How to Spot the Most Prevalent Types of Mobile Install Fraud

May 16, 2018 | Fraud article by Lomit Patel

In our modern mobile user acquisition world, nothing is certain but death, taxes, and install fraud. As soon as advertisers caught up with incentivized install fraud and bot farm schemes years ago, fraudsters quickly devised new mechanisms to continue to swindle advertisers out of their budgets. In fact, according to TUNE’s Global App Install Fraud report, nearly 8% of app installs are fraudulent, costing marketers up to $2 billion in 2017.

In the past six months, IMVU decided to work with mobile ad networks and affiliate channels only on a CPA (cost per action) basis, where we would pay them only for acquiring new payers (pushing the payout further downstream from installs to payers to reduce our risk). This looked like a good deal for us on the surface, but we soon started seeing the payer trend from our organic installs decline at the same time as these CPA partners were scaling up on our campaigns.

To figure out if this was fraud, we recently ran a simple test and paused acquisition campaigns with all the CPA ad networks and affiliate channels that were not providing adequate transparency and were delivering varying degrees of anomalous traffic. In general, our observations were massive click volumes and strong ROI performance across all publishers. Interestingly, when campaigns were paused beyond the attribution window, we noticed almost no significant fluctuation in absolute volume, implying that we may have been a victim of organic attribution fraud. This realization led us to take immediate action to deploy safeguards and develop methodologies to prevent future occurrences.

While there is a range of mobile app install fraud detection and prevention solutions in the market today, at IMVU we are building an in-house system to flag questionable traffic. Here are some of the most prevalent types of fraud that we have encountered and are guarding against.

Automatic redirects: the most obvious and least sophisticated fraud technique these days is the automatic redirect. As soon as an ad is loaded or a script in the unit runs, the user is redirected to the app landing page without an actual click. If the user then follows through and installs the app within the allowed attribution window, the install is credited to the fraudulent ad. This type of fraud can be detected by improbably low (<0.1%) click-to-install rates, a result of the undesired destination, and by a long, consistent tail of installs all the way up to the end of the attribution window.

Click stuffing: a fraud method that functions similarly to auto-redirects, but works by silently triggering fake clicks in the background of a device, usually via a currently installed app. The fake clicks serve to claim attribution for a fraudulent source even though the user would have discovered the app by other means, whether paid or organic. Because the install and user are real, they appear as quality users and often slip under marketers’ optimization radar due to strong performance. The giveaway signs of click stuffing are repeated clicks from the same IP address over a period of time, improbably low install conversion rates, and “too good to be true” user performance that rivals organic payer conversion and LTVs.

Click fingerprint spamming: in this technique, a high volume of clicks is sent to tracking links, typically via scripts, in order to match the “fingerprint” of a device that is driving a legitimate install. Fingerprint spamming exploits the probabilistic nature of the fingerprint matching methodology that most mobile ad tracking providers use when the advertising ID is not present, in cases such as tracking mobile web traffic. It functions similarly to click stuffing in that it claims attribution for users that would have been organic. To detect this type of fraud, we monitor for massive volumes of clicks with improbably low click-to-install conversions, long conversion timeframes, and organic-level user quality.

Click injection: occurs when users willingly install malicious apps, which are usually disguised as utility apps or simple gaming apps. These apps operate in the background of the device and trigger fraudulent clicks after they detect a new app being downloaded, in order to intercept and claim credit for the install before the app is opened for the first time. Because click injection delivers fraudulent clicks with precise timing, this type of fraud bypasses low install conversion rate checks. Instead, we monitor for this type of fraud by again checking for irregularities in click-to-install times, but this time for consistent installs below the typical timeframe. In addition, users intercepted by click injection typically display performance that is too consistently strong compared to standard display ads.
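The detection signals described for the four fraud types above, combined into one per-publisher check. This is an added example, not IMVU's in-house system: the <0.1% rate is from the article, while the attribution window, the other thresholds, the record layout and the publisher names are assumptions, and the traffic is constructed.

```python
from collections import Counter

# MIN_CVR is the article's <0.1% figure; every other threshold is an assumption.
MIN_CVR = 0.001            # click-to-install rate below this is improbable
WINDOW_S = 7 * 86400       # assumed 7-day attribution window
SHORT_CTIT_S = 10          # assumed: install this soon after the click is suspect
SHORT_SHARE = 0.5          # assumed share of installs under SHORT_CTIT_S
LATE_SHARE = 0.25          # assumed share of installs in the window's second half
MAX_CLICKS_PER_IP = 20     # assumed per-IP click ceiling for the period

def score_publisher(clicks, installs):
    """clicks: [(ip, click_ts)]; installs: [(click_ts, install_ts)], in seconds."""
    flags = []
    if not clicks:
        return flags
    # Auto-redirects, click stuffing, fingerprint spamming: many clicks, few installs.
    if len(installs) / len(clicks) < MIN_CVR:
        flags.append("low_click_to_install_rate")
    ctit = [install_ts - click_ts for click_ts, install_ts in installs]
    if ctit:
        # Click injection: installs land consistently right after the click.
        if sum(t < SHORT_CTIT_S for t in ctit) / len(ctit) >= SHORT_SHARE:
            flags.append("ctit_too_short")
        # Spam-style fraud: installs trail evenly to the end of the window.
        if sum(t > WINDOW_S / 2 for t in ctit) / len(ctit) >= LATE_SHARE:
            flags.append("ctit_long_tail")
    # Click stuffing: the same IP clicking again and again.
    if max(Counter(ip for ip, _ in clicks).values()) > MAX_CLICKS_PER_IP:
        flags.append("repeated_clicks_same_ip")
    return flags

def constructed_traffic():
    """Three made-up publishers (documentation IP ranges), not real traffic."""
    return {
        "pub_spam": (
            [(f"198.51.100.{n % 250}", n) for n in range(50_000)],
            [(0, k * WINDOW_S // 20) for k in range(1, 21)]),
        "pub_inject": (
            [(f"192.0.2.{n % 200}", n) for n in range(400)],
            [(n, n + 2 + n % 5) for n in range(100)]),
        "pub_clean": (
            [(f"203.0.113.{n % 250}", n) for n in range(2_000)],
            [(n, n + 60 + 90 * n) for n in range(40)]),
    }

def flag_all():
    return {pub: score_publisher(c, i) for pub, (c, i) in constructed_traffic().items()}

if __name__ == "__main__":
    for pub, flags in flag_all().items():
        print(pub, flags or ["no_flags"])
```

Flags like these only rank publishers for review; as the article notes, the stuffed and injected users themselves look like high-quality organic users, so user-quality metrics alone will not separate them.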

While this is by no means an exhaustive list of app install fraud, only the most common forms that we encountered recently at IMVU, there are ways to reduce your susceptibility. One approach used by many high-volume advertisers is to work with a third-party fraud detection tool (like AppsFlyer Protect360) to monitor and filter traffic for anomalies. This can be effective due to the sophistication of detection algorithms as well as their multi-advertiser view of fraudulent traffic. However, the simplest way to minimize fraud is to avoid ambiguous, non-transparent channels and buy media directly from reputable sources.


Lomit Patel heads up the Growth team at IMVU which is responsible for driving user acquisition, retention and monetization across all platforms (iOS, Android, and Web). Lomit is a seasoned growth marketing executive with expertise in building and scaling up customer acquisition, retention and monetization channels at early and mid-stage consumer tech startups.
