Ad fraud on mobile


On December 10th, AppLift, in conjunction with ad fraud detection company Forensiq, released a report that surfaced some worrying information about advertising fraud on mobile:

  • 34 percent of all mobile traffic is at risk of fraud (with 12 percent being at high risk of fraud, although the study doesn’t distinguish the difference between “at risk” and “at high risk”);
  • CPM campaigns are three times more likely to experience fraudulent clicks than CPC campaigns (which are ten times more likely to experience fraudulent clicks than CPI campaigns);
  • There is no significant difference in ad fraud rates between iOS (33%) and Android (35%) (i.e., no way to alleviate the risk by focusing on one platform vs. another).

The report makes for an interesting read, as it breaks down the different types of ad fraud an advertiser might confront into two tactical buckets (technical fraud and compliance fraud) and details the different approaches taken by fraudsters in each.

Mobile fraud is obviously a concern for mobile advertisers: mobile programmatic ad spending in the US will reach $8.36BN in 2016 (surpassing desktop), and Forensiq estimates that the loss to advertisers resulting from fraudulent mobile clicks could total $1BN this year. In a different study, mobile analytics firm Apsalar found that, globally, 2.57 fraudulent clicks could be expected per legitimate click leading to a mobile app install.


In an interview about the study it released, AppLift’s CEO states that one of the tools advertisers have in combating ad fraud on mobile is the ability to optimize campaigns based on clicks and in-app activity — i.e., cutting spending on campaigns that don’t result in installs and / or actions in the app, since bots and other non-human traffic can’t emulate those. While this is true, it also somewhat shifts the burden of battling fraud to the advertiser, when it is the ad networks that should carry that responsibility, since they facilitate the transaction. It’s also not completely foolproof: assuming fraudulent clicks are somewhat evenly distributed across publishers’ apps (which, to be fair, might not be a valid assumption), optimization algorithms that target in-app activity might not be able to meaningfully and reliably sort traffic sources into “good” and “bad” buckets.

One extremely problematic manifestation of ad fraud comes in the form of app hijacking, which Forensiq highlighted this summer: certain apps run multiple instances of ad placements (up to 20 per minute) and can even simulate clicks on those ad placements, confounding the optimization approach detailed above. These apps can even run ad impressions while they’re minimized in the background, accumulating a massive number of impressions / clicks and also draining a user’s battery and consuming data in the process. In one simulation, Forensiq found that over the course of 24 hours, a malicious app was able to download 2GB of images and video from ads.
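
The two hijacking signals described above (an abnormal number of ad placements per minute, and impressions served while the app is in the background) can be checked on the network side over impression logs. The following is an added example, not code from the original post or from Forensiq; the event format, the foreground flag, the app and device names, and the 10-per-minute cut-off are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed cut-off; the post only says hijacking apps reach up to 20 placements/minute.
MAX_PER_MINUTE = 10
WINDOW = timedelta(seconds=60)

def build_sample():
    """Constructed events: (ISO timestamp, device_id, app_id, app_in_foreground)."""
    events = []
    # Hijacked pattern: 20 impressions in under a minute while backgrounded.
    for i in range(20):
        events.append((f"2016-01-05T10:00:{i * 3:02d}", "dev-a", "com.example.flashlight", False))
    # Ordinary pattern: two foreground impressions per minute.
    for m in range(3):
        for s in (5, 35):
            events.append((f"2016-01-05T10:{m:02d}:{s:02d}", "dev-b", "com.example.news", True))
    # Burst straddling a minute boundary: 6 + 6 impressions within 15 seconds.
    for m, start in ((0, 50), (1, 0)):
        for s in range(start, start + 6):
            events.append((f"2016-01-05T10:{m:02d}:{s:02d}", "dev-c", "com.example.game", True))
    return events

def flag_suspicious(events, max_per_minute=MAX_PER_MINUTE):
    """Return {(device_id, app_id): reasons} using a sliding 60-second window."""
    recent = defaultdict(deque)
    findings = defaultdict(set)
    for ts, device, app, foreground in sorted(events):
        key, now = (device, app), datetime.fromisoformat(ts)
        window = recent[key]
        window.append(now)
        # Drop impressions that fell out of the last 60 seconds.
        while now - window[0] >= WINDOW:
            window.popleft()
        if len(window) > max_per_minute:
            findings[key].add("rate")        # too many placements per minute
        if not foreground:
            findings[key].add("background")  # impression while app was minimized
    return {key: sorted(reasons) for key, reasons in findings.items()}

if __name__ == "__main__":
    for key, reasons in flag_suspicious(build_sample()).items():
        print(key, reasons)
```

The sliding window matters here: the `dev-c` burst is split 6 / 6 across two calendar minutes, so counting per fixed minute bucket would miss it.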


Another tool that advertisers have in combating ad fraud (or at least not suffering financially from it) is their ability to negotiate the terms of insertion orders with networks. Advertisers should explicitly exclude “disqualified conversions” (or app installs that weren’t generated by humans, according to the targeting and ad type parameters defined in the IO) from their payment terms. This of course again places the burden of proof on the advertisers, but it also gives them a mechanism for avoiding payment on fraudulent installs.