
Performance fraud, unpacked

Paid content

By Tom Armstrong, Corporate Sales Manager, Impact EMEA

Performance fraud never goes away, and it targets both web and mobile environments. On the web, the malicious scheming of unseen villains has forced us to coin terms such as click spoofing and toolbar injection, as well as strategies to combat such activities.

In mobile, where we tend to assume the environment is a more controlled one, the danger of performance fraud is actually every bit as great, and it takes distinctive forms, focusing essentially on install attribution fraud and install fraud.

What is it? How does it work? What does it look like?

Knowledge is power, so here’s our guide to the most common forms of performance fraud afflicting the mobile advertising ecosystem.

Install attribution fraud

When unscrupulous partners exploit advertisers’ cost-per-install (CPI) campaigns by stealing or fabricating credit and then collecting revenue for driving an app install, it is known as install attribution fraud. We identify four main techniques:

Click flooding

By hijacking a user’s phone, a malicious publisher can trigger fake clicks for hundreds of legitimate app ads without the user knowing. This is click flooding, and the clicks are intended to game advertisers’ CPI attribution models by attributing credit for any subsequent app install to the unscrupulous hijacker – even though he provided no value in driving the install.

Click injection

Click injection is an Android-only scam in which a bad actor plants code that continuously monitors a user’s device for new installs. Based on this information, the publisher can send fake clicks just before payable post-install events occur, in order to snatch unearned last-click attribution in CPI campaigns.

Click spoofing

When advertisers rely on their affiliate publishers to self-report mobile click events server-side, click spoofing can occur. This is when a publisher triggers a “spoof” mobile click-tracking event in the absence of a legitimate click, claiming attribution for organic installs or installs driven by other legitimate partners.


Malvertising

One more method of corrupting install attribution models, malvertising is the practice of using ads injected with malicious code to send users to app store pages without their consent. Not only do the often-innocent publishers who inadvertently host this malvertising suffer for providing poor user experience, but the malicious party may later claim credit for any future app install.
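
One way a defender could screen attribution logs for the click flooding and click injection patterns described above, as an added example that is not part of the original article. The record fields, the use of first open as the payable post-install event, and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample data. Field names, timestamps (seconds) and thresholds
# are assumptions for illustration, not any attribution provider's format.
CLICKS = (
    [{"publisher": "pub-1", "device": "dev-A", "app": f"app-{i}", "ts": 100 + i}
     for i in range(8)]                      # 8 different apps in 8 seconds
    + [{"publisher": "pub-2", "device": "dev-B", "app": "app-1", "ts": 500}]
)
INSTALLS = [
    # credited click lands after the package was installed, before first open
    {"publisher": "pub-3", "device": "dev-C", "app": "app-2",
     "click_ts": 1010, "install_ts": 1000, "first_open_ts": 1015},
    # ordinary order: click, then install, then first open
    {"publisher": "pub-2", "device": "dev-B", "app": "app-1",
     "click_ts": 500, "install_ts": 620, "first_open_ts": 700},
]

def flag_click_flooding(clicks, window=60, max_apps=5):
    """Return (publisher, device) pairs that clicked ads for more than
    max_apps distinct apps inside any `window`-second span."""
    by_source = defaultdict(list)
    for c in clicks:
        by_source[(c["publisher"], c["device"])].append((c["ts"], c["app"]))
    flagged = set()
    for source, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window until it spans at most `window` seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            apps = {app for _, app in events[start:end + 1]}
            if len(apps) > max_apps:
                flagged.add(source)
                break
    return flagged

def flag_click_injection(installs):
    """Return installs whose credited click arrived only after the app was
    already on the device but before the payable first-open event."""
    return [i for i in installs
            if i["install_ts"] <= i["click_ts"] <= i["first_open_ts"]]

if __name__ == "__main__":
    print("flooding:", flag_click_flooding(CLICKS))
    print("injection:", [(i["publisher"], i["device"])
                         for i in flag_click_injection(INSTALLS)])
```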

Install fraud

Bad actors game advertisers’ CPI campaigns by collecting revenue for driving suspicious app installs where installers have no intention of actually using the app. This is called install fraud, and here are the most common strategies:

Install farms

Install farms employ hundreds of low-cost workers with real phones to install the apps of advertisers who reward partners on a CPI basis.

Device ID reset marathons

Device ID reset marathons effectively industrialise fake installs by resetting the device ID of an install farm worker between each app download – to give the impression that the installs are happening across many different devices, instead of just one in the hands of a fraudster.

Inauthentic engagement

If post-install engagement constitutes an advertiser’s payable event, malicious publishers may use paid human engagement farms or scripted retention to enact or automate it and then claim credit. For example, a bad actor may navigate past a certain level in a game to simulate authentic user engagement.

Incentivized traffic

Some affiliates incentivise installs by sharing their commissions with end users via benefits such as rebates, social gaming credits or donations to causes. When this incentivised traffic is unlabelled or mislabelled as non-incentivised traffic, it fraudulently collects a higher CPI pay-out than it is actually worth to the advertiser.

Proxy tunneling

Proxy tunneling occurs when a malicious app, installed across many mobile devices, installs malware that effectively converts those devices into a mobile botnet. The botnet is in turn remotely controlled by a botnet operator, who can leverage the hijacked IP addresses of the devices to mask the operator's own location while committing install fraud on a large scale.