Types of Mobile Ad Fraud and Mobile Fraud Metrics

Fraud means various imitations aiming to meet advertisers’ KPIs. These include bots, click farms and other technologies which strive to eat up your advertising budget without bringing in real users. In addition to hardcore fraudsters, such tricks are also used by advertising platforms, aggregators and marketing agencies in order to achieve the required targets in traffic volumes and quality.

Fraud has been present for as long as the mobile advertising market has been in existence. This has emerged as a major problem in recent years, when the industry saw swelling spends while bots and other scam techs got much smarter. Today, major advertisers are forced to continuously audit their traffic and make their requirements more and more stringent.

For instance, Uber filed a lawsuit against five advertising agencies that deliberately provided low-quality traffic. In just two years, losses amounted to USD 70 m. The company traced the fraudulent traffic back to its sources and turned off two-thirds of their annual advertising budget – around USD 100 m of savings. The number of real users coming to the app via ads remained constant.

According to CHEQ and the University of Baltimore, losses from ad fraud totaled USD 23 bn and a whopping USD 35 bn in 2019 and 2020, respectively. Online ad fraud turned out to be a more lucrative business than credit card fraud, even though the annual spend in the credit card segment is USD 3.32 tn and in online ads only USD 333 bn.

Fake ads plague everybody in the industry: marketing agencies, advertisers, and advertising networks. Fraud of all kinds affects anyone who deals with in-app advertising. If you think you have never met fraud, more than likely you are unaware of it yet.

Types of Mobile Ad Fraud

There are five types of mobile fraud:

  1. Click flooding / Click spamming
  2. Install hijacking / Click injection
  3. Emulators / Click farms / Bots
  4. Restricted traffic
  5. SDK spoofing

Click Flooding / Click Spamming

What is click flooding?

A type of mobile fraud where the source continues to send clicks on the expectation that one of these clicks turns out to be the last one, which is counted by the system as a mobile app install initiator. This results in a wrong install attribution as the source appropriates installs from other platforms. If an app has steady organic traffic, such fraud proves to be immensely efficient.

Why is click flooding dangerous?

Fraudsters capture the most valuable users from organic traffic rather than those driven by ads. These tend to be higher-quality clients with a good LTV. However, click spammers take credit for bringing in such valuable users. Being rewarded for what they do not deserve, they also supply misleading marketing data.

How to track click flooding?

Some signals pointing to this type of fraud are:

  • the rising number of installs by a specific partner does not result in a higher app audience as a whole;
  • one or more partners have unusually high quality metrics; or
  • the CR (conversion rate) rate is very low, less than 0.1%.

To identify a crooked partner and prevent click flooding, one needs to use a mobile tracker and segment app installs by CTIT (click to install time), conversion, and attribution. In this case, CTIT turns out to be surprisingly long (more than 60 minutes as a rule) and the conversion rate is very low, as the source generates a lot of clicks. One can also analyze user actions pre and post install. If you detect several identical clicks being made quite frequently, you are probably looking at a click spamming fraud where one of these clicks hits the target.

Install Hijacking / Click Injection

What is install hijacking?

A type of mobile fraud using scumware on a user device. This fraud involves intercepting a user’s last click when an app is being downloaded.

Click injection is an advanced version of click flooding. Fraudsters use scumware implanted in the system and see the device starting to download a new app. Right after the start, they imitate an ad click and take credit for an organic install in order to get paid for it.

The principal difference between click injection and click spamming is that the former continuously generates user clicks and the latter hits the target and directly generates a click only when download starts. In the case of click spamming, CTIT will be abnormally long, while click injection will make it unusually short.

install hijacking

Why is install hijacking dangerous?

Such scams not only bleed advertisers but also directly affect the conversion rate. They mislead you about the actual performance of various advertising channels. Marketeers and campaigns they are in charge of end up going round in circles. They invest more and more in fraud-tampered ads that bring in almost no extra installs in the end.

How to track install hijacking?

This fraud can be detected using the same metrics as in click spamming. If your fraud detection tool returns unusually high quality metrics while the CR is very low, this might mean that you should take a closer look at such an advertising channel. Click to install time (CTIT) is also important. Injection scumware needs to respond rather quickly to take credit for a user. That is why the fraud detection tool will display installs with extremely short CTIT values, which is not typical of human behavior.

Emulators / Click farms / Bots

What are bots and click farms?

Well-known bots and click farms can perfectly imitate installs, clicks, and other (even in-app) user activities, but they bring in no real revenue. Today’s bots are even capable of making purchases for a small amount (smaller than the reward for an install) or reaching level 5 in a game (if you use this as the attribution threshold).

emulated devices bots click farms

Why are bots and click farms dangerous?

Advertisers might think they are buying real customers. They can even see some in-app activity! However, they are merely burning cash.

How to track bots and click farms?

This fraud can also be detected using a fraud detection tool. Though successfully imitating certain user actions, bots and click farms are unable to simulate human behavior as a whole. In a matter of a few weeks, it becomes evident that the traffic quality fails to meet expectations. These would-be users have a lower retention rate and an excessively high CR but lack real purchases. In addition, their actions and retention activities often show repeating patterns that help detect them.

Analyzing user geodata also helps prevent click farm fraud. If most of the locations differ from the target country/are outside the target country, you need to take a closer look at your partner. It’s the same when analyzing installs by device name and type, click farms and bots typically report the lowest-end devices or brands which never existed.

Restricted Traffic

What is restricted traffic?

Advertisers often put restrictions on traffic types to be used. Examples include branded content or incent traffic. But platforms can pursue promotions in breach of the advertising order, hoping that the advertiser will never find out.

restricted traffic ad fraud

Why is restricted traffic dangerous?

Brand risks (traffic comes from illegal or semi-legal channels), wasteful spending of the advertising budget.

Some crooked partners may employ misleads (misleading advertising) or adult advertising (using 18+ content). Though of little help in bringing in a high-quality audience, these two tricks might result in bad feedback and negative brand perception as a whole.

How to track restricted traffic?

This fraud can not be easily detected: since advertising platforms may run restricted campaigns under the radar, it may not be possible to detect those right away unless you come across a misleading creative or a context ad of your product on your own. Furthermore, you may find recent user complaints on the AppStore regarding misleading information.

SDK Spoofing

A code (eavesdropper) is planted in the app or the server to simulate installs and other activities.

SDK spoofing

What is SDK spoofing?

SDK spoofing is a type of fraud using bots embedded in the server or the app code to simulate installs, clicks and other signals, thus generating fake traffic or creating a semblance of activity inside the app. This type of fraud also includes emulation of SDK functions straight from the server side.

Why is SDK spoofing dangerous?

Once embedded in the app code, the malware can emulate tens of thousands of fake installs to claim reward for them, with the advertising budget quickly spent on non-existent users.

What makes this type of fraud particularly harmful is that the malicious code can find its way from the server not only into one app but into thousands and hundreds of thousands of devices simultaneously. The number of generated actions will depend solely on the fraudster’s will and boldness.

How to track SDK spoofing?

There is currently no way to fully protect yourself from this type of fraud, but it is worth the effort to check out the latest news and updates on the detection of similar networks

This type of fraud is most frequently encountered in apps with poor security infrastructure. Encrypted SDK with a closed source provides protection from decompilation and code manipulations.

Mobile Fraud Prevention Using myTracker Metrics

myTracker is an easy-to-use fraud detection tool that helps save a lot on advertising. All you need is to gather data using the tracker with a particular focus on the following key metrics:

fraud detection metrics

Click Fraud Metrics 

  • Stacking clicks: number of devices referred from the advertising partner that registered two simultaneous clicks on ad banners in different apps.
  • Quick installs: number of devices with an abnormally small attribution window, i.e. an extremely short Click/View Time to Install.
  • Attribution fraud: number of devices demonstrating aberrant behavior when dealing with partner ads.
  • Deferred installs: number of devices with the same abnormally big attribution window, i.e. an extremely long Click/View Time to Install. A long attribution window per se does not always signal fraud, but this metric deserves closer attention when there is a large number of such devices.
  • Low CR: number of devices referred from advertising campaigns with an abnormally low conversion rate, where CR is the ratio of installs to ad clicks.

Hardware Fraud Metrics

  • Emulated devices: number of devices referred from ad campaigns with mismatches in certain parameters. For example, their OS version or screen size might conflict with the device model.
  • Suspicious devices: number of devices with hardware properties changing from launch to launch.
  • Root/Jailbreak: for iOS – devices with detected jailbreak, for Android – devices with detected root access.

Behavioral (in-app) Fraud Metrics

  • Aberrant behavior: number of devices demonstrating abnormal behavior indicative of bot activity in their app interactions.share of fraud detected

Low-quality fraud that can be identified through hardware metrics currently accounts for 46% of all fake traffic, with the share of smart fraud growing from year to year. Smart fraud can only be detected through behavioral metrics, which help tell app bots from real users. Click metrics can also be helpful, as they identify fake attributions, click injections, and low-quality traffic from ad partners.

How to Protect Yourself from Fraud?

There is no such thing as 100% anti-fraud protection. But you can substantially reduce your risks by following these rules:

  • Do not work with unverified partners with a fraud track record.
  • Always insist on maximum transparency and getting access to partners’ advertising accounts.
  • Use third-party anti-fraud systems and trackers that can quickly identify fraud.
  • Compare traffic quality vs benchmark (internal) purchases as a basic analytics tool.
  • Build audience overlaps for traffic sources.

Application of these methods and tracking of metrics through myTracker have helped many companies save hundreds of thousands of dollars a year, while also expanding their advertising coverage and significantly increasing new user LTV.

Start protecting your ad budgets from fraud with Fraud Scanner for free!

Contents