
How to protect your app from malicious bot fraud with Unbotify

A significant portion of internet traffic is made up of machines, with only 62 percent of all traffic attributed to humans. In addition to ‘good’ bots that are designed to help complete online tasks, bots can also be used to commit fraud. Unbotify’s research estimates that some of today’s most prominent mobile apps lose around 10% of revenue to bot fraud, though that figure will grow alongside the global App Economy.

From stealing an app developer’s revenue to tarnishing an app’s user experience, this is a widespread issue that poses a threat to all verticals - and it’s critical developers are aware of how bots can negatively impact their business. This guide is designed to help you learn how bots operate, why they can inflict damage upon your app and the preventative steps that can be taken with the help of tools like Unbotify.

What are bots?

Bots are internet robots that can be designed and implemented for functions such as autonomously completing repetitive tasks, scraping metadata, indexing and data analysis. Their ability to outperform humans in these tasks makes them a valuable asset when optimizing a business’s operations. Unfortunately, this technology is also being manipulated by fraudsters on a global scale, allowing them to scale their attacks and increase the magnitude of their crimes. Luckily, there are tools like Unbotify, designed to detect bot behavior and help app owners put a stop to in-app bot fraud.

How do bots work? Technical ad fraud vs. in-app bot fraud

To avoid confusion when learning about bots, it is essential to know the distinction between technical ad fraud and in-app bot fraud. Technical ad fraud – such as Click Spam, Click Injection, install farms and SDK spoofing – is the exploitation of advertising technology for profit. Fraudsters have many methods of committing technical ad fraud, but the goal is always to abuse marketing models for financial gain.

Marketers can protect their ad spend from these types of mobile ad fraud with Adjust’s Fraud Prevention Suite. You can learn everything you need to know about technical ad fraud by reading The Adjust Guide to Mobile Fraud. The remainder of this article covers in-app bot fraud, which occurs inside an app and does not aim to steal a marketer’s ad spend.

What is in-app bot fraud?

In-app bots are designed to imitate human behavior, completing specific tasks that are beneficial to a fraudster’s goals. The ability to complete tasks at a humanly impossible rate makes them an extremely effective tool if an app is unprotected against the fraudster’s methods.

Apps that are attacked by in-app bot fraudsters can suffer in several ways: decreased retention rates, spammed users, hacked accounts, credit card fraud and more. In most – if not all – situations, in-app bot fraud is detrimental to the user experience and the damage is greater than solely the loss of revenue.

How bot fraudsters implement attacks

Fraudsters are continuously looking for ways to use bots for their own gain. While bot fraud is more common for verticals such as e-commerce and gaming, apps of all verticals are at risk in some capacity. Here are the most common ways in which in-app bot fraud is used depending on app vertical.

Finance apps

The nature of fintech apps means they are an immediate target for fraudsters, making them one of the most affected verticals. According to Threatmetrix, “financial services see a growth of 35 percent in mobile attacks year-on-year, with the biggest growth in risk coming from mobile account takeovers, which has seen a growth of 53 percent year-on-year.”

Finance apps are at risk of bot attacks in several ways. For example, bots can be used to access an account and steal the account holder’s money or sell personal information to other fraudsters. It is essential for fintech apps to protect themselves from such attacks due to the type of information they hold.

E-commerce and travel

There are many ways bots can abuse retail apps and these methods also apply to travel apps. Here are the main ways in which fraudsters can use bots to attack these verticals:

Swooping up items and promotional deals: Bots can claim an entire stock of limited edition items at humanly impossible speed – giving genuine customers no chance to benefit without paying a higher price from a third party. Founder and CEO of Need Supply Co. Chris Bossola explained this is particularly damaging because “if one person buys 40% of the product just to resell it, it’s not a good customer experience for anyone.” He also stated that “those people are not reliable customers who provide long-term value,” making the experience even more damaging. In some cases, bots may even be used to add items to carts, making them impossible to purchase and consequently benefitting a competitor’s store.

In addition, some users may try to counteract this by using bots themselves, as this has become their only way to purchase without using a third party. There was evidence for this behavior last year, when the top paid-for app on the App Store on March 29 was “Supbot”, a bot designed to help users purchase new Supreme products before other customers.

Skewing analytics: Spikes in traffic can be caused by bots, skewing analytics and leading marketers to potentially make negative changes to their overall strategy. This can drain resources and prevent you from making impactful changes based on uncompromised data. Developers who implement additional security measures to prevent this are adding extra steps to their customer journey, which may also affect conversion rates and ROI.

Log-in attacks: Bots can try to gain access to user accounts during your app’s log-in procedure. Lists of stolen information can be used to access accounts and saved credit card details can be used to buy products. This is a distressing situation for your users that also harms your app’s reputation.

Fake listings and updates: Bots can spam e-commerce apps with fake listings and fake product reviews. The UK government’s Competition and Markets Authority estimated that fake reviews may influence £23bn of UK customer spending per year. This fake activity can benefit sellers by gaining a high rating or damage their competitors with low ratings. For example, Amazon was flooded with automated fake reviews last year for products by unfamiliar brands. This can mislead users and cause them to buy inferior products, and it means your customers may lose trust in your ratings system.


Gaming

Last year, online poker site Partypoker purged 277 bot accounts, resulting in a payout of $734,852.15 that was distributed between the victims of abusive bots. Bots are a huge issue for the mobile gaming industry, with a recent Adjust survey showing that 40 percent of mobile gamers claim to have used bots to help them win. When asked whether bots were affecting their in-game experience, 63 percent said the impact was very or somewhat negative. Here are the most common ways bots are implemented in mobile games.

Game cheats: There are many ways a player might be incentivized to use a bot. If you have a daily rewards program, users can use bots to earn these rewards without having to log in each day. This will also compromise your data. Another incentive is that bots can farm in-game items. This is a significant issue because once a player can pay to become unbeatable via the use of bots, the spirit of your game has been compromised. This is demotivating for players who expect a fair fight, causing them to churn.

Manipulating in-game economies: Bots can ruin a mobile game by affecting your game’s economy. If players are paying for bots to play for them, they are investing their money in your game without generating revenue for your app. Mobile games with protection from bots are therefore more likely to generate revenue from users looking for ways to progress. For example, a player may spend that money on in-game purchases instead.

Social media

Social media apps are faced with the challenge of detecting bot activity such as fake likes and followers. For example, Facebook filed a lawsuit in 2019 against Social Media Series Limited, a New Zealand-based company, for selling automated Instagram engagements. A statement by Jessica Romero, Facebook’s Director of Platform Enforcement and Litigation, stated that Facebook is “sending a message that this kind of fraudulent activity is not tolerated on our services, and we will act to protect the integrity of our platform.”

If a social media app has a marketplace for users, it may also be susceptible to some of the same bot attacks as e-commerce apps.

How Unbotify can help

With so many ways bots can steal from app developers and tarnish the user experience, it’s important to find a preventative solution that can accurately distinguish between harmful bots and genuine users. Fortunately, Unbotify offers a solution for app developers looking to protect their app from malicious bot fraud.

Unbotify was founded in 2015 with a mission to disrupt the stagnant bot detection market. Since then, the company has stopped sophisticated bot fraud and helped restore online trust and transparency. This has been made possible by behavioral biometrics safeguards that put unfeasible computational and time burdens on bot fraudsters.

How Unbotify works

Unbotify is a bespoke solution that protects your app from bot attacks. By learning from human behavioral patterns that cannot be perfectly emulated, Unbotify’s machine learning is used to accurately identify bots in real-time. For example, genuine users will often tap their mobile devices in irregular patterns that are difficult for bots to reproduce.

A variety of in-app actions and locations throughout the day are also signs of a real user. Unbotify uses machine learning to compare these factors – such as a device’s accelerometer, light sensor, touch events and battery status – and distinguish in-app bots from real users.
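To make the tap-irregularity idea above concrete, here is an added example (not Unbotify's code or model) that computes simple regularity features from touch events and flags sessions whose taps are metronomic or land on the same pixel. The event layout, sample sessions and thresholds are all assumptions made for illustration; the other signals the article names (accelerometer, light sensor, battery status) are not modeled.

```python
from statistics import mean, pstdev

# Constructed sample sessions: one (timestamp_ms, x, y) tuple per tap.
HUMAN_SESSION = [(0, 212, 640), (410, 205, 655), (1130, 540, 300),
                 (1490, 533, 310), (2875, 120, 900), (3320, 131, 884)]
SCRIPTED_SESSION = [(0, 200, 600), (500, 200, 600), (1000, 200, 600),
                    (1500, 200, 600), (2000, 200, 600), (2500, 200, 600)]

# Assumed thresholds; a production system would learn these per app.
CV_FLOOR = 0.10           # timing variation below 10% counts as metronomic
POINT_RATIO_FLOOR = 0.5   # fewer than half the taps on distinct pixels
MIN_HUMAN_GAP_MS = 40     # gaps shorter than this are treated as implausible


def coefficient_of_variation(values):
    """Standard deviation relative to the mean (0.0 when the mean is 0)."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def tap_features(events):
    """Return regularity features for one session, or None if too short."""
    if len(events) < 3:
        return None
    events = sorted(events)  # order by timestamp
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    distinct_points = len({(x, y) for _, x, y in events})
    return {
        "interval_cv": coefficient_of_variation(gaps),
        "distinct_point_ratio": distinct_points / len(events),
        "min_gap_ms": min(gaps),
    }


def suspicion_reasons(events):
    """List the bot-like traits found in a session (empty list = none)."""
    features = tap_features(events)
    if features is None:
        return ["insufficient_data"]
    reasons = []
    if features["interval_cv"] < CV_FLOOR:
        reasons.append("metronomic_timing")
    if features["distinct_point_ratio"] < POINT_RATIO_FLOOR:
        reasons.append("repeated_coordinates")
    if features["min_gap_ms"] < MIN_HUMAN_GAP_MS:
        reasons.append("implausibly_fast_taps")
    return reasons


if __name__ == "__main__":
    print("human:", suspicion_reasons(HUMAN_SESSION))
    print("scripted:", suspicion_reasons(SCRIPTED_SESSION))
```

Fixed rules like these are only a baseline; the article's point is that a model trained on an app's own user flow replaces hand-set thresholds.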

Unbotify’s bespoke solutions are fully compliant with all data privacy regulations while protecting an app’s reputation in real-time. The behavioral patterns used to determine a user’s legitimacy are individually tailored to your app, learning the natural in-app user-flow. This enables app developers to protect their business and regain control of the user experience.

To learn more about how in-app bot fraud is affecting the industry, listen to the Mobile Presence podcast episode featuring Paul H. Müller, CTO at Adjust. Paul talks with Peggy Anne Salz, Lead Analyst and Founder of MobileGroove, about how to distinguish bots from genuine users and the top verticals at risk. You may also be interested in our Employee Story with Ran Arieli, Data Scientist at Unbotify.
