Mobile use and mobile fraud are both on the rise in a big way. According to Statista, “In 2024, consumers are projected to spend almost $171 billion on purchases from public app stores (Google Play and Apple’s App Store).” The huge increase in consumer mobile app usage over the past 12 months has been met with an even more dramatic increase in mobile fraud, as cyber-criminals rush to capitalize on the huge amounts of money flowing through mobile apps (e-commerce purchases in retail and shopping apps, mobile gaming, mobile advertising, mobile banking and money-transfer apps, and more).
Fraudsters have taken notice and are doubling down, focusing their resources and attacks squarely on mobile apps to divert as many of those dollars into their own pockets as possible. One of their favorite ways to cash in is mobile click fraud. A recent study by ClickCease estimated that mobile click fraud costs advertisers and publishers over $24 billion, a figure up 64% from last year. The problem has become so pervasive that the Interactive Advertising Bureau (IAB) says “click fraud has never been a bigger threat to the mobile industry.” Estimates vary, but they indicate that up to 50 percent of all publisher traffic comes from malicious bots. In mobile games, click fraud takes the form of cheating tools that simulate and automate game maneuvers and actions to gain an advantage in the game, a.k.a. speed hacking.
However you slice this number, there is no question that mobile click fraud is a huge problem for any mobile advertiser, publisher or studio, as well as for their customers, gamers and users. In the world of mobile click fraud, everyone loses except the fraudsters.
What Is Click Fraud?
Click fraud is a type of digital fraud that occurs in online pay-per-click (PPC) advertising. In this model, the owners of apps that display mobile ads to their users are paid based on how many people click on the ads, on the assumption that a click indicates genuine interest in a product or service. Click fraud occurs whenever clicks are fake or illegitimate, either as an attempt to take credit for a successful action the fraudster had no part in (e.g., claiming credit for app installs via click injection) or by generating completely fabricated clicks behind which there is no actual intent or interest in the product or service. In all cases, the motivation for click fraud is money: the fraudster attempts to take a cut of advertising revenue that it did not rightfully earn.
There are many methods and techniques fraudsters use to generate fake clicks. Most of the time, click fraud is carried out by automated programs (scripts or bots), sometimes in very high volumes (as in click spamming) and sometimes at strategic, well-timed points in the engagement process, usually acting on information the fraudster obtains by spying on user activity (as in click injection). Below is a list of some of the top click fraud methods used in mobile ad fraud and mobile game cheating:
The Top 7 Click Fraud Methods
Click Bots
Click bots are automated software programs or scripts specifically crafted to generate large volumes of invalid clicks, for instance to simulate humans clicking on an ad, or to cheat in mobile games by overwhelming a target or gaining an advantage in the game.
Click Spamming / Click Flooding
A click flooding network sends large numbers of fraudulent click reports in the hope that one of them will be credited with attribution for a user action that results in an ad payment (such as the final click right before the user makes a purchase or clicks on a video advertisement).
Click Injection / CTIT Anomaly
Here, a fake app generates simulated clicks at a precisely chosen moment while the user is installing a real app, in an attempt to take credit for the install (and get paid for the fake ‘attribution’). This is sometimes achieved with the help of an Android app installed on the device that runs in the background and listens for the ‘broadcast’ messages the system sends whenever the user downloads or installs a new app (this is how the fraudulent app knows when to generate fake clicks). The fraudster then triggers a flood of fake clicks at the very last second, just before the real app install completes, and takes credit for the install. The telltale sign is an abnormally short click-to-install time (CTIT), which is why this method is also described as a CTIT anomaly.
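The click flooding and click injection patterns above both leave a signature in the gap between the last attributed click and the install. The following is an added detection example (not code from the original article or from Appdome) that runs over a constructed attribution log; the device ids, network names, log format and thresholds are all assumptions.

```python
# Added example (not from the original article): flag click-to-install time
# (CTIT) anomalies in a constructed attribution log. Short CTIT -> click
# injection; many stale clicks or a very long CTIT -> click flooding.
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one event per line: event,device_id,source,ISO timestamp
SAMPLE_LOG = """\
click,dev-A,net-1,2024-03-01T10:00:00
install,dev-A,,2024-03-01T10:00:03
click,dev-B,net-2,2024-03-01T08:00:00
click,dev-B,net-2,2024-03-01T09:00:00
click,dev-B,net-2,2024-03-01T10:00:00
install,dev-B,,2024-03-02T12:00:00
click,dev-C,net-3,2024-03-01T10:00:00
install,dev-C,,2024-03-01T10:05:00
"""

def parse_log(text):
    """Group events by device: {"clicks": [(ts, source), ...], "install": ts}."""
    devices = defaultdict(lambda: {"clicks": [], "install": None})
    for line in text.splitlines():
        event, dev, source, ts = line.split(",")
        when = datetime.fromisoformat(ts)
        if event == "click":
            devices[dev]["clicks"].append((when, source))
        elif event == "install":
            devices[dev]["install"] = when
    return devices

def classify_installs(text, short_s=10, long_s=24 * 3600, flood_clicks=3):
    """Return {device: verdict} for each install; thresholds are illustrative."""
    verdicts = {}
    for dev, rec in parse_log(text).items():
        install = rec["install"]
        if install is None:
            continue  # clicks with no install: nothing was attributed
        prior = [t for t, _ in rec["clicks"] if t <= install]
        if not prior:
            verdicts[dev] = "organic"  # no click to attribute the install to
            continue
        ctit = (install - max(prior)).total_seconds()  # last click -> install
        if ctit < short_s:
            verdicts[dev] = "injection"  # click landed seconds before install
        elif ctit > long_s or len(prior) >= flood_clicks:
            verdicts[dev] = "flooding"  # many or stale clicks hoping to match
        else:
            verdicts[dev] = "ok"
    return verdicts
```

In production the thresholds would be tuned per campaign from the observed CTIT distribution rather than fixed constants.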
SDK Spoofing and App Spoofing
In this type of ad fraud, the attacker’s goal is to pose as either a legitimate app publisher or a legitimate SDK inside an app publisher’s app. The attacker then uses any number of techniques to redirect traffic to the fake app or SDK and rack up fraudulent clicks for which they are then paid. Fraudsters sometimes achieve this using automated bots and/or other malware embedded inside mobile apps that masquerades as a legitimate SDK. The malware is often hidden, dormant or obfuscated so that the app passes Google’s and Apple’s security and app store checks. Once the rogue SDK is integrated into a mobile app, the malware inside it comes to life and starts performing its intended malicious function, for example using an auto-clicker to generate fake clicks on ads and flooding an ad network with fake clicks in an effort to take credit for ad impressions. All of this fraudulent activity diverts attribution revenue away from legitimate publishers and into the pockets of the fraudsters.
Auto-Clickers and Speed Clickers
These clickers automate high-volume, repetitive click actions, typically for cheating in games where rapid-fire actions earn in-game value or points. The same automated programs are also used in mobile ad fraud, during click injection attacks or to generate a large number of fake clicks on an advertisement in a very short period of time.
These tools automate multiple actions, or a long sequence of actions, in a single click. They are often used to cheat in mobile games or to imitate human behavior in a more ‘realistic’ manner than brute-force speed clickers. For example, instead of brute-force clicking a ‘buy me’ button 1000 times, the bot would imitate the behavior an actual human might exhibit when browsing online, such as browsing the site, interacting with other content or links, clicking on a product description or spec, and only then clicking the ‘buy me’ button.
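Brute-force speed clickers are the easiest of the two tool types above to spot, because their tap cadence is faster or more regular than a human can produce. The following is an added example (not from the original article or from Appdome) that scores constructed per-device tap timings; the session data, the 120 ms human floor and the 5% regularity cutoff are assumptions, and sequence bots that imitate browsing would need behavioral checks beyond this.

```python
# Added example (not from the original article): flag tap series whose
# cadence is inhumanly fast or machine-regular, the brute-force signature
# of speed clickers. Thresholds are illustrative assumptions.
from statistics import mean, pstdev

# Constructed per-device tap timestamps, milliseconds since session start.
SESSIONS = {
    "human": [0, 420, 910, 1300, 1950, 2480, 3100],
    "speed-clicker": [0, 50, 100, 150, 200, 250, 300, 350],
    "metronome-bot": [0, 800, 1600, 2400, 3200, 4000, 4800],
}

def cadence_features(timestamps):
    """Return (mean_gap_ms, coefficient_of_variation), or None if too few taps."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else 0.0)

def is_suspicious(timestamps, min_interval_ms=120, min_cv=0.05):
    """True when taps beat the assumed human floor or are too evenly spaced."""
    feats = cadence_features(timestamps)
    if feats is None:
        return False  # not enough taps to judge either way
    mean_gap, cv = feats
    return mean_gap < min_interval_ms or cv < min_cv
```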
Abusing Accessibility Services
Accessibility services are designed to help users with disabilities. They run in the background and receive callbacks from the system when accessibility events fire, which lets them react to state transitions in the UI (e.g., focus changed, a button was clicked, or content in the active window was queried). These services also typically run with a higher level of administrative privilege. For this reason, accessibility services are a frequent target for abuse by fraudsters. When abused, they are used to perform click actions (either to commit click fraud or to cheat in mobile games), read and write SMS messages and emails, intercept and read two-factor authentication codes, steal cryptocurrency keys, and more.
Recommendations to Mobile App Developers
The best defense against mobile fraud is to prevent it from occurring in the first place. Appdome’s No Code Mobile Fraud Prevention offers developers, publishers and studios an easy way to stop mobile fraud at the source. Using Appdome’s no-code technology, developers or fraud specialists can build pre-emptive and defensive protections into any mobile app in minutes, equipping the app with the intelligence it needs to prevent fraud from occurring.
Give Appdome a try today. Get started at https://fusion.appdome.com