publishers that are delivering installs in bulk from a specific IP we mark them suspicious and further investigate.
    3. IP blacklists: Top fraud prevention companies such as MaxMind & Forensiq provide us with data on problematic IP’s and proxies that we block from our system.
    4. Abnormal device settings: When bots randomly generate device information that doesn’t add up, for example, wrong device ID format, non-existent OS versions or operators etc. We monitor this information, block it out, and kick the perpetrators out.
    5. Low user retention / post-install events: We check publishers performance results compared to average results in specific campaigns. If results are relatively low, it indicates that the users are most likely fake. We also look for certain patterns. For example, if all of the users drop at the exact step in the events funnel we know something’s not right.
    6. Installs from the same device ID from multiple GEO’s: Our system identifies when the same device ID “installs” different apps from several GEO’s, something obviously impossible.. Unless you’re a bot. We don’t like bots.
    7. Abnormal traffic hours: If we see a massive amount of clicks in abnormal hours, for example in the middle of the night, it is likely that a VPN or a bot were involved.
App Install Farms

Many of the app install farm activities are similar to those of bots. They are similar because both app install farms and bots create fake user activity.

  • If we see that the click IPs come from different countries while the install IPs are from the same location we know that we are dealing with an app install farm.
  • If the device language is not the main target GEO we know it’s fake.
  1.  We Have Automated Reporting

An automated report showing irregular traffic for publishers and sub-accounts is sent to our success managers. Basically, if there is monkey business on our platform rest assured that we know about and are taking care of business.

app fraud

  1. We Partner With Leading Attribution Companies.

This is the part where we name drop. We only work with the leading attribution partners that care about fraud just as much as we do.

Some of our partners include:

  • Adjust
  • Appsflyer
  • TUNE
  • Apsalar
  • CAKE
  • HasOffers
  • Kochava
  • MAT
  • Tenjin
  • Voluum

We also work closely with Forensiq, an award-winning fraud detection platform that uses machine-learning and advanced bot fingerprinting to identify and block ad fraud.

  1. We Block Until They Drop

We make sure to address each and every advertiser complaint and block publisher accounts according to their feedback. In addition, we recently released a new feature that enables advertisers to take matters into their own hands and put a stop to underperforming sub-accounts. Advertisers can block specific sub-accounts instead of blocking the entire network. This enables them to reach more network publishers when running their campaign without compromising conversion rates.

There’s no beating around the bush… mobile app fraud is a plague. When left untreated it creates a lose-lose situation. We don’t have all the answers. We haven’t found a magical cure for all the SDK spoofing,  click injections, bots, or ad stacking that’s taking over the industry, and we can’t fly around the world and shut down all the app install farms. We can, however, recognize the symptoms and rise to the challenge to kick fraud’s butt!

A huge thank you to Moran Kriheli,  our BI analyst & Fraud specialist, and  Tomer Weisman our Attribution & Fraud Analyst for helping with this piece and for continuing the fearless fight against fraud!

For questions feel free to reach out to our support team.

Related content: Scariest fraud stories 


Marketing Manager

Write A Comment