This is a BETA experience. You may opt-out by clicking here

More From Forbes

Edit Story

Mobile Ad Fraud in 2018 - Tackling the Newest Threats

Updated Jun 11, 2018, 07:49am EDT
This article is more than 6 years old.

Mobile ad spending is growing another 20% this year to over $75 billion. With such a huge market, it’s no wonder that mobile ad fraud continues to increase as well. Losses from mobile fraud are estimated in the billions, but these numbers are based solely on rejection rates by advertisers using fraud prevention tools. The amount of preventable fraud is likely even higher.

While some initiatives to combat basic web domain spoofing, like ads.txt, are proving successful, it’s become clear that ad fraud is like an arms race. When industry players find a solution to neutralize one form of fraud, fraudsters come up with new and increasingly sophisticated ploys. As a result, fighting fraud is an ongoing battle that is fought in waves.


This was a primary insight in a recent Q1 2018 report on mobile ad fraud by AppsFlyer, the Israeli mobile analytics and attribution firm. A similar report was released in April by Berlin-based mobile measurement firm Adjust. Taken together, they provide a deeper look at the state of mobile ad fraud in 2018.


AppsFlyer estimates financial exposure to app install fraud in Q1 of 2018 was as much as $800 million, a 30% increase over last year.  Fraudulent installs make up 11.5% of all paid installs. In addition, the problem is widespread among all types of marketers. Out of a sample of 2500 apps, 22% had over 10% fraud, and 12% -- hundreds of apps – had over 30% fraudulent installs!

The hardest hit apps were, as you might expect, the juiciest targets: ones with high CPI/payout, massive scale, or both. E-commerce was the top app vertical with over $275 million in losses, with gaming, finance, travel and food and drink rounding out the top five.

Because of the sheer scale of its platform, Android has three times the fraud as iOS.  Android’s fraud rate, however, is only 33% higher than that of Apple’s platform. Apple’s walled garden approach makes it less vulnerable to device-based attacks; fraudsters revert to click flood as a tactic as it doesn’t require penetrating an actual device. The result is a click flood rate on iOS that was five times higher than that of Android.

In its Q1 2018 report, Adjust concluded that ad fraud rates have doubled compared to a year earlier.  Like AppsFlyer, Adjust found that e-commerce was the most attacked vertical with 40% of the paid installs rejected, followed by games and travel.

Types and Trends

The dominant ad fraud strategies have shifted rapidly over the last year: when advertisers shut down one attack vector, the fraudsters pivot to another.  AppsFlyer noted that over 50% of all mobile install fraud last summer was DeviceID reset fraud, perpetrated by large device farms. In this scam, thousands of real phones download apps and generate paid install fees. They then reset the phones’ identification numbers to appear as new devices and are able to do it over and over again. Since then, the industry has learned how to recognize this fraud and newer strategies have proliferated.

App Install Farud Distribution by Type


Such tactics include Click Flooding, also known as Click Spamming, Click Injection aka Install Hijacking, and bot-driven attacks like SDK Spoofing.

Click Flooding or Click Spam is a way fraudsters poach organic users. When an unpaid user installs an app, a series of fraudulent clicks take place, falsely attributing the action to a paid ad. This form of fraud is especially insidious because it not only makes the advertiser pay for a user they didn’t need to pay for, but it also understates the amount of organic traffic they are getting, The combination of false signals is toxic to marketing strategy. As organic users tend to be higher quality, the marketer may spend more money on a paid channel falsely thinking it is producing high-quality users.  And at the same time, they underspend on the non-paid activities that produce organic users.

A more sophisticated version of organic poaching is Click Injection. This tactic exploits an Android feature known as “install broadcasts” where all existing apps on a phone are notified when a new app is being installed.  Scammers create simple free apps that users download. The fraudulent app is informed when a new app install is taking place, and it sends a series of clicks to attribution networks before the install is complete. The fraudster gets credit for what is most likely an organic install – and gets paid for it.

Finally, the newest forms of mobile ad fraud are bot-driven strategies like SDK Spoofing.  In SDK Spoofing, a bot that hides on an app generates a series of simulated ad click, install, and engagement signals to an attribution provider without any real installs occurring. It is particularly hard to detect because it occurs on real phones using legitimate apps as Trojan horses. Any real app that integrates with the wrong SDK is vulnerable to this kind of attack. Adjust found that in measuring 3.43 billion installs in the first quarter of 2018, 37% of all rejected installs were from SDK Spoofing.

Best Practices

As we can see, mobile ad fraud is becoming increasingly sophisticated and difficult to detect. Billions of dollars are at stake, and the price for marketers, publishers and networks alike is constant vigilance. Fraud detection software like the kind provided by AppsFlyer and Adjust can help. These firms have access to the kind of massive datasets that empower machine learning to recognize anomalies. But even the smallest advertiser can pay more attention to the patterns in its own data. Keeping SDKs updated is good policy. Staying up to date and informed on fraud trends is necessary.  While marketers bear most of the financial costs, everyone in the industry suffers from fraud. User acquisition managers should work closely with their ad networks and data teams to find solutions. More open data sharing and transparency among attribution and tracking firms could help as well. We’re all in this fight together!