Fake App Installs: The Hidden War in Mobile Advertising
somewhere an advertiser just paid for a million app installs. the dashboard looks beautiful. a clean line climbing all day, a million people who tapped an ad, downloaded the app, and opened it. the cost per install came in on target, and next month’s budget gets approved on the strength of that line.
here is the quiet problem. most of those people were always going to install the app anyway. they saw it in the store, a friend mentioned it, they searched for it by name. they were on their way to download it with no ad involved at all. and at the last possible second, something stepped into the path and claimed the credit.
the advertiser paid full price for a million users they already had. that is the heart of mobile install fraud, and it is one of the strangest corners of the ad economy, because the fraud is not always about fake people. sometimes it is about real people whose actions get quietly stolen.
how an install gets paid
start with how app advertising pays. an advertiser does not just pay to show an ad. they pay when someone installs the app after seeing it, and often they keep paying for what that person does next.
so the chain has stages. an ad is shown. someone taps it. the app store opens. the app installs. the person opens it, signs up, maybe buys something. each of those later actions can carry its own payment, because a user who actually spends money is worth far more than one who installs and vanishes.
that means every install, and every action after it, is a number that triggers a payout. this model exists for a good reason. advertisers got tired of paying for views and clicks that led nowhere, so they pushed the payment toward things that look like real outcomes. the trouble is that solid looking outcomes are also the most valuable ones to counterfeit.
the attribution question
here is the part that makes mobile different. when an install happens, the system has to decide who gets the credit. there might be five different ad networks all showing ads for the same app. when the install finally lands, which one earned it.
answering that is called attribution, handled by a neutral middle layer, a measurement company that sits between the advertiser and all the networks. its job is to look at the install and say, this person touched that network’s ad last, so that network gets paid.
the most common rule is simple. credit goes to the last ad the person touched before installing. last click wins. it sounds fair, and for honest traffic it mostly is. but that one rule is the seam almost all of this fraud pries open.
stealing the last click
think about what last click wins actually rewards. it does not reward the network that convinced you. it rewards whoever was standing closest to the install at the moment it happened. that is a position someone can fight to occupy without convincing anyone of anything.
so the central idea of attribution fraud is not to create installs. it is to make sure that whenever an install happens, for any reason, your fingerprints are the last ones on it. the measurement layer is looking for a click followed by an install. the fraud’s whole job is to manufacture that click, position it right before the install, and let the real user do the actual downloading.
click flooding
the bluntest way to do that is click flooding. the idea is to fire an enormous volume of fake clicks across a huge number of devices, hoping that some of those devices were going to install the app on their own.
think of it as spraying clicks across a crowd. for the vast majority of people the click is wasted, because they never install anything. but for the small slice already on their way to downloading that app, the records happen to show a recent click. when the real install lands, that click was the last one before it. last click wins, and they collect.
what makes click flooding catchable is that it ignores the actual user. there is no real relationship between the click and the install. that shows up in the timing. for a genuine ad, the gap between the tap and the finished install falls in a fairly natural band, a couple of minutes while the store opens and the download runs. click flooding produces a wild spread instead, with installs landing hours or days after the supposed click. it shows up in conversion too. a network sending millions of clicks but earning credit for almost none of them behaves nothing like a real ad source.
click injection
the more precise version is click injection, the same theft done with much better timing. instead of spraying and hoping, it waits to detect that an install is actually starting on a specific device, and inserts its fake click into that exact moment.
on a phone, other software can sometimes notice when a new app is in the middle of installing. an operation positioned to see that signal can fire its click in the narrow window after the download begins but before it finishes. the click lands a few seconds before completion, which to the measurement layer looks like the most convincing case of all, a tap immediately followed by an install.
ironically, injection is often easier to catch than flooding, precisely because it is so well timed. real users do not install apps in seconds. a network whose clicks consistently arrive in the final breath before completion, with almost no natural variation, shows a pattern human behavior never produces. so the same signal catches both. flooding shows gaps far too long and random. injection shows gaps far too short and consistent. honest traffic sits in the messy, human middle.
fake installs
then there is the most direct fraud, where the install itself is fake. no real user is involved. it is produced by a machine, either a rack of real phones run as a farm, or software emulating phones that do not physically exist.
device farms use real handsets, installing apps, opening them, then wiping and doing it again. emulators skip the hardware and pretend to be thousands of phones in software on one server. the more sophisticated ones go further, faking the actions after the install too, the sign ups and in app events that carry the bigger payouts.
emulators tend to leave traces. a software phone often gets small things wrong about the hardware it claims to be, sensors reporting impossible values, a device model that does not match, a graphics signature that belongs to a server. device farms are harder because the phones are real, but scale betrays them. thousands of devices on the same narrow range of network addresses, the same handful of models, freshly reset over and over with no history. and then there is behavior. fake installs tend to open the app once to register, then go silent, or perform a flat scripted imitation of use that looks nothing like a real person.
how detection actually works
put the defensive side together and it comes down to a few questions asked of every install. how long was the gap between the click and the install. does this device look like real hardware. does the network behave like real users. and what did the person do after they opened the app.
none of these is perfect alone. a clever operation can beat any single check. but beating all of them at once, on every install, at the scale that makes fraud worth running, is genuinely hard. the more convincing each fake has to be, the more it costs to produce, and the thinner the profit gets. the measurement layer is, in the end, just trying to answer one question for every payout. was there a real person here who a real ad actually moved.
the rule underneath all of it
the reason mobile install fraud is so stubborn is that the best version hides inside real activity. flooding and injection do not invent users out of nothing. they attach to genuine installs that were always going to happen and skim the payment. you are not hunting for a counterfeit. you are trying to prove a real event was credited to the wrong source, which is a much subtler thing to catch.
step back and the specific tricks matter less than the shape they share. an advertiser wanted to pay for results instead of guesses, so they tied their money to a number. but the moment a number triggers a payment, that number stops being a neutral fact and becomes a target. wherever a counted event triggers a payout, the count itself becomes the thing to fake. the install was just one more number that paid, so someone built a machine to produce it.
The Hidden Internet takes apart the systems that quietly run the modern web, explained from the inside. No products, just the machinery. Subscribe on YouTube.