Fraud in Mobile app industry


  • The top 10 highest volume networks generate 84% of all fraudulent clicks.
  • 27% of these top 10 networks’ installs are fraudulent.
  • Some identified networks had over 50% of their clicks flagged as fraudulent.
  • 78% of fraud includes a legitimate install being hijacked by bad traffic.

Fraud is generated by bots, malware, or other techniques that come from various sources. Most fraud generates clicks that hijack legitimate installs so the fraudulent entity wins the attribution reward.



Networks/sub-publishers (sites) with high click volume may be taking legitimate and organic installs and falsely winning attribution.

  • Self-clicking ads: An app sends click activity data in the background.
  • Impressions: Impressions sent as clicks.
  • An entity automatically sends users to a sub-publisher to which they didn’t intend to go.
  • Click flooding (most common): In channels using fingerprint attribution, a network may credit a user’s click with another’s install based on spurious clicks. This often takes organic installs or those from legitimate sources.

When you compare your networks by clicks, installs, and click-to-install (CTI) rates, you can see whether the number of clicks outweigh your installs. If they do, start to question whether it’s fraudulent.


Analyze your campaign data using a fraud reporting system that flags high CTI by network, sub-publishers, and potentially by IP address to blacklist problematic sites. Tighten, or in some cases eliminate, fingerprintbased attribution on your clicks.


These are devices showing an excessive number of clicks per install.

  • A sub-publisher may be selling trac at a low cost per mille (CPM) for impressions, so if a user ever installs, that sub-publisher gets the attribution. Because marketers typically pay networks on a cost per install (CPI) basis, a hijacked device is fraud focused at the network.
  • Click flooding: A device may have been hijacked with malware unbeknownst to the user or automated bots are sending clicks from a remote service.
  •  Naive click injection: A user of a device has downloaded an app that is sending clicks in the background.

Reports showing an unreasonable amount of clicks at the device level


Use a fraud prevention tool that detects an unreasonably high number of clicks at the device level and has the ability to blacklist a device ID. Establish a baseline number of device clicks for your app and campaign. Then, use a verification tool that allows you to cap click volumes.


The time between the click and the install, also called the time to install (TTI), is another important indicator in identifying fraud. Although a small number of outliers are inevitable in a normal population, a majority of users will fit into the standard TTI decay curve.

Unwanted, incentivized traffic, click flooding, or click injections may be the cause.

Devices with high rates of extremely short TTI will emerge on sub-publisher sites.


Use a fraud prevention tool that flags sub-publishers with abnormally high TTI rates. Also, there may be incentivized traffic when the install rate is similar to that of previous organic (unattributed) traffic.
Ensure that your lookback windows correlate with your mean TTI so that you’re capturing the majority of your installs but not leaving the window open too long for low quality ones. In addition, make sure that your fingerprinting logic is in check.


Multiple ads are stacked behind a legitimate one. When the user clicks on the top ad, the hidden ads register the same click even though they weren’t viewed by that user.

  • Click stuffing: Stacked ads register the same click when a user clicks on the visible ad.
  • Impression stuffing: An impression sent to a click endpoint is registered as a click and happens at scale.
  • Viewability fraud: Impressions stacked within an ad container may be reported as “viewed.”

All those clicks are sent at the same time, which means they arrive with the same timestamp. Identify ad stacking by monitoring for clicks coming from the same device with identical timestamps


Use a good fraud prevention tool that flags sites with devices containing ads with the same timestamp plus the ability to blacklist oending sub-publishers.


Geographic outliers consider the distance between a click and an install. For example, a group of clicks in the U.S. with installs occurring in Indonesia are considered abnormal.

Click or install spoofing happens when bots generate fraudulent clicks or installs.

Not all devices with a geographic difference between the click and the install are fraudulent, but groups of them should be reviewed.


Recognize abnormalities by paying attention to discrepancies in the click and install locations of your users. Use a fraud prevention tool that flags geographic outliers.


Compliance Fraud describes all fraud schemes that use loopholes in the Insertion Order (IO) contract between advertiser and supply side partner. This includes (but is not limited to):

  • False targeting (especially geo-based targeting)
  • Mixing in undesired traffic sources (incentivized, adult, redirect/pop, etc.)
  • Intentful over delivery
  • Unauthorized rebrokering of offers

Usually, this type of fraud is mixed into a campaign’s legitimate delivery, so as not to raise an advertiser’s suspicions


The act of willful mistargeting by the supply-side partner or their vicarious agent, in order to be awarded with a higher commission tied to the campaigns targeting rules. Includes (but is not limited to) country, demographic and audience targeting.



Traffic driven to an advertiser’s campaign, in which the advertiser is explicitly named as undesired for the fulfilling of the IO. Typical traffic source exclusions are incentivized traffic1, adult traffic2, or otherwise un-approved creatives.




Wilful over delivery on the campaign limits on the part of the supply side, usually aimed at being paid while being over budget. In most cases this starts slowly but becomes bolder over time when advertisers show that they are willing to pay for over delivery especially if the advertiser pays full price.



This is one of the greatest risks in the performance advertising space. Rebrokering between blind networks is problematic, as it removes control on who is delivering on a campaign and how it is done. Usually, the IO breaches mentioned above are a lot more pronounced on rebrokered campaigns, because the feeling of responsibility is diluted (as there is no direct partnership at risk).



Technical fraud schemes are defined by their efforts to try and manipulate an attribution and analytics platform AAPs into incorrect attribution. Technical fraud schemes can be separated into two sub-categories.

1. Install/conversion fraud – where conversion points that were never actually reached, like Fake Installs or fake revenue events, are pushed into the system to trigger an attribution for monetary gain.

2. Attribution fraud – where fraudsters try to manipulate attribution of legitimate conversion events to sources that have no hand in converting the customer to take the desired action, by forcing, faking or automatic customer engagements (impressions, views and clicks) without actual interaction by the customer.

Such schemes include Click Spam, Click Injection and Fake Installs. Let’s look at these in more detail.


Also known as “Click Flooding”, “Click Fraud” or “Fake Clicks”, this term describes any fraud scheme that executes clicks on behalf of the device’s user without the user’s knowledge, consent or intent.

There are two types – high-frequency and low-frequency click spam.


Fraudsters with little reach (meaning a small active user base for an app or mobile web content) improve their chances to cash-in on random installs by spamming their users at high frequency, hoping to take the last click inside the attribution window.

The very low conversion rate originates from up to hundreds of clicks a day for the same advertisement (tracker) on the same device (fingerprint/device ID).



Fraudsters here have a large active user base for their app or mobile web content, and receive many unique visitors. Because of this, they can execute forced clicks less often, but still successfully create revenue on the random chance that users will convert for the apps the fraudsters are “running campaigns” on.

Conversion rates for this kind of exploit are exceptionally low because a high amount of devices (fingerprint/device ID) are tagged per advertisement (tracker).



Click injections are a more sophisticated approach to stealing attribution from organics (or paid channels, for that matter). They work by generating a click that did not originate from a user interacting with advertising with the intent of learning more about the advertised product. The defining feature of this approach is that a single click is enough to get the job done, as it will be injected after the user has already made the decision to download and try a new app.


The Android broadcast ACTION_PACKAGE_ADDED is used to receive a notification about a new app being installed on a device the fraudsters have their app installed on. From the broadcast, the perpetrator can determine which app has been installed, and look up if they have a matching offer link (click or impression).

Then, they fire it either directly from the respective device or server-to-server. The click will be processed and used for attribution. As a result, the perpetrators can steal organic install attributions as well as attributions to paid sources.


In this case, the perpetrators subscribe to a Google Play content provider (SQLite DB, part of the Android OS) in order to get notified about any app downloads being started, gaining access to all the data needed to inject a click for the right target app


This fraud scheme deals with any type of install where the sole purpose of that install is to trigger a commission (commonly CPI/CPA) for the fraudster. There is never a real user or a real device (as in belonging to a real user and used for a multitude of tasks) involved in these – actually, the devices are virtual or emulated.

This fraud scheme originated from similar practices on desktop web/affiliate marketing, where conversion points were faked to score commissions. Back then – and even now – fake leads have been playing a big part in the fraud composition and even fake sales have been created.

In the mobile app environment fake installs make up the majority of fake conversion fraud that is currently stealing budgets, but there have also been cases of fake in-app purchases (IAP) that lead to (cost per action) (CPA) payouts


Fraudsters use commonly available device emulation software in virtualized environments (on server hardware) to fake installs in an effort to claim advertising revenue to great effect, programming scripts that make the emulator create a new random device with a fresh Device ID.

On that device, they can then create a user, and have that user engage with advertisements. The emulated device will download the target app from an app store (or from local storage to cut down on traffic cost), thereby triggering an install. Finally, the emulated device will open the installed app to trigger an install event, which is then transmitted to the attribution provider

Sophisticated fraudsters might even go as far as storing the session for later use to create third or seventhday retention by opening another session at the desired time.

Usually, the perpetrators will route all traffic from the data center through different anonymizing services such as VPNs, public or private proxies or the TOR network or any variation thereof.


This scheme is similar to the above ‘Fake installs from Emulation’. In this variation, the fraudsters actually have physical devices present at their place of business. Instead of scripts providing the action input for emulated devices in a device farm, the action might be human interaction (with fraudulent intent) or partial scripting of the devices through a controlling computer.

The devices then get regularly reset to different possible extents, e.g. full factory reset, Advertising ID reset or reapplied custom ROM, in order to trick AAPs to register multiple installs on the same device as new installs.

Again, the traffic from these device/install farms will be routed through different anonymizing services such as VPNs, public or private proxies or the TOR network or any variation thereof.


SDK spoofing (or replay attacks) is a form of mobile performance fraud that consumes an advertiser’s budget by generating legitimate-looking installs without any real installs occurring.

This type of fraud evolved very quickly and dramatically during the course of 2017. This is because SDK spoofing has become harder to spot than fake installs generated in emulation or install farms, as the devices used in this scheme are real – and so are normally active and spread out.

This type works by fraudsters using a real device without the device’s user actually installing an app. The perpetrators’ main approach was to break open the SSL encryption between the communication of a tracking SDK and its backend servers, typically done by performing a ‘man-in-the-middle attack’ (MITM attack). Now, the most popular approach is to use a proxy software (e.g. Charles Proxy)

After completing the MITM attack, fraudsters would then generate a series of test installs for an app they want to defraud. Since they can read the URLs in clear text format for all the server-side connections, they can learn which URL calls represent specific actions within the app, such as first open, repeated opens, and even different in-app events like purchases, levels up or anything else being tracked. They also research which parts of these URLs are static and which are dynamic, keeping the static parts (things like shared secrets, event tokens, etc) and experimenting with the dynamic parts, which include things like advertising identifiers or other data specific to the device and the particular circumstances.

Now, thanks to callbacks and near real-time communication detailing the success of installs and events, the perpetrators can test their setup by simply creating a click and a matching install session. If the install doesn’t go through, then there is a mistake in their URL logic. If it is successfully tracked, they’ve cracked the logic

Once an install is successfully tracked, the fraudsters will have figured out a URL setup that allows them to create installs from thin air. Methods continue to change – we see fraudulent device data matching data from real-device traffic, consistent over a multitude of device-based parameters (and, later, all device-based) parameters.

Now, not everything is fake. Fraudsters started to collect real device data. They did this by using their own apps or by leveraging any app they have control over. The intent of their data collection is, of course, malicious, but that does not mean that the app being exploited for data is purely malicious or could even be found out as malicious. The perpetrator’s app might have a very real purpose, or it might be someone else’s legitimate app.

The perpetrators simply have access to it because their SDK is integrated within it. Regardless of the specific circumstances, the fraudsters have access to an app that is being used by a large number of users.

Having a source (or even multiple sources) that generates real device data makes the fraudsters’ task simpler. They no longer need to randomize or curate large amounts of data, because they have access to the real thing.

This evolution went hand in hand with a second impactful step in how much more sophisticated SDK spoofing became. The URLs no longer called from data centers, or tunneled through VPNs. Instead, they were proxied directly through the app the perpetrator had access to on an unsuspecting user’s device.

This means a fraudster’s server runs a script that automatically creates a URL that will trigger us (or any attribution company) to track an install or event. Instead of sending this URL directly to our servers (or through an anonymizing network as they used to) the fraudsters now send it to the app (the one the perpetrators have access to) on a user’s device. This app then executes the URL on the user’s device.


Before taking preventive measures, it is important to understand the types of fraud in Performance Marketing


Squatting means creating several domain names that are close in their names of popular websites with a difference just in one letter, that is either missed or misspelt. Names usually correspond to the most typical typos that users do. When visitors go to a site through an accidental typo, they are greeted with a page that looks like a genuine site and offers products to purchase there, diverting sales from the original merchant.


The fraud that we all regularly receive in our email boxes, intended to fake a legitimate brand, deceit users and cheat them out of money. Spam email may be the number one scourge of the internet age. While most people detect and delete these rubbish straight away, there are still enough of those who fall for that and perform some СТА acts, thus allowing this type of fraud continuation.


Inflating the number of clicks through unethical ways like ‘Bot clicks’ or merely a large group of low-paid workforce constantly clicking on ads. Clicks faking is probably the most well known, and the least creative affiliate scam, bred on the CPC pricing model. Repeated clicking on a link drains funds from merchants without turning it into a profit. Mostly this kind of fraud is produced by either greedy affiliates looking to inflate their income or by competitors looking to harm a merchant directly in the pocket.


Here fraudsters divert traffic from an affiliate’s site, bypassing the intended merchant. In practical terms, it is often achieved by creating fake affiliate links on sites that further mislead customers. When buyers are redirected to a faux site, they can still make a purchase, but affiliates won’t receive their commission.


Also known as affiliate parasitism. The idea behind this fraud scheme is adding multiple false cookies that hinder affiliates from earning commissions for the sales they provoked. Instead, the fraudsters make sure to place their cookies last, in this way getting paid based on the “last cookie counts” principle.


One more common ad fraud method that does not display ads. By ad stacking, we mean placing more than one ad in the same ad spot. As a result of ad stacking, only the top ad is visible for users, while advertisers are not aware of this and continue paying for all ads.


Pixel stuffing is a practice of stuffing ads into a single pixel. Real users trigger impressions, the amount of which can also be seen in statistics. However, these users never actually see any ads because a single pixel is impossible to spot.


Domain spoofing is the practice of selling ads either on low-profile websites, by falsely presenting them as premium, or on false copies of what looks like a genuine affiliate site’s content. Advertisers think their ads are displayed on trustworthy, profitable websites, but instead, they end up on irrelevant ones. Domain spoofing hurts both advertisers and publishers. Advertisers risk having their offers placed next to unwanted content; publishers lose their earning to scammers’ pockets


It is very important to know your publisher, DSP & Ad Exchange while adding new clients to your arsenal.


It’s always easier to prevent any possible loses rather than to clean up afterwards. Thus be careful with adding new publisher, DSP & Ad Exchange. It might be time-consuming to check each individual, but it’s worth to be prioritized. As at this point you can avoid any loss in future. Check their websites, brand alignment with your programme, relevant content profiles in social media and different portals. If you observe some discrepancy, it’s an early clue.


Data can tell you a lot. Monitor the performance of ad campaigns for unusual changes, it can’t skyrocket out of nowhere. The following tips can help you to avoid fraud.


Valid URLs indicates the credibility of affiliate sites. In the same way, referring URLs can give out the suspicious sites and direct publisher managers to check the websites’ validity




Multiple transactions received from the same IP address should arouse suspicions and immediate verification measures.




A critical moment, and also the one which you have less control of, as networks might instantly add hundreds of publishers without carefully checking their validity.



Devote more time revising metrics that require human involvement, such as inquiries, conversions or purchases. If you observe sudden traffic surges and quick increases in affiliate-referred transactions. If there is some, then fraud is likely to have occurred, and you need to interfere



Revisiting and updating the program terms and conditions with publishers, DSP’s & Ad Exchanges. In order to keep it always up-to-date and avoid being trapped in a loophole.

Don’t hesitate to act upon fraud in any form

Upon detecting fraud don’t hesitate to send violation warnings to publishers or terminating publishers from the program. These are the must-follow recommendations. However, even they cannot guarantee absolute protection from fraud. Occasionally you can recognize and block suspicious publishers, but when it comes to fraud, it’s difficult to always be on the lookout.

The chance that you would miss something is relatively high. By doing the actions described above, you only minimize the risks from fraud, but do not completely eliminate it.


To ensure full protection, you had better choose professional help – fraud protection tool. Fraud-combating tools are developed to ease the process of analyzing your reports and activity logs enough time in advance to prevent any possible fraud. It will provide you with a real-time report on sudden traffic surges, rapid growth in specific affiliate referred sales or leads and any suspicious activities.

Protection tools & analytical platforms have multiple feature to secure the mobile campaign fraud. Some of them are listed below:

  • Traffic Verifier to cap click and impression volume before running a campaign
  • Fraud Console to receive real-time reports of data outliers
  • Global Fraud Blacklist to automatically eliminate known fraudsters from your campaigns
  • Configurable Attribution to define lookback windows and segment desired traffic
  • Multiple other features to exclude fraud traffic & their sources.