The Mobile UA Fraud Playbook: How Operators Detect Emulator Farms, Click Injection and Fake Installs
Mobile ad fraud is not an edge case; on open programmatic exchanges it is a line item. Industry estimates consistently place invalid traffic in the double-digit percentage range of app-install spend, and the fraud is designed to look exactly like the KPI you optimize for. This is the detection playbook we'd hand any UA team.
Know the four dominant schemes
Emulator and device farms. Hundreds of virtual or physical devices generating installs, opens, and even early-funnel events. The tell is uniformity: identical device models clustering on one sub-publisher, sequential-looking device parameters, GPU/sensor fingerprints that don't match claimed hardware, and time-zone or language settings inconsistent with the geo.
Click injection. Malware on real devices fires a click the moment a legitimate install begins, stealing attribution from the channel that actually earned it. The signature is impossibly short click-to-install time (CTIT) — installs attributed seconds after the click. Any source with a CTIT distribution spiking under ~10 seconds is stealing, not driving, installs.
Click spam / click flooding. Networks fire massive volumes of fake clicks hoping to win last-click attribution on organic installs. The mirror image of injection: abnormally long and flat CTIT distributions, very low click-to-install conversion rates, and a suspicious lift in "attributed" installs that tracks your organic baseline.
Incentivized and misattributed junk. Real humans, worthless intent — users paid or misled into installing. Looks clean at the install level, collapses at retention: D1 retention a fraction of your organic benchmark and near-zero deep-funnel events.
The detection stack, in order of leverage
- CTIT distribution analysis. The single highest-value fraud report. Pull click-to-install time curves per source and sub-publisher. Healthy traffic forms a log-normal hump over minutes-to-hours; injection spikes at seconds; spam drags a long flat tail.
- Retention-curve comparison. Plot D1/D7/D30 per source against your organic curve. Fraudulent cohorts don't decay like humans — they cliff. A source at half your organic D1 with flat D7 is buying you spreadsheet rows, not users.
- Device integrity signals. Google Play Integrity API (and App Attest on iOS) verdicts flag emulators, rooted devices and tampered clients at the platform level. Commercial device-fingerprinting layers add cross-app history: a "new" device seen resetting its ID 40 times is not new.
- New-device-rate and IP anomalies. Sources delivering implausible shares of never-before-seen device IDs, or clusters resolving to data-center IP ranges, are farms by definition.
- Sub-publisher granularity. Fraud hides in aggregates. A network can look acceptable overall while three sub-publishers supply all the junk. Demand transparency and blacklist at the sub-publisher level, or assume the network's average is laundering its worst suppliers.
Process beats tools
Run a weekly fraud review with three artifacts: CTIT curves by source, retention curves by source versus organic, and a rejected-install report from your MMP. Negotiate contracts with fraud clawback clauses before scaling a new channel — post-hoc refund conversations without contractual teeth recover pennies. And re-baseline quarterly: fraud adapts to whatever KPI you pay on. When you start optimizing to D7 events, the farms start faking D7 events; the arms race is the job.
Frequently asked questions
What percentage of mobile ad installs are fraudulent?
Estimates vary by channel and region, but industry studies consistently place mobile install fraud in the range of 10–30% of paid installs on open exchange and affiliate traffic, with much lower rates on self-attributing networks like Meta and Google. Emerging-market reward and OEM traffic skews highest.
What is click injection and how do I detect it?
Click injection is when malware on a user's device fires an ad click the instant an app install begins, stealing attribution for an install another channel or organic demand actually drove. Detect it with click-to-install time (CTIT) analysis: attributed installs with CTIT under roughly 10–15 seconds are physically implausible and indicate injection.
Are installs from emulators always fraud?
For consumer app UA, effectively yes — a paid install from an emulated device will never become a monetizing user. Platform integrity APIs (Google Play Integrity, Apple App Attest) flag emulators reliably, and sources with elevated emulator rates should be blacklisted at the sub-publisher level.
Which tools help detect mobile UA fraud?
Start with your MMP's fraud suite (AppsFlyer Protect360, Adjust Fraud Prevention, Singular Fraud Prevention), add platform integrity signals (Google Play Integrity API, App Attest), and for high-spend operations layer commercial device fingerprinting to catch ID-reset abuse across apps.