Fraud means various imitations aiming to meet advertisers’ KPIs. These include bots, click farms and other technologies which strive to eat up your advertising budget without bringing in real users. In addition to hardcore fraudsters, such tricks are also used by advertising platforms, aggregators and marketing agencies in order to achieve the required targets in traffic volumes and quality.
Fraud has been present for as long as the mobile advertising market has been in existence. This has emerged as a major problem in recent years, when the industry saw swelling spends while bots and other scam techs got much smarter. Today, major advertisers are forced to continuously audit their traffic and make their requirements more and more stringent.
For instance, Uber filed a lawsuit against five advertising agencies that deliberately provided low-quality traffic. In just two years, losses amounted to USD 70 m. The company traced the fraudulent traffic back to its sources and turned off two-thirds of their annual advertising budget – around USD 100 m of savings. The number of real users coming to the app via ads remained constant.
According to CHEQ and the University of Baltimore, losses from ad fraud totaled USD 23 bn and a whopping USD 35 bn in 2019 and 2020, respectively. Online ad fraud turned out to be a more lucrative business than credit card fraud, even though the annual spend in the credit card segment is USD 3.32 tn and in online ads only USD 333 bn.
Fake ads plague everybody in the industry: marketing agencies, advertisers, and advertising networks. Fraud of all kinds affects anyone who deals with in-app advertising. If you think you have never met fraud, more than likely you are unaware of it yet.
There are five types of mobile fraud:
What is click flooding?
A type of mobile fraud where the source continues to send clicks on the expectation that one of these clicks turns out to be the last one, which is counted by the system as a mobile app install initiator. This results in a wrong install attribution as the source appropriates installs from other platforms. If an app has steady organic traffic, such fraud proves to be immensely efficient.
Why is click flooding dangerous?
Fraudsters capture the most valuable users from organic traffic rather than those driven by ads. These tend to be higher-quality clients with a good LTV. However, click spammers take credit for bringing in such valuable users. Being rewarded for what they do not deserve, they also supply misleading marketing data.
How to track click flooding?
Some signals pointing to this type of fraud are:
To identify a crooked partner and prevent click flooding, one needs to use a mobile tracker and segment app installs by CTIT (click to install time), conversion, and attribution. In this case, CTIT turns out to be surprisingly long (more than 60 minutes as a rule) and the conversion rate is very low, as the source generates a lot of clicks. One can also analyze user actions pre and post install. If you detect several identical clicks being made quite frequently, you are probably looking at a click spamming fraud where one of these clicks hits the target.
What is install hijacking?
A type of mobile fraud using scumware on a user device. This fraud involves intercepting a user’s last click when an app is being downloaded.
Click injection is an advanced version of click flooding. Fraudsters use scumware implanted in the system and see the device starting to download a new app. Right after the start, they imitate an ad click and take credit for an organic install in order to get paid for it.
The principal difference between click injection and click spamming is that the former continuously generates user clicks and the latter hits the target and directly generates a click only when download starts. In the case of click spamming, CTIT will be abnormally long, while click injection will make it unusually short.
Why is install hijacking dangerous?
Such scams not only bleed advertisers but also directly affect the conversion rate. They mislead you about the actual performance of various advertising channels. Marketeers and campaigns they are in charge of end up going round in circles. They invest more and more in fraud-tampered ads that bring in almost no extra installs in the end.
How to track install hijacking?
This fraud can be detected using the same metrics as in click spamming. If your fraud detection tool returns unusually high quality metrics while the CR is very low, this might mean that you should take a closer look at such an advertising channel. Click to install time (CTIT) is also important. Injection scumware needs to respond rather quickly to take credit for a user. That is why the fraud detection tool will display installs with extremely short CTIT values, which is not typical of human behavior.
What are bots and click farms?
Well-known bots and click farms can perfectly imitate installs, clicks, and other (even in-app) user activities, but they bring in no real revenue. Today’s bots are even capable of making purchases for a small amount (smaller than the reward for an install) or reaching level 5 in a game (if you use this as the attribution threshold).
Why are bots and click farms dangerous?
Advertisers might think they are buying real customers. They can even see some in-app activity! However, they are merely burning cash.
How to track bots and click farms?
This fraud can also be detected using a fraud detection tool. Though successfully imitating certain user actions, bots and click farms are unable to simulate human behavior as a whole. In a matter of a few weeks, it becomes evident that the traffic quality fails to meet expectations. These would-be users have a lower retention rate and an excessively high CR but lack real purchases. In addition, their actions and retention activities often show repeating patterns that help detect them.
Analyzing user geodata also helps prevent click farm fraud. If most of the locations differ from the target country/are outside the target country, you need to take a closer look at your partner. It’s the same when analyzing installs by device name and type, click farms and bots typically report the lowest-end devices or brands which never existed.
What is restricted traffic?
Advertisers often put restrictions on traffic types to be used. Examples include branded content or incent traffic. But platforms can pursue promotions in breach of the advertising order, hoping that the advertiser will never find out.
Why is restricted traffic dangerous?
Brand risks (traffic comes from illegal or semi-legal channels), wasteful spending of the advertising budget.
Some crooked partners may employ misleads (misleading advertising) or adult advertising (using 18+ content). Though of little help in bringing in a high-quality audience, these two tricks might result in bad feedback and negative brand perception as a whole.
How to track restricted traffic?
This fraud can not be easily detected: since advertising platforms may run restricted campaigns under the radar, it may not be possible to detect those right away unless you come across a misleading creative or a context ad of your product on your own. Furthermore, you may find recent user complaints on the AppStore regarding misleading information.
A code (eavesdropper) is planted in the app or the server to simulate installs and other activities.
What is SDK spoofing?
SDK spoofing is a type of fraud using bots embedded in the server or the app code to simulate installs, clicks and other signals, thus generating fake traffic or creating a semblance of activity inside the app. This type of fraud also includes emulation of SDK functions straight from the server side.
Why is SDK spoofing dangerous?
Once embedded in the app code, the malware can emulate tens of thousands of fake installs to claim reward for them, with the advertising budget quickly spent on non-existent users.
What makes this type of fraud particularly harmful is that the malicious code can find its way from the server not only into one app but into thousands and hundreds of thousands of devices simultaneously. The number of generated actions will depend solely on the fraudster’s will and boldness.
How to track SDK spoofing?
There is currently no way to fully protect yourself from this type of fraud, but it is worth the effort to check out the latest news and updates on the detection of similar networks
This type of fraud is most frequently encountered in apps with poor security infrastructure. Encrypted SDK with a closed source provides protection from decompilation and code manipulations.
MyTracker is an easy-to-use fraud detection tool that helps save a lot on advertising. All you need is to gather data using the tracker with a particular focus on the following key metrics:
Low-quality fraud that can be identified through hardware metrics currently accounts for 46% of all fake traffic, with the share of smart fraud growing from year to year. Smart fraud can only be detected through behavioral metrics, which help tell app bots from real users. Click metrics can also be helpful, as they identify fake attributions, click injections, and low-quality traffic from ad partners.
Read more about ad fraud trends in our recent study.
There is no such thing as 100% anti-fraud protection. But you can substantially reduce your risks by following these rules:
Application of these methods and tracking of metrics through MyTracker have helped many companies save hundreds of thousands of dollars a year, while also expanding their advertising coverage and significantly increasing new user LTV.