Mobile Fraud Trends at Mapendo in 2019

In 2019, mobile fraud is everywhere; this malware is becoming more sophisticated and difficult to detect. Consequently, the marketer’s and the publisher’s job becomes increasingly difficult. Additionally, while there is more fraud with the Android operating system (26.9%), Apple’s iOS seems to be closing the gap at 21.3%. “Among the most vulnerable app categories for ad fraud on iOS are shopping (32.9%), gaming (30.3%), finance (28.8%) and travel (21.1%). On Android, finance dominates (35.2%) as the most vulnerable app category, followed by shopping (32.8%), gaming (32.4%) and social (31.5%).”

In this article, we will go over the most common types of fraud according to our Account Managers at Mapendo: click spamming, click injection, mobile fraud bots, and spoofing.

Image for post
Image for post


Click spamming is also known as organic poaching, click flooding, click fraud or fake clicks. Click-spam is when a fraudster performs clicks for users and who are not aware of this occurrence. This act of fraud starts when a user lands on a mobile web page or in an app that a fraudster is running. From this point, multiple kinds of fraud can arise:

1. The mobile web page can generate clicks in the background with no visible ads, or any ads that can be interacted with.

2. The fraudster could be executing clicks in the background while the user is using the app, making it seem like the user interacted with the advertisement.

3. The spammer can develop many clicks at any time if the user is running an app the background (battery savers, etc)

4. A fraudster can make believe that a user transformed an impression into a click.

5. The spammer can send clicks from “fake” device ID’s.

Advertisers can determine click spamming by analyzing simple patterns. There is no universal threshold to detect fraudulent activity; every country and vertical has its own and unique behavior. However, there is a clear difference between genuine clicks and click spammers over a certain distribution of time. For real-traffic (without fraud), clicks should follow a normal distribution. The exact shape and size of the distribution vary between publishers, but a credible source should provide a fairly good amount of installs on the 1st hour from the click before tapering down. A minimum of 80% of installs should arrive in the first 24 hours.

Obviously, click spamming sources all have different behaviors but installs from fraudulent sources are distributed in a constant/flat manner. Fraudsters can reproduce clicks yet they cannot generate installs. This results in having installs and click to install times (CTIT) follow a random distribution pattern.

Image for post
Image for post

Interested in knowing more about us and our A.I. tech? You can learn about how it can help grow your App here!


Fact: “In 2018, Adjust rejected over 250 million fraudulent installs in 2018, of which 46% were paid traffic sources. Schemes that spoof ad engagements for real users were the most prevalent, with methods like click spam (25.5%) and click injections (47.6%) dominating SDK spoofing (17.3%) and fake installs (9.4%).”

Image for post
Image for post

Click injection uses malicious apps to infiltrate a user’s Android device. These apps listen to an app broadcast; which is the Android Operating System broadcasting to other apps that a new app is being downloaded. While the new app is being installed, the malicious apps will reproduce clicks to campaigns from the device that is installing the new app. This gives the fraudster credit for the organic installation. Marketing campaign analytics attributes the cost of the “stolen” install to spammers who receives the payment. This is a form of sophisticated click spamming.

The distribution for normal app installs and click injection installs are quite different. Just like click spamming, a closer look at the data patterns can help one detect the fraud. The CTIT variable to determine if there is click injection fraud should be the number one indicator that fraud is present in the ad campaign. For fraudulent cases, there is a sudden peak in the number of installs during the time range less than the average CTIT. Most of these installs are downloaded in less than 30 seconds.

Image for post
Image for post
Time between click and installs are in seconds

Mobile Fraud Bots

Fact: “In 2018 classic Bots were responsible for 14% of all fraud cases.

Bots are highly sophisticated and disguise themselves easily into humans. This malicious software has only one goal in mind: it tries to imitate real traffic and generate fake events (clicks, installs, post-install events). The advertisers are then spending their budget for ads that serve bots instead of humans. When the data is being processed into the analytical system, the fraudsters are the ones being paid. In consequence, this also gives the advertiser a reputation of being affiliated with fraudulent activities.

Image for post
Image for post

Bots can be analyzed and detected throughout abnormal post-install activities, or by recognizing an obvious fake app starts which then leads to a high concentration of retention rates. As time has evolved, bots have become more and more sophisticated making it more difficult for advertisers to identify. These “smart bots” have been able to do more than just create fake app starts, they’re capable of spoofing of post-installs and purchases. Their activities simulate perfectly the ones of a human.


“SDK spoofing is the creation of legitimate-looking installs with data of real devices without the presence of any actual installs.

Fact: “It’s quickly surpassed other popular fraud schemes like click injection, click spam, etc., and now accounts for 37% of all rejections, meaning that during an analytics quality review, the attribution will be rejected.”

Spoofing uses a method called “Man in the Middle Attack”. Spammers break into the secure sockets layer (SSL) encryption, the link between the tracking SDK and the baked servers. From there, the fraudsters create multiple “test-installs” for the app they want to “corrupt” and they discover which URLs are used for certain actions. From the URL, they try to resolve which part static or dynamic. Then, they test their setup on the dynamic portions. To end, once an install is successful and tracked, the spammers have ultimately figured out the exact URL resulting in them using this link to create fake installs. This process is repeated indefinitely.

Unlike click spamming and click injection, spoofing does not quite have a specific distribution. In this case, it’s very easy to mix this type of fraud to other types of fraud such as incentive, click spamming, click injection, bots and so on. The best way to spot spoofing is to directly get a confirmation of fraud from either the client, the app developer, an attribution platform or the data from the app. For example, spoofing will create fake “hotel bookings”. All of this completely out of thin air. However, the direct client can confirm if a person actually did a hotel booking.

Mapendo’s anti-fraud approach does not replicate what attribution technology already does. We are definitely able to detect any kind of fraud, the same way tools such as Appsflyer’s Protect360 (or other similar tools) do. But at Mapendo, we focus on delivering clean app installs and then, optimizing towards the client’s KPI. How can we be sure about delivering clean app installs? We mainly focus on 3 factors:

  1. The attribution tool: by using short attribution windows were able to detect and avoid click spamming issues.
  2. Anti-bot tool: by analyzing technologically the traffic and the sources we can stop bot traffic, delivering only true human activity.
  3. The activation funnel: since we get paid most of the time on CPA actions that are down the funnel, by optimizing towards these actions we guarantee the advertiser investment is safe. Obviously, we check every click, every action, every IP address against strong anti-fraud criteria.

By performing some comparative benchmarks between our internal technologies and two of the most common solutions on the market, we’ve found that our anti-fraud technology does a better job both in terms of volumes and quality.

What’s the problem with other solutions? Firstly, the applied criteria are not clear and well stated (well…in part this is due to obvious reasons), but in the end the results yielded are excluding most of the conversions, not remunerating the traffic. This halts the campaign as if the traffic is not paid for (the right amount of money) it will stop sooner or later.

We believe our solution does a better job, protecting the advertiser, making him pay a fair price and letting the volumes grow.

Written by

We are Mapendo. Curious and innovative. Mobile App Marketing is what we do and w. Artificial Intelligence is how we do it. || Bologna, IT ||

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store