Mobile ad fraud basics

Mobile ad fraud implications trickle down to each and every aspect of an advertiser’s marketing initiatives, affecting current activities and future activity alike.

Lost budgets (direct & indirect) 

The most obvious implication is the direct financial loss fraud creates. According to AppsFlyer’s latest mobile ad fraud data study, 15% of global mobile media spend is wasted on fraud.

These lost budgets could have produced value for advertisers had they been wisely invested in other profitable channels. This is considered the alternative cost, and it could potentially pose a greater risk for advertisers due to its long-term effects and scale.

Polluted data

Fraud can lead advertisers into investing and reinvesting in “bad” media channels due to the pollution of data being analyzed. 

Once fraud infiltrates the data mix, it becomes almost impossible to tell apart real users from fake ones and organic users from acquired ones.

Bottom line? Advertisers’ data becomes polluted and unreliable.

Drained resources

Above anything else, fraud is an enormous waste of time and human resources. Entire teams spend countless hours working on reconciliation and clarifying where anomalies are found within their data.

Fraud implications

Ecosystem impact

While advertising budgets are stolen, advertisers are far from being the only ones impacted. Fraud damages are felt across all entities and players within the marketing ecosystem.

Marketing tech vendors

Martech vendors rely on healthy advertising budgets to prosper, develop, and offer additional services.

As fraud consumes more marketing budgets, advertising ventures become less profitable for many advertisers. Martech companies that rely heavily on these budgets are hit by a lower scale of marketing initiatives.

This serves as a double negative, as martech solutions often help advertisers better measure their activity, optimize campaigns, and even help protect them from fraud.

Media partners (Ad networks)

Fraudsters exploit the ecosystem’s complexity and the many mediating entities within it to remain undetected, with many ad networks unaware of fraud polluting their traffic.

A lack of fraud treatment could cost an ad network its reputation and put its future business with leading advertisers at risk, as advertising budgets shift towards SRNs (self-reporting networks), with advertisers limiting their media portfolio in exchange for cleaner traffic.

Moreover, legitimate networks often lose credit for quality users they provided due to attribution hijacking tactics, in which fake clicks are used to steal that credit.


High profile app and website owners rely heavily on revenue generated by traffic monetization.

Domain spoofing fraud aims to directly steal revenue from these sources by pretending to sell their traffic, artificially inserting their domain name into attribution URLs. These actions hide fake or low-quality traffic that was bought cheaply and is resold through ad exchange platforms at higher rates.

Mobile ad fraud indicators

Much like other crimes, mobile ad fraud also has its clues and indicators to help identify it and flush out its operators. 

The data collected by attribution providers can be analyzed to identify anomalies in user behavior, device sensors and more. These can help paint a picture of what legitimate activity patterns look like, and in turn highlight abnormal behavior.

As data analysis plays a big part in identification, reliance on a larger database makes fraud identification efforts more accurate, identifying more fraudulent patterns faster and more efficiently.

CTIT fraud identification


Click to Install Time (CTIT) measures the gamma distribution of the time between two timestamps in the user journey: the user’s initial ad interaction and their first app launch. CTIT can be used to identify different cases of click-based fraud:

  • Short CTIT (under 10 seconds): possible install hijacking fraud 
  • Long CTIT (24 hours and after): possible click flooding fraud
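The two CTIT cut-offs above, applied per media source over attribution records, as an added example (not code from the original page or from any attribution provider). The record layout, the source names, the 50% share that triggers a flag, and the minimum install count are assumptions; only the 10-second and 24-hour thresholds come from the text.

```python
from collections import Counter, defaultdict
from datetime import datetime

SHORT_CTIT_S = 10        # page threshold: under 10 seconds
LONG_CTIT_S = 24 * 3600  # page threshold: 24 hours and after
MAX_SHARE = 0.5          # assumption: bucket share that triggers a flag
MIN_INSTALLS = 3         # assumption: skip sources with too little data

# Constructed sample: (media_source, click time, first app launch)
SAMPLE = [
    ("net_a", "2024-03-01T10:00:00", "2024-03-01T10:03:10"),
    ("net_a", "2024-03-01T11:00:00", "2024-03-01T13:00:00"),
    ("net_a", "2024-03-01T12:00:00", "2024-03-02T14:00:00"),
    ("net_b", "2024-03-01T09:00:00", "2024-03-01T09:00:03"),
    ("net_b", "2024-03-01T09:05:00", "2024-03-01T09:05:05"),
    ("net_b", "2024-03-01T09:10:00", "2024-03-01T09:12:00"),
    ("net_c", "2024-03-01T08:00:00", "2024-03-02T14:00:00"),
    ("net_c", "2024-03-01T08:00:00", "2024-03-03T08:00:00"),
    ("net_c", "2024-03-02T08:00:00", "2024-03-02T07:59:00"),
]

def ctit_seconds(click_ts, launch_ts):
    """Seconds from ad click to first launch; None if the launch precedes the click."""
    delta = datetime.fromisoformat(launch_ts) - datetime.fromisoformat(click_ts)
    return delta.total_seconds() if delta.total_seconds() >= 0 else None

def bucket(ctit):
    if ctit is None:
        return "invalid"
    return "short" if ctit < SHORT_CTIT_S else "long" if ctit >= LONG_CTIT_S else "normal"

def ctit_report(records):
    """Per media source: bucket counts plus flags when a bucket dominates."""
    counts = defaultdict(Counter)
    for source, click_ts, launch_ts in records:
        counts[source][bucket(ctit_seconds(click_ts, launch_ts))] += 1
    report = {}
    for source, c in counts.items():
        total, flags = sum(c.values()), []
        if total >= MIN_INSTALLS and c["short"] / total > MAX_SHARE:
            flags.append("possible install hijacking")
        if total >= MIN_INSTALLS and c["long"] / total > MAX_SHARE:
            flags.append("possible click flooding")
        report[source] = {"installs": total, "short": c["short"], "long": c["long"],
                          "invalid": c["invalid"], "flags": flags}
    return report

if __name__ == "__main__":
    for source, row in sorted(ctit_report(SAMPLE).items()):
        print(source, row)
```

A single long or short install does not flag a source; the check looks at the share of a source's installs in each bucket, which is why `net_a` stays clean despite one 26-hour CTIT.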


New device rate

New Device Rate (NDR) highlights the percentage of new devices downloading the advertiser’s app. New devices are of course normal, as new users install apps or existing users change devices. However, advertisers must keep an eye on the acceptable NDR for their activity, as this rate is determined by the new Device IDs measured. As a result, it can be manipulated by Device ID reset fraud tactics, which are very common with device farms.

Device sensors

Biometric behavior analysis relies on hundreds of device sensor indicators, from the device battery level to its angle and more. These indicators help create a profile for each install, analyzing the device and user behavior of that install and how well they match the normal trends measured with real users.

Limit ad tracking

Limit Ad Tracking (LAT) is a privacy feature that allows users to limit what data advertisers receive about the activity generated by their devices. When a user enables LAT, advertisers and their measurement solutions receive a blank device ID in place of a device-specific ID.

Fraudsters attempt to hide their schemes by enabling LAT on their devices. This KPI is relevant only for Google and iOS advertising identifiers. Amazon, Xiaomi, and more use other identifiers.

Conversion rates

A conversion rate describes the translation of one action into another: ad impressions into clicks, clicks into installs, or installs into active users. An advertiser’s knowledge of its expected conversion rates at any point in the user journey can help prevent fraud infiltration.

A rule of thumb in terms of conversion rates is to suspect that anything that is too good to be true, likely isn’t true.

Artificial intelligence

Artificial intelligence has become a common fraud indicator, as it allows fraud identification logic to be applied at scale. AI helps indicate instances that humans cannot trace at any scale.

A machine learning algorithm (e.g. Bayesian networks) combined with a large mobile attribution database will ensure an efficient and accurate fraud detection solution.

A fraudster profile

When examining the current profile of common fraud operators, we notice that market perceptions rest on a misconception.

Many marketers perceive fraud as a malicious operation carried out from secret locations. The fraudster is often thought of as a hacker wearing a hoodie or a mask.

In reality, fraudsters are anything but secretive, with some of them even displaying their activity out in the open. However, they often don’t consider their activity to be fraudulent, but rather regard it as a service.

The average fraud operation can appear like a mainstream tech company, and even seem legitimate. The various bots, emulators, and other malicious tools it uses are referred to as “products” or “software releases” rather than fraud.

These companies operate from trendy offices and offer pension programs and benefits. They employ bright minds and experienced engineers, and operate sophisticated BI teams as they choose their targets wisely and develop their “products” to bypass their targets’ defenses.

They are calculated and goal oriented, and they run ROI-driven, large-scale operations.

In order to effectively take on the ad fraud challenge, we must first acknowledge that the people operating it are just as sophisticated and forward thinking as (if not more than) the ones looking to block their attempts.

Another common misconception is that fraud is usually driven by ad networks and malicious media sources. While this can sometimes be the case, fraud can still be driven from various directions, using the industry’s structure to encourage its growth.

Advertiser fraud

The online industry’s roles are dynamic: anyone involved can act as advertiser, publisher or mediator at any given point. Malicious apps carrying malware or adware need to reach large audiences in order to operate their schemes at scale, so they too rely on marketing campaigns. These apps can appear harmless at first, but initiate or support malicious activities once downloaded to user devices. It's important to examine each app carefully, noting the backend credentials and permissions and how they are used.

Mediator fraud

A mediator can be any entity placed between the advertiser and its publisher. There are numerous ways in which mediators can manipulate transactions for their benefit. One of these manipulations is domain spoofing, where a publisher's domain or app is altered by the mediator to appear more attractive and command higher CPIs. Another is ad stacking, where a single ad placement hosts several ads simultaneously while only one of them is visible.

Publisher fraud

Publishers themselves can often initiate fraud using numerous tactics that help boost the value of specific media assets. A publisher can operate bots to constantly remain active on their app and generate impressions for ads presented to them. These bots can even initiate clicks and in-app engagements with the apps. Display fraud tactics are also very popular with some publishers, as they attempt to squeeze more out of their own media offering, using invalid ad placements and misrepresentation of media quality.

User fraud

In a market where the absolute majority of apps are offered for free, in-app economies rely heavily on the app’s ability to convert free users to service acquiring users at very specific rates. User fraud occurs when users try to trick an app’s economic structure in order to gain better positioning or use its services for free. From resource draining bots in gaming apps to unlocking swiping limitations in dating apps, these actions bypass the app developer’s intended user experience. In doing so, users harm the app's means of generating revenue.

Common fraudster tools

Fraudsters are inventive and creative, constantly improving the tools at their disposal to further develop their activities.
Common legitimate tools used by developers, advertisers and users will often be manipulated and used to exploit specific functions that create opportunities for fraudsters.

Device emulators

Emulators are a common tool for legitimate game developers as they create a virtual device environment to test different app features. Fraudsters, however, use these emulators to mimic mobile devices at scale and create fake interactions with ads and apps.

Emulators are easy to download, enable seamless recreation of fresh devices and users, and can be operated at large scales using bots and scripts.

VPN proxy tools

A VPN works by routing the device's internet connection through a chosen VPN's private server rather than through the internet service provider (ISP). When data is transmitted to the internet, it appears to come from the VPN rather than from the device.

Fraudsters abuse this tool to mask their operations and hide their IP addresses to avoid being blacklisted. This tricks advertisers into thinking that their engagement originated from desired locations.

Malware


Malware is malicious software intentionally designed to cause damage to a device, server, client, or computer network. Fraudsters design and develop different types of malware. These developments help them manipulate security breaches and loopholes by infiltrating devices and servers, falsifying data, and exploiting advertisers and users alike.

Fraud evolution

Fraud has always been a part of the online advertising industry. As long as there was money to be made, even for basic CPC campaigns, fraud was an integral part of the advertising equation. 

Mediated ad networks started appearing around the early 1990’s to help connect advertisers and websites.

The 90’s dot-com boom increased publisher variety and scale significantly, which opened a door to various ad networks. Additionally, the first directories such as Yahoo! directory and keyword search engines like Alta Vista emerged in order to help users reach destination sites and navigate between a plethora of websites easily.

Early ad fraud methods in the late 90’s and early 2000’s were mostly focused around variations of desktop based click spamming and search engine manipulations. 

Online industry evolution

In 2008 the Apple App Store was announced, introducing a new era where internet access is available through mobile devices. 

The introduction of app environments and mobile web played a significant role in the surge of online advertising during the 2010’s, gradually taking up a bigger piece of the advertising pie.

Up until 2010, desktop activity was still the main focus point for advertisers and fraudsters alike. As mobile budgets grew, fraudsters gradually started shifting their focus towards mobile, initially applying common desktop fraud methodologies to mobile activity to test the new environment’s potential.

Mobile vs. web advertising trend (Source – PWC IAB report)

App install fraud became more popular over time as fraudsters exploited the industry’s interest in expanding towards the mobile front. App store rankings became the new focus point for advertisers, who opted for “burst” campaigns to gain large install quantities in very short time frames. This offered an open door for fraudsters to exploit incentivized and low-quality channels, spamming advertisers with fake users.

As app store ranking algorithms evolved, “burst” tactics became almost obsolete. App developers’ understanding of the new mobile landscape matured as well, putting their focus on quality, active users rather than inflating install numbers.

As the industry evolved, greater mediation points in the form of ad exchanges, SSPs, DSPs, media agencies, and others were added to the journey between advertisers and publishers – each with their own view on transparency, traffic quality and delivery standards.

Industry complexities currently allow fraud to flourish. Fraudsters exploit transparency loopholes, reporting standard inconsistencies and even technological development attempts to conduct their schemes at different scales across various platforms.


Fraud can exist anywhere in a complex ecosystem

Online publisher or media source accounts are easy to create and disguise across the plethora of mediation platforms available, using shell companies and other masking techniques.

These help hide the fraudster’s operation as it mixes with other sources in an ocean of data and is often only identified by a generic ID, which separates the malicious activity from a company name.

Once hidden or masked, CPM, CPA, CPS and other advertising models are easy to manipulate by generating fake impressions, clicks, sales, and even users. Even when caught or blocked, a fraud operation can easily repackage itself under a new ID or business entity and resume its fraudulent activities.
