App Marketing

Click Injection: One of three kinds of mobile UA fraud in 2017

Andreas Naumann
Fraud Specialist
Topics

We often get the question: isn't fraud prevention a bit of a cat-and-mouse game?

And, in reality, the answer is yes. Even in our regular, day-to-day fraud prevention work, this is obvious. As you turn on any of the filters in our Fraud Prevention Suite for the first time, chances are that the filters will catch some volume of suspicious attributions. But as the minutes and hours go on, the volume rapidly drops. This is a mouse caught in the open when the light goes on. The fraudster – quickly noticing that as they are no longer given credit for any installs, and as such are seeing their CPIs plummet – redirects their attentions to other campaigns and other apps. There’s more on this in a previous blog post.

But in the big picture, we’ll also see fraudsters taking steps into new directions as fraud prevention becomes more common. Now, almost a year since we launched the first fraud prevention suite for mobile user acquisition, we’re increasingly finding a new approach which is set to take the stage in 2017.

This new scheme, click injection, is a new and more sophisticated form of click-spamming. By publishing a low-effort Android app which uses something called “install broadcasts”, fraudsters can detect when other apps are downloaded on a device and trigger clicks right before the install completes. The fraudster will receive the credit for (typically organic) installs as a consequence.

We described the flow in a bit more detail in our recent infographic.

"Step-by-step: How click injection fraud works"

Essentially, the fraudster uses a junk app to hijack the user’s device at just the right time – and with just the right information – to create a legitimate-looking “ad click” and thus get CPI payouts.

What does this mean for marketers?

Fake ad engagements not only siphon off advertising budget that could have reached more people. Worse, conversions such as these result in marketers inaccurately believing certain paid campaigns resonate better with users than they actually do.

The data becomes dirty: numbers-driven conclusions that marketers reach are then based on data that contains systematic inaccuracies.

This can mean that advertisers continue to invest in advertising that is relatively ineffective, potentially diverting money from better-placed and better-designed campaigns.

What exactly are “install broadcasts”?

Every Android app broadcasts status changes to the device, including to other apps. These status broadcasts are sent when apps are downloaded, installed, or uninstalled. This feature is handy for creating a tight connection between different apps, by allowing apps to e.g. streamline login with a deep link to a recently installed password manager, or give users more direct options to transfer into a specific web browser, and so on.

Any app can “listen in” on these broadcasts.

How can it be detected?

Click injections of this kind, as with many types of mobile fraud, can appear like legitimate advertising interactions to marketing analytics systems. This makes engagements faked with click injection very difficult to identify individually.

However, when looking at ad campaigns as a whole, a pattern emerges.

These patterns are visible in the average time it takes between a user clicking on an ad and installing the app. In mobile analytics, we usually say “install” to refer to the first open. Measurement SDKs can’t measure installs any sooner than this because the SDK code can’t run until the app is opened for the first time.

So there’s usually a certain lag between a click and an install, measured as the click-to-install time. This lag is a bit different for every user and for every app. A startup intern on a deadline to send across a contract will quickly download a lightweight scanning app and open it as soon as she can, whereas the subway rider might be off the train before Angry Birds has finished downloading over the shaky 3G connection.

Regular click-to-install times are normally distributed. There’s an app average determined by the size and type of the app, and a certain deviation around that mean. It could look like this:

"A typical campaign click-to-install time distribution"

If you’ve read some of our previous work over the last year, you may also be familiar with how click-spamming can be identified because of how the click-to-install time distribution flattens out.

This is the basis of Distribution Modelling, which keeps tabs on the click-to-install time distributions, identifies the outliers, and rejects attempts at click-spamming on-the-fly. Distribution Modelling is one leg of our Fraud Prevention Suite.

Click injection skews the distribution in the other direction – triggering “conversions” that appear to have happened with extremely short time-to-install lags. This is because the fraudster only injects the click once the app has been downloaded. The user behind the hijacked device will open the app normally, but the “click” will appear to have been made with a much shorter click-to-install time lag.

Predictably, this comes out as a huge spike at the very left end of this chart:

"A campaign affected by click injection"

We’re currently researching and testing upgrades to our distribution modelling filters that should allow us to catch this type of trickery.

Who is affected?

Click injection is a relatively new and Android-only fraud scheme that any UA fraudster could access. As fraud prevention tools become more prevalent, many fraudsters who previously relied on click spamming will change tack, which we expect to happen this year.

If you’re running a lot of CPI campaigns on multiple different ad networks, especially in higher-CPI markets like the US, you have a higher risk of exposure. Here, fraudsters typically abuse a number of different ad networks.

How is Adjust preventing click injections?

We announced our click injections filter at the end of 2017, showcasing our new method of fighting fraud. The capability is only available as part of our fraud prevention suite. If you'd like to upgrade and begin to filter click injections from your campaigns, get in contact with our sales team.

Remember, we're the only attribution solution on the market to actively filter this (and many other kinds of) fraudulent activity - and if you're concerned about its effects, you should talk to us about how we can help you.

In the meantime, our mobile fraud guide has more on click injections and the other most common types of fraud in the industry.

Want more learnings from the market leaders in mobile fraud prevention?

Sign up below to get the latest in fraud prevention, and more, from Adjust.

Thanks!

You're now signed up. Keep your eyes out for all our new posts, straight to your inbox.