What is Click Injection?

Click injection is a technique for achieving last-click attribution in CPI campaigns. It is triggered on Android phones when an attacker includes application code that uses the Android “Install Broadcast” feature to monitor new installations on a user’s device continually. The publisher can send false or fake clicks just prior to billable post-install events based on this information. These clicks are not sent prior to installation (such as spamming) but immediately after the actual installation begins. This goal is for the MMP to see the last rogue click (since the rogue click is sent after the genuine install has started) and therefore mistakenly attribute the installation to the rogue click instead.

Click injection damages

Click injection creates a negative cycle in which the advertiser continues to pay someone else for users they would have acquired in the normal way (or at least through other marketing channels). It grabs organic traffic, tags it without the user’s knowledge, and then demands credit for it. This spoils the accuracy of the marketer’s data and interferes with making accurate decisions.

Mobile ad fraud has been particularly active in recent years. One serious scam involved an ad scheme that cost Google and its partners approximately $10 million in losses, while the scammers were making up to $75 million a year from fake ads. It can be assumed that the total damage from ad fraud could be in the billions. Trend Micro MARS also reported 1,088 apps containing a fraudulent SDK. Those found on Google Play have already been disabled, but they’ve already caused significant damage – these apps have been installed 120,293,130 times.

Detecting click injection

Click spam is massive, and mobile measurement partners are doing everything they can to protect customers from these attacks. This can be done by looking at the click distribution because click-through spam sources cannot behave the same way as real traffic. To detect click injection, mobile measurement partners or companies need to track the timestamps of when the user started the install and when the install is complete on the device.

By having access to this information, we can prove that the user’s intent to establish arose prior to filing a fraudulent claim. This way, these claims can be detected prior to attribution, which means ad spending is protected from click injection fraud. Users can take their time to install and open the app, which means that even with the introduction of a click, the time that the user opens the app may be out of bounds.

Defending of ad fraud

While these are the most common types of ad fraud, the targets are always changing, and new forms of digital fraud are emerging almost daily. And since this practice is not prohibited by law, it can be very difficult to minimize or even become aware of your exposure to ad fraud. There are several things you can do to restrict access to these potentially expensive methods. Some things you can do with your campaign of PPC; others will involve paid services. Depending on the potential gain or loss, you can weigh what is best for your business.

Conclusion

Scammers are always looking for more sophisticated ways to steal an advertiser’s budget, so choosing a reliable mobile scoring partner to combat these attacks actively is essential. When choosing a partner, make sure that you are protected from all types of mobile ad frauds or click injections and that they can explain how their protection or prevention systems are sufficient to prevent fraudsters from stealing your ad spend. It would help if you also considered the consequences of SDK spoofing and how your MMP plans to protect you from this increasingly prevalent threat.