arrow left facebook twitter linkedin medium menu play circle

Digital Fraud Wiki

Your source for the latest fraud intelligence, insights, research, and commentary.

App Install Fraud

What is App Install Fraud?

App Install fraud is when fraudsters engage in generating fake downloads and installs using automated tools or cheap human labor. There are many victims of app install fraud app. These include everyone from app customers who unwittingly download fake apps that subsequently get hijacked for malicious purposes, to marketers unknowingly paying out millions of dollars in ad spend for installs that are not legitimate.

Recent studies predict the continuation of massive growth in app install spend—upwards of $64 billion by 2020. Current estimates vary as to the percentage of this spend that will be impacted by fraud, but as reported by Inc. magazine, it’s likely to be around 25%. This represents overwhelming opportunity for fraudsters who are growing increasingly adept at using sophisticated techniques to circumvent detection and scale their malicious operations. 

What Should Companies Know About App Install Fraud?

Research and analysis from DataVisor indicate that 26% of app install fraud comes from Device ID Reset fraud. In these instances, fraudsters create massive “farms” of mobile devices that are used to leverage ad networks and install apps numerous times to receive significant payouts from advertisers. Resetting device IDs enables fraudsters to bypass fingerprinting detections and give the appearance that each app install is from a new mobile phone. 

Other techniques include: 

Device Emulators: A device emulator mirrors every aspect of the original device’s behavior, both for hardware and software. It simulates all of the hardware used by the real device, enabling the same app to run on it unmodified. Fraudsters use these devices to download and install high volumes of apps, creating the illusion that the installs are from new devices and legitimate users.

Install farms:  App install farms are real physical locations that hire financially vulnerable workers from regions with low labor costs to install and engage with apps. These “farms” make it possible for scammers to operate at scale by generating activity that emulates legitimate users such as downloading and installing apps, clicking on mobile ads, opening apps, interacting with apps, resetting Device IDs, and changing IP addresses. 

Click Injection Apps: Some fraudsters create malicious apps which are published on multiple app stores. Once a malicious app is downloaded and installed, it generates fake clicks that appear to originate from the website of the malicious publisher. The malicious app detects when other apps are downloaded on the device, and then injects clicks after the downloaded is completed, but before the app is installed. These click injections allow fraudsters to receive credit and payment based on fraudulent installs. 

How to Prevent App Install Fraud

The only way fraudsters can monetize fraud of this type is to operate at scale. The ability to do so is a critical advantage for fraudsters, but it’s also what allows us to detect and neutralize their efforts.

To operate at this kind of scale requires coordination across a wide array of geos, devices, systems, users, accounts, and more. A sophisticated fraud management solution, such as DataVisor’s dCube can expose the actions and actors behind this coordinated activity. dCube empowers organizations to go beyond individual incident review to enable holistic data analysis. By viewing users, accounts, and activities as a whole rather than individually, the system can unearth correlated patterns that reveal coordinated activity and expose the connections between seemingly disparate accounts and actions. Drawing on the power of proprietary unsupervised machine learning algorithms, companies can discover clusters of linked accounts and make bulk decisions to save time, without the need for training or labeling data. In this way, organizations can prevent app install fraud before money is lost to app install fraud.