What is Click Injection in Mobile App Fraud?

Fake Attribution or click injection fraud

Click injection is a type of fraud where “fraudulent apps” primarily take credit for organic installs. In my experience, I have seen around 40% to 50% of total app fraud to be fake attribution/click injection fraud. This means we have been falsely giving credit for organic installs to paid campaigns.

HOW DOES CLICK INJECTION WORK?

Let’s say a fraudulent app developer released an app called X. The revenue stream for the developer is through in-app advertisements.

The developer will use something known as “install broadcasts” to fake a just-in-time click as soon as a user downloads an app. All the attribution platforms will then attribute this install to app X. Let’s see in depth how it works:

Step 1: User S has a fraudulent app (X) installed on the device; it is usually a free app with some ads, such as a flashlight or a simple card game.

Step 2: S downloads a new app (B) on his phone; each of the other apps already installed on his phone is alerted about this new install through what are called Android “install broadcasts”. X is also informed about this install of B.

Step 3: If the marketing team of the newly installed app (B) has been promoting their app through display campaigns, there is a chance that app X also participated and has access to the tracking codes.

Step 4: Fraudulent app X reports a click to the ad networks for the newly installed app B; that is, X tells the ad networks that user S clicked on the ad in X before installing app B, even though S installed this app organically.

Step 5: Networks relay this information to the attribution platform; when the app is launched the attribution platform starts verifying the advertising clicks.

Step 6: This click (reported by X) matches the device ID of S, and the install is attributed to X.

When the advertiser reviews the performance of the campaign, it may appear that more installs are being generated by this campaign than by organic activity. So the fraudulent publisher X gets paid for the install of app B.

WHAT ARE “INSTALL BROADCASTS”?

All Android apps broadcast status changes (downloaded, installed, uninstalled) to the device and other apps. This acts as a messaging service between different apps on the device. Use cases include antivirus apps listening for any new install and prompting the user to test for viruses; another example is login functionality with deep linking to password managers.

Any app can “listen-in” on these broadcasts with requisite permissions.

How to detect click injection?

There is no difference between clicks from fraudulent apps and genuine apps. Thus, all the clicks seem to be legit.

However, there is a visible pattern in the average time between the click on an ad and the install of the app. For an attribution partner to count an install, the app must be opened so that the SDK can run; in mobile marketing parlance, install means “first open” and download means just the download of the app on the device. Thus, there will be some time lag between the click on an ad and the install, referred to as click-to-install time. This time lag will be different for every user and every app.

In my experience, and from reading online, the distribution curve for non-fraudulent “click-to-install” time is a normal distribution and should look something like this (Source: Adjust, app attribution platform):

[Figure: Click-to-install time curve for genuine installs]

Every app will have an average click-to-install time (depending upon the size and category of the app), and there will be a deviation from the mean.

For fraudulent installs, the curve looks like this (Source: Adjust, app attribution platform):

[Figure: Click-to-install time curve for fraud installs]

Click injection will produce a very short “click-to-install” time, giving a skyscraper at the start of the graph.

But this graph does not mean that all the clicks with a very small “click-to-install” time are fraudulent. Many times clicks will be communicated later than their actual time (batch processing in server-to-server calls); this automatically leads to a shorter “click-to-install” time. There can also be scenarios where a user launches the app after some time; this might increase the “click-to-install” time, as the fraudulent app “listened” to the install broadcast a long time ago when the app was downloaded (app downloaded from the store and not yet launched).

In a nutshell, a mobile marketer needs to look at the average “click-to-install” time and understand the deviation from the mean. If the deviation is way off for some partners, then there is something fishy about the installs.
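The per-partner comparison described above can be run over an attribution export. The following is an added example, not code from the original post or from any attribution platform; the partner names, sample timings and all thresholds (`short_s`, `min_installs`, `min_share`, `ratio`) are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, median

# Constructed sample: (partner, click time, first-open time) in epoch seconds.
# Partner names and timings are invented for illustration.
SAMPLE = (
    [("net_a", 0, t) for t in (95, 140, 180, 230, 260, 310, 400, 520, 700, 1500)]
    + [("net_b", 0, t) for t in (80, 120, 200, 240, 300, 350, 450, 600, 900, 2400)]
    + [("net_x", 0, t) for t in (2, 3, 3, 4, 5, 6, 8, 9, 150, 400)]
)

def ctit_by_partner(records):
    """Group click-to-install times (seconds) by partner."""
    groups = defaultdict(list)
    for partner, click_ts, install_ts in records:
        delta = install_ts - click_ts
        if delta >= 0:  # click stamped later than first open: not a valid pair
            groups[partner].append(delta)
    return groups

def ctit_report(records, short_s=10, min_installs=10, min_share=0.3, ratio=5.0):
    """Mark partners with an outsized share of very short click-to-install times.

    All four thresholds are assumed tuning values, not taken from the article.
    """
    groups = ctit_by_partner(records)
    report = {}
    for partner, times in groups.items():
        if len(times) < min_installs:
            continue  # too few installs to say anything about the distribution
        # Baseline: pooled installs of every other partner.
        rest = [t for p, ts in groups.items() if p != partner for t in ts]
        base = sum(t < short_s for t in rest) / len(rest) if rest else 0.0
        share = sum(t < short_s for t in times) / len(times)
        report[partner] = {
            "installs": len(times),
            "mean_s": mean(times),
            "median_s": median(times),
            "short_share": share,
            "baseline_share": base,
            "review": share >= max(min_share, ratio * base),
        }
    return report

if __name__ == "__main__":
    for name, row in sorted(ctit_report(SAMPLE).items()):
        print(name, row)
```

A `review` mark is a prompt to look closer, not proof of fraud, because batched server-to-server click reporting also shortens the measured time.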

PS: I have written this based on my own experience and some online reading on the topic. I would like to hear more about this from other people. What are their thoughts and experiences?
