How CTIT (Click to Install Time) is Used to Detect Mobile Ad Fraud

How CTIT (click to install time) is Used to Detect Mobile Ad Fraud
Reading Time: 6 minutes

CTIT is a buzzword that is gaining interest in the community of marketing and advertising professionals globally. But what exactly is CTIT (click-to-install-time) and how it is used to prevent and detect ad fraud? We take a look at this and give a (slightly) detailed explanation as to how we use a CTIT distribution model to detect and prevent click spamming and click injection. 

 

Pro-tip: CTIT distribution is completely different for click spamming vs. click injection. We’ll explain how. 

 

What is CTIT?

  • Click-to-install-time or CTIT is defined as the time interval between when the ad was first clicked, to the time when the app was first opened. Non-organic installs are only attributed after the first open. That means, if a user downloads your app and it sits idly on the background, it won’t be counted as an install until that user first opens your app under user acquisition. 
An example of a normal CTIT distribution

 

What is CTIT in Ad Fraud?

  • Generally, CTIT is ad fraud detection terms, is a pattern of distribution of click-to-install-times. CTIT distribution pattern can be used to detect ad fraud, such as click spamming (click flooding) or click injection (click hijacking). This is done through comparing an ad network’s or sub-publisher’s distribution of CTIT against normal distribution of CTIT. As we are comparing distribution to distribution, outlier CTIT data should not affect this comparison. 

 

What Does CTIT Tell Us?

  • CTIT distribution is a method to detect a fraudulent publisher, sub-publisher, affiliate or ad network, as it works through compiling all of their CTIT data across multiple installs, possible from multiple different campaigns and apps. Thus, if one sub-publisher displays an alarming CTIT distribution, that is highly incongruent to a normal distribution, it can be an indication that the sub-publisher is fraudulent, and may be grounds to block all clicks and installs from that sub-publisher. Both in real-time and after the fact. Thus, this method of detection works on the publisher level. 

 

Using CTIT to detect Click Spamming

CTIT is one data point used to detect a potential click spammer. Click Spamming is when fraudulent clicks are sent to an MMP hoping to be mistakenly attributed to a genuine organic install. This means that advertisers end up paying for what was actually an organic install. One indication of click spamming is when there abnormally long CTIT distribution, indicating that there was a lot of time from the first click, to the eventual install. The reason why this is so, is because click spammers will send the fraudulent clicks, and will have to wait for a potential (if any) organic install to occur. This could take minutes. This could take days. This could take weeks. But it cannot take months. Attribution tools have a 28 day window for which such clicks can be attributed to installs.  

 

Within a normal CTIT distribution from a genuine sub-publisher, it is expected to see some installs with a long CTIT. However, when a sub-publisher has an abnormally high incidence of installs with long CTIT this can be a strong indication of click spamming. With other potential indicators, Interceptd will block that sub-publisher and block any future clicks and installs sent from that sub-publisher, if they are deemed as a click spammer.

Additionally, any past installs that were paid for, can be disputed if a sub-publisher is deemed to be a click spammer. 

How CTIT (click to install time) is Used to Detect Mobile Ad Fraud
This is an example of a click spamming CTIT distribution.

Using CTIT to detect Click Injection

Click injection only occurs on Android devices. We will explain why below. Although click spamming and click injection are rather similar in their methodology (somewhat), their CTIT pattern differs greatly. Click injection is when fraudulent clicks are sent to the MMP immediately after a genuine paid or organic install has begun. 

 

This happens because, Android has a default function that broadcasts to all apps, whenever a new app is being downloaded. Thus, fraudsters have cottoned on to this fact, and developed trojan adware apps that look innocent, however, are designed to send fake clicks, immediately after a genuine install have begun. Due to “last-click attribution” the MMP may mistakenly attribute that genuine install to the fraudulent click, as it was the last click received. 

 

How are these fraudulent adware apps able to go undetected? These apps usually disguised as simple, yet innocent uni-functional apps, such as a flashlight, alarm clock or notepad app. Such adware apps might not seem like a rarity, however, last year alone, Google deleted over 700,000 malicious and adware apps. This adware app will most likely perform the function as described, however, also be sending fraudulent clicks, from the device to the MMP. That is click injection. 

 

As click injection tries to exploit “last-click attribution”abnormally high incidence of low CTIT is usually an indication of click injection. Again, sometimes installs can have fast CTIT. Perhaps they have fast internet, or the app in question is small in size. However, too many short CTIT does not follow a normal distribution of a non-fraudulent sub-publisher. 

 

We use a deterministic method to reject specific installs that are due to click injection. We detect click injection by comparing the google play referrer times (google play page landing time and install begin time) with first open time of the installed app. If any click occurs after those google play referrer times the install is rejected as click injection. CTIT does have some usefulness for detecting click injection, however, it is mostly beneficial educate our customers, why certain clicks and sub-publishers are rejected.  The method we use most, to catch click injection is to use google play referrer times. we can even delete the click injection part if you like.

 

This combined with other data points may indicate that a sub-publisher is fraudulent, and therefore Interceptd will block that sub-publisher and any clicks and installs sent from them. Again, this is blocking on the sub-publisher level. Additionally, like click spamming, this blocking is done in real-time (before the install) and additionally once a click injector is identified a refund can be requested from the ad network for previously paid for installs. 

 

We don’t have a strict rule-set, such as “block everything that has a CTIT comes under 5 seconds”. However, we do compare installs from the same app and campaign across different sub-publishers, to establish a normal distribution and identify any anomalies and block accordingly. 

How CTIT (click to install time) is Used to Detect Mobile Ad Fraud
An example of a CTIT distribution that is indicative of click injection

 

Some CTIT Exceptions to the Rule

The following are circumstances that might lead to abnormally high or low CTIT:

  1. Waiting to download from a secure, fast or cheaper connection. Some people will click on the install button, then press pause and wait to download at a more convenient time. This will usually be because the person might be waiting for a secure internet connection, or to use WIFI to save on mobile data charges. 
  2. An App might be buggy or too large: some apps are simply too big, or have some errors encountered. This might cause an abnormally large CTIT time, due to download issues.
  3. Have app. Don’t open. However, see and ad. Click, and then open the already installed app. Not very common, and thus this outlier affect is usually decreased in a normal distribution of CTIT. 

 

Because of such outlier circumstances, it is best not to have deterministic rules, that simply block clicks and installs based on a very rigid criteria being met. Thus, it is better to look at an overall distribution pattern of CTIT which usually will decrease the effect of outliers.

 

Final Thoughts on CTIT

One explained, CTIT can seem simple. To an extent, it is. However, it is just one of the data points, along with many others used to detect ad fraud. Another crucial point of information is that we use probabilistic and deterministic prevention. CTIT is probabilistic. This means that if we observe abnormal CTIT we do not automatically block that sub-publisher, as sometimes there are genuine reasons for this. However, machine learning does work with our proprietary algorithm to analyze this in conjunction with other data points to evaluate the sub-publishers potential fraudulence. At that point, it is either blocked or alarmed. 

 

If you’d like to see one of our friendly consultants analyze the CTIT and many other data points of your campaigns, then book free trial here. Most customers received an ROI on our ad fraud tool within the first month and are pleasantly surprised at the ease of use of our tool.