How to Avoid Fraud in Mobile App Marketing – Click Injection and Click Stuffing

After we released the previous article in April 2016, which reviewed three types of fraud, two additional types of fraud popped up, literally, and became more and more common – Click Injection Fraud and Click Spamming Fraud. Both are actually attribution fraud, meaning they steal the attribution of real users.

The biggest problem with these fraud types is that it is extremely cheap to generate them, while it costs lots of money to fight them. We, at Performance Revenues, are spending thousands of dollars per month to do so.

The issue is that app developers, networks and media buyers are not familiar with these types of fraud, and by not knowing about them, are accepting them unintentionally. App developers are paying money they shouldn’t be paying, networks are not being trusted and are not getting additional budgets, and third-party tracking platforms are spending more and more money and effort to discover this fraud in advance.

Therefore, in my opinion, the only way for us to beat this fraud, is by sharing information.

The two fraud types below, unlike the ones I mentioned in my previous article, are more relevant for “big” app developers, who get lots of users (either organically and/or through User Acquisition). However, small and medium developers should also be aware of them.

Let’s start:

Click Stuffing Fraud

The main idea behind this type of fraud is to generate as many unique clicks as possible. By doing that, the fraudster “marks” (or “tags”) the users as if they were his own (meaning, as if he had brought them to the app developer). Most likely, these are users who downloaded the app for reasons unrelated to the fraudster’s activity; because the fraudster fired a forced click, the install was attributed to him.

How to identify it?

As Adjust wrote in their great article, the best way to find such fraud is to measure the TTI (time to install). If there was indeed click spamming involved, you should see a random distribution of the TTI. This makes sense: the click is random, and doesn’t “know” when the user is about to download the app.

One way for fraudsters to evade this check is to send the click each day. The app developer will then see that most of the installs occurred on the first day, and may think that the traffic source is legit.

So, what shall you do?

1. Check the distribution of the TTI:

a. If you see random distribution, pause the source immediately

b. If you see that most of the installs came on day 1, and as days go by you get fewer and fewer installs, check how many of the installs came after just one click:

i. If most installs came after one click, the source is probably legit

ii. If you see that most of the installs came after more than one click, pause the source immediately

2. Set your attribution platform fingerprinting window to 24 hours

Click Injection Fraud

Click injection fraud, unlike click stuffing, is less known and much more sophisticated. However, it is possible to find it once you are aware of it.

I want to emphasise: in this type of fraud, the fraudsters are, in many cases, huge companies whose apps are in the top charts on Google Play, and not just a one-man fraud. From what I know, allegedly, Google may have already been notified about this issue, and is trying to fight it. However, they are keeping these apps in their stores (and even in the high-ranking spots), so I’m not completely sure what is going on there.

The fraud company distributes an app (most likely a utility app, which runs in the background of the device). The malware app recognises when the user starts downloading a target app. Once the user has finished installing the target app, the utility / malware app in the background fires a forced click on the tracking link, and when the user opens the target app, the install is attributed to the fraudster.

How to identify it?

Because the forced click is made right before the “open” event, to find this fraud you should look for a very short TTI (usually less than 30 seconds between the click and opening the app). Why 30 seconds? Because it makes no sense that a user saw an ad, clicked it, downloaded the app and opened it within 30 seconds*. Technically, this is almost impossible.

So, what should you do?

1. This type of fraud is relevant only for Android devices; there is no need to check iOS traffic.

2. If you buy traffic with transparency, and see that a utility app brought you amazing traffic for a completely different app type (for example: a battery booster brought amazing traffic to Talking Tom), be suspicious and check it.

3. If you buy traffic with no transparency, the only way to find out about it is to check all of the sources.

4. How to check: pull a TTI report for these sources. If you see that the avg. TTI is around 30 seconds or less, it means that you are a victim of malware fraud, and you need to pause the source immediately.

*Having said that, in some cases, when server-to-server is used, the TTI will be reduced because the server’s response can be slow. The numbers that we got show that in 30% of cases, short TTI is due to the server-to-server delay, and not fraud.
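The checks from both sections (TTI distribution and clicks per install for click stuffing, short TTI for click injection) can be run over an install report as in the following added example, which is not code from the original article. The report layout, the function names, the 50% cut-offs and the use of the median in place of the average TTI are assumptions made for illustration; only the 30-second threshold comes from the text above.

```python
from statistics import median

INJECTION_TTI_S = 30    # from the article: click-to-open under ~30 seconds
DAY_S = 24 * 60 * 60
DAY1_SHARE_MIN = 0.5    # assumed cut-off for "most installs came on day 1"
MULTI_CLICK_MAX = 0.5   # assumed cut-off for "most installs came after one click"


def classify_source(installs):
    """installs: list of (tti_seconds, clicks_before_install), one per install."""
    if not installs:
        return "no_data"
    ttis = [tti for tti, _ in installs]
    # Click injection: the forced click fires just before the first open.
    # Median is used instead of the average so one slow install cannot hide it.
    if median(ttis) <= INJECTION_TTI_S:
        return "click_injection"  # rule out server-to-server delay before acting
    # Click stuffing: random clicks give a flat TTI curve, not a day-1 peak.
    day1_share = sum(tti < DAY_S for tti in ttis) / len(ttis)
    if day1_share < DAY1_SHARE_MIN:
        return "click_stuffing"
    # Day-1 peak produced by re-sending the click daily: many clicks per install.
    multi_share = sum(clicks > 1 for _, clicks in installs) / len(installs)
    if multi_share > MULTI_CLICK_MAX:
        return "repeated_clicks"
    return "looks_legit"


# Constructed sample data (not real traffic): source name -> installs.
SAMPLES = {
    "legit": [(600, 1), (1800, 1), (3600, 1), (7200, 1),
              (20000, 1), (40000, 2), (90000, 1), (200000, 1)],
    "flat_tti": [(day * DAY_S + 43200, 1) for day in range(7)],
    "daily_reclick": [(3000, 5), (20000, 3), (50000, 7), (70000, 1), (80000, 4)],
    "injected": [(4, 1), (9, 1), (12, 1), (18, 1), (25, 1), (3000, 1)],
}


def report(samples=SAMPLES):
    return {source: classify_source(rows) for source, rows in samples.items()}


if __name__ == "__main__":
    for source, verdict in report().items():
        print(f"{source:14} {verdict}")
```

A "click_injection" verdict is a prompt to check whether the source reports clicks server to server before pausing it, since that delay also shortens the TTI.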

We, at Performance Revenues, are doing everything in our power to fight fraud. We offer our clients a full umbrella of fraud prevention, using a third-party tool to find bot fraud, our own KPI Hero to find incent traffic, a referral tool to find publishers who re-broker the app, and ongoing TTI analysis to find the fraud patterns listed above.
