Home Mobile Google Shares Play Store Data To Stamp Out Mobile Click Injection Fraud

Google Shares Play Store Data To Stamp Out Mobile Click Injection Fraud


Google is opening up an API to stop fraudsters from stealing credit for app installs, and mobile measurement and attribution platform Tune is an early adopter.

The API, which was fully integrated into Tune’s platform Monday, enables Google to share data with partners about the exact time an app install is initiated in the Play store.

Knowing that bit of info allows attribution providers to pinpoint any fishy-looking clicks that take place between the download and the first time an app is opened, which is the point at which credit for the install is doled out.

Bad actors increasingly are trying to grab credit for app installs – organic app installs, in particular – through a practice known as click injection, primarily an Android problem, by insinuating themselves into those moments between the download and the initial open.

Android is particularly vulnerable to click injection fraud because the OS broadcasts new app-install alerts at the system level to other previously installed apps.

While those alerts are helpful for app integration and interoperability, bad actors can use malware to see when a new app is downloaded. The malware then generates fake server-side clicks from the device between when the install initiates and app is opened.

What’s insidious about this form of fraud is that it tricks developers into paying for organic installs.

“Advertisers pay for advertising, they see supposed performance, but then there’s no incremental growth of their business,” said Tune CEO Peter Hamilton.

It’s also tough to detect because it looks like the click is coming from a legit device, and that messes up analytics. App marketers are led to believe that their paid media is more effective than it is, while fraudsters take credit for installs that would have happened anyway.

Although it’s difficult to know exactly how much money is being lost to click injection, Tune reckons that it’s at least a $700 million-a-year problem with the potential to grow if left unchecked. The company estimates that click injection represents about one-third of mobile app install fraud overall.

The difference between click injection and click spamming is the precision of the operation. Spammers generate as many clicks as possible hoping that one snags credit right before an open. With injection, the fraudster knows exactly when the download is happening.


AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

“In that instant, you only need one click to get credit,” Hamilton said.

But by combining click-to-install reports at the attribution provider level that track the lag time between a click and an install with deterministic time-stamp data from Google Play, it’s possible for Tune clients like Hotels.com to suss out abnormal click behavior and block the bad ones.

Although Hotels.com is eager to spend in the paid acquisition space, said Oliver Mills, the brand’s global mobile marketing manager, “the infrastructure isn’t there to scale without fear that you are shoveling your money into a big fraud fire.”

It’s troubling to Mills that some ad networks still aren’t addressing the issue proactively, which indicates that the incentives aren’t yet aligned.

“Clearly there is a substantial portion of their clients who are happy to keep spending blindly or else the ad networks would have been forced to adapt,” he said. “Without a large scale change of mindset from advertisers, black hat methods will always prevail as the easiest way to reach those targets.”

And, the fact is, prevention is always better than treatment, Mills said, which is why it makes sense to combat click injection at the source.

Collaborating with the platforms to cut down on app-install fraud will soon become ubiquitous across the mobile attribution space, Hamilton said.

“We’re expecting that this will become an industry standard,” he said. “Everyone working together is the only way to make sure click injection isn’t a problem any of us have to deal with anymore.”

Must Read

shopping cart

Moloco Invests In Its Competitor Topsort As The Retail Media Stakes Go Up

Topsort can lean into Moloco’s algorithmic personalization, while Moloco benefits from Topsort’s footprint with local retailers in the US and in Latin America.

CDP BlueConic Acquires First-Party Data Collection Startup Jebbit

On Wednesday, customer data platform BlueConic bought Jebbit, which creates quizzes, surveys and other interactive online plugs for collecting data from customers.

Comic: The Showdown (Google vs. DOJ)

The DOJ’s Witness List For The Google Antitrust Trial Is A Who’s Who Of Advertising

The DOJ published the witness list for its upcoming antitrust trial against Google, and it reads like the online advertising industry’s answer to the Social Register.

Privacy! Commerce! Connected TV! Read all about it. Subscribe to AdExchanger Newsletters

Why Vodafone Is Giving Out Grades For Its Creative

One way to get a handle on your brand creative is to, well, grade your homework, according to Anne Stilling, Vodafone’s global director of brands and media.

Inside The Fall Of Oracle’s Advertising Business

By now, the industry is well aware that Oracle, once the most prominent advertising data seller in market, will shut down its advertising division. What’s behind the ignominious end of Oracle Advertising?

Forget about asking for permission to collect cookies. Google will have to ask for permission to not collect them.

Criteo: The Privacy Sandbox Is NOT Ready Yet, But Could Be If Google Makes Certain Changes Soon

If Google were to shut off third-party cookies today and implement the current version of the Privacy Sandbox, publishers would see their ad revenue on Chrome tank by around 60% on average.