Summits Yellow

Adjust Issues Click Injection Fraud Warning

David Murphy

Adjust GC guy andreas-naumann

“We’re expecting [click injection fraud] to roughly supplant and equal click-spamming activities in size, which accounted for an estimated five per cent of ad engagements on Android” – Andreas Naumann

Mobile Attribution and analytics company Adjust has issued a warning about click injection fraud, which it believes is set to become one of the dominant forms of mobile marketing fraud in 2017.

Click injection fraud enables fraudulent app publishers to earn money by injecting fake clicks from a user’s Android device as the user installs an app. The clicks are generated from within a low-effort, fraudulent app – typically a game or utility such as a torch app – which uses something called “install broadcasts” to detect when other apps are downloaded on a device and inform every other installed app, including the fraudulent one, about the download, in order to trigger clicks from within the fraudulent app just before the install completes.

If the downloaded app has been promoted through display advertising, there’s a good chance that the fraudulent app was involved in the campaign and so has access to the tracking codes, which it uses to report a click from the user to ad networks and tracking services. When the downloaded app is opened for the first time, the analytics services are informed and the fraudulent publisher is credited for the false click, earning a payout, typically between $1 and $5 per click.

So if a user has clicked on a genuine ad or other link to download an app, the ad network is fooled into believing that the conversion came from an ad within the fraudulent app and the publisher of the fraudulent app earns the money from the click, effectively poaching organic conversions and conversions from legitimate publishers. Currently, Adjust says, click injection is effective on Android only, as it uses Android's install broadcasts feature to perpetrate the fraud.

Adjust fraud specialist Andreas Naumann said the new scheme is technically similar to ‘click-spamming’, but evades the tools that prevent click spam. “We’re expecting it to roughly supplant and equal click-spamming activities in size, which accounted for an estimated five per cent of ad engagements on Android,” said Naumann.

The key to the fraudster’s success, said Adjust, is their anonymity, which is aided by the long tail of app developers signed up as publishers within self-service ad networks.

Speaking to Mobile Marketing, Adjust head of communications Simon Kendall said: “Most fraudulent publishers sign up to an ad network as a self-service publisher under multiple different identities and with many different profiles. They may put legitimate ads in their apps alongside the fraudulent ones and they can go on for months or even years without being noticed. When they are flagged as being fraudulent, the ad network will likely block them, but then they’ll just move on to the next ad network.”

As for the payments made to these fraudulent publishers, according to Kendall, it’s just not worth ad networks’ time trying to get the money back. “For an individual ad network, we are talking about relatively small amounts of money, and these fraudulent publishers tend to be in places like Southeast Asia or Russia that are difficult for the ad networks to get to, so all they can really do is ban them when they are identified as fraudulent,” he said.

Adjust is currently testing different algorithms to prevent the fraudulently-claimed conversions as part of its Fraud Prevention Suite of software tools protecting advertisers, with a release due later in the quarter.