Why do you need fraud prevention?

Click spam

Click spam is a type of mobile ad fraud in which fraudsters generate unauthorized clicks to falsely claim credit for user installs.

Click spam begins when a user lands on a compromised mobile webpage or an app containing a misused SDK to trigger uninitiated clicks. From there, the fraudsters can employ several different methods.

Methods of click spam:

• A mobile web page executes mobile click fraud without the user’s intent or knowledge by running ads in the background.
• The spammer can click in the background while the user engages with the app, making it look like the user has interacted with an advertisement.
• The fraudster can generate clicks at any time if they use an app that is simply running in the background 24/7 (e.g., launchers, memory cleaners, battery savers, etc.).
• The fraudster could send impressions-as-clicks to make it look like a view has converted into an engagement.
• The spammer could blatantly send clicks to tracking vendors from made up or collected device IDs.

In the end, they all share the same goal: false engagements.

The impact of click spam

Click spamming is particularly harmful because it misattributes both organic and legitimate traffic from paid sources. When unchecked by a fraud prevention system, these false attributions are credited to fraudulent channels, allowing fraudsters to claim credit for installs. If not addressed early, click spam can corrupt an app’s entire attribution data, misleading advertisers and wasting valuable resources. Unfortunately, there are other serious consequences: 

• Miscalculating organic installs:  Click spam leads to the miscalculation of organic user data, skewing cohort analyses and causing the cannibalization of organic marketing efforts, such as branding and press outreach, by fraudulent activity.
• Misinformed UA strategies: False attributions from click spam cause advertisers to overinvest in channels that appear to perform well due to fraud. For example, if an advertising network falsely claims to have high-performing organic users, marketers might allocate more of their budget to that channel. This creates a cycle where advertisers repeatedly pay for users they would have acquired organically or through other channels.
• Neglecting more reliable channels: Fraud-free channels often appear less effective than those inflated by fraudulent conversions. This misrepresentation diverts budgets from reliable channels, causing advertisers to miss potential return on investment (ROI).

 

Click injection

Click injection is a sophisticated form of click spamming unique to Android devices. Fraudsters use an app to monitor when other apps are downloaded on a device and trigger engagements before an installation is completed (but before the app is opened). By timing their fraudulent clicks perfectly, they claim credit for installs, poaching both organic users and those acquired through legitimate advertising channels.

In short, click injection fraudsters use an app to inject an engagement at just the right time to get the cost per install (CPI) payouts or cost per acquisition (CPA) payouts. This creates systematic inaccuracies, leading advertisers to invest in underperforming and ineffective channels, diverting money from better-placed and better-designed campaigns.

SDK spoofing

SDK spoofing, also known as traffic spoofing or replay attacks, occurs when fraudsters utilize real device data to create legitimate installs or clicks.

Fraudsters exploit vulnerabilities in the SSL encryption communication between a tracking SDK and its backend servers. By intercepting and analyzing URL calls that correspond to app actions, they reverse-engineer the process to simulate ad clicks, installs, and other in-app engagements. Once successful, they can replicate these activities indefinitely.

Fake installs

This method of mobile ad fraud involves fraudsters creating fake app installs, conversion events, and other types of engagement. Enter device farms and fake installs. 

• Manual device farms: Previously common worldwide, these involve workers manually operating rows of smartphones to simulate installs and interactions. Although declining due to advancements in detection, they remain a concern in less-regulated markets.
• Intelligent device farms: There are also intelligent device farms pre-programmed with automatic actions that allow fraudsters to fake installs and other in-app user activity without requiring human input. These farms are harder to detect due to their efficiency and scale.
• Emulated devices: A program or device that allows a computer to behave as another device, most often a mobile device, is a device emulator. Fraudsters can use device emulators to steal marketers’ ad spend with falsified installs and in-app activities.

By using various device types with limited ad tracking enabled, frequently resetting advertising IDs to create unique profiles, and masking their actions with anonymized IP addresses, they make fake installs and engagements appear legitimate, making detection challenging. This is where mobile fraud prevention comes in.

Distribution modeling to combat click spam

Advertisers can catch click spamming by looking for a simple pattern. At Adjust, we identify click spam by analyzing click to install time (CTIT) distributions. Genuine traffic typically shows a natural pattern, where most installs occur within the first hour after an ad click, followed by a rapid decline. In contrast, click spamming exhibits a flat or random distribution because spammers generate clicks without genuine user engagement. This discrepancy allows advertisers to detect and filter out fraudulent traffic before attribution occurs.

Adjust employs distribution modeling to automate this process, a system that identifies and rejects click spam through two key methods. The first method, hyper-engagement filtering, focuses on spotting high-frequency clicks sent at recurring intervals. Fraudsters use these tactics to create a "last-click" attribution close to an organic install. Adjust flags these repetitive patterns and removes them, ensuring installs are attributed to legitimate sources or organic traffic.

The second method, distribution outlier analysis, examines CTIT patterns to detect inconsistencies. Research shows that over 85% of installs from legitimate traffic occur within the first hour after a click. Fraudulent traffic, however, lacks this correlation and spreads conversions across the attribution window. Adjust rejects these outliers, attributing installs to the appropriate source or marking them as organic.

Click injection filter to tackle click injection

Adjust combats click injection fraud with click injection filtering, leveraging timestamps to maintain accurate attribution data. For installs from the Google Play Store and Huawei AppGallery, Adjust uses referrer APIs to compare engagement times with two critical timestamps:

• Install_begin_time: Engagements occurring after this timestamp are flagged as fraudulent.
• Install_finish_time: A second check ensures no fraudulent clicks are recorded after installation.

For installs outside these app stores, where referrer APIs are unavailable, Adjust relies on the install_finish_time timestamp to identify and reject fraudulent engagements. This ensures all illegitimate attributions are effectively filtered, regardless of the app store source.

Rejected attributions are transparently reported. Fraudulent installs appear as rejected installs; click injection (RI CI), and reattributions as rejected reattributions: click injection (RR CI). These rejected actions are either reassigned to legitimate sources or categorized as organic if no valid engagement exists.

By combining deterministic timestamps, referrer APIs, and clear reporting, Adjust ensures accurate attribution data while protecting ad budgets from fraudulent activity.

SDK Signature to fight SDK spoofing

Adjust combats SDK spoofing with our SDK Signature, the most secure SDK on the market. Featuring custom encryption keys, unique cryptographic libraries, and bi-annual updates, it ensures unmatched protection against spoofing attempts by verifying all requests and rejecting unsigned or invalidly signed data.

Adjust also provides real-time fraud rejection callbacks and detailed reports, categorizing flagged traffic under untrusted devices or suspicious installs. After a transition period of two attribution windows (e.g., 14 days for a 7-day window), advertisers can enable signature validation to ensure complete protection without disrupting attribution accuracy.

The anonymous IP filter to reject fake installs

Analyzing IP addresses can identify fake installs from device farms and emulators. Fraudsters often route this traffic through proxies, VPNs, or data centers to obscure its origin. Adjust’s anonymous IP filtering cross-checks all installs and reattributions against MaxMind’s anonymous IP database. Installs linked to anonymizing services, such as VPNs, Tor exit nodes, or data centers, are flagged as untrusted devices, isolating fraudulent activity from legitimate data.

This filtering prevents most fraudulent installs from entering your data set, preserving data integrity. Rejected installs and reattributions are transparently reported with metrics such as:

• Rejected installs: anonymous IP (RI AIP)
• Rejected reattributions: anonymous IP (RR AIP)

This system ensures advertisers use clean, actionable attribution data for effective decision-making.