Detecting Fraud Based on Click To Install Time

Accurate performance data is crucial to the success of mobile app marketing campaigns.

Undetected fraud and reactive fraud management leave fraudulent clicks and installs in your data, muddying reporting used in decision making, leading to:

• Diverted ad spend from legitimate traffic sources to sources inflated by fraud
  ‍
• Overall poor performance as data used for optimisation is not accurate or reliable
  ‍
• Time-consuming install volume reconciliations at billing time and associated costs of chargebacks

Click To Install Time (CTIT) is one tell a tale sign that your campaigns and performance data are being compromised by ad fraud. It works on the basis that for each app install, there is an expected window of time in which a majority of clicks and installs occur. High volumes of traffic outside this norm point to fraud.
‍

Excessively short CTITs

A high proportion of conversions with excessively short CTITs is an indication that fraudsters are attempting to claim attribution of installs through a tactic known as click injection.
‍

In the below visualisation, we can see the normal distribution (blue) where a majority of installs occur at least 5 minutes after their corresponding ads were clicked. High proportions of installs before that 5 minute mark, would be excessively short CTIT, pointing to a fraud tactic known as click injection. The distribution for click injection with its short CTIT is represented by red in the above visualisation.
‍

How click injection works?

Click injection uses malicious apps to infiltrate a user’s Android device. These malicious apps listen for an install broadcast; which is the Android Operating System broadcasting to other apps that there is a new app being downloaded.

Whilst the new app is being downloaded, the malicious apps can trigger clicks to campaigns from the device installing the new app. In doing so, they are able to steal the attribution of an install from another traffic source.
‍
‍

Repeat offenders can be recognised quickly and then blocked at the click until their sources of click injection traffic are optimised out.
‍

Flat distribution of CTIT

The distribution of your CTITs can also uncover when you are being flooded with click spam. Click spam attempts to steal attribution on an app install that it has no association with. Click to install time analysis shows that there is no association of the install to the click with it’s flat distribution (reflected by grey installs in the above distribution diagram).
‍

How click spam works?

Click spam is a fraud tactic that sends high volumes of clicks in order to steal attribution from another traffic source.
‍

These clicks are not generated by legitimate interactions with advertising. When observing the CTIT from sources of click spam, you will see a flat distribution showing that there is no association between the install to the click.
‍

High click volumes can be generated from a variety of methods, such as ad stacking or sending impressions as clicks.
‍

Known sources of click spam can be blocked at the click preventing this traffic from reaching the measurement platform to steal attribution. Blocking at the click also keeps this traffic out of performance data to ensure more effective and faster campaign optimisation.
‍

As well as CTIT, another indicator of click spam is excessively low conversion rates. Blocking sources or sub-sources with excessively low conversion rates removes this invalid traffic from your campaign data too.
‍

For sophisticated sources that evade detection at the click level, analysis of CTIT before attribution is essential to ensure you don’t waste media spend on click spam.
‍

Fraudsters have become savvier making it harder for advertisers to recognise and block fraud.
‍

As click injection and click spamming can be recognised by analysing the correlation between the time of the click and the time of the install – the more data you have, the earlier you can detect it. TrafficGuard analyses clicks, installs and post-install activity across many advertisers. This abundance of data allows TrafficGuard to identify these types of fraud quickly and reliably.
‍

Signatures and behavioural heuristics like CTIT are just one line of defence. TrafficGuard is comprised of multiple layers of scoring, algorithms, thresholds and machine learning, applied to the click, install and post-install events. Every transaction contributes to a picture of what normal traffic looks like, as well as what fraud looks like, helping TrafficGuard to detect fraud from unknown tactics, and also finding earlier indicators of known tactics.

‍