September 11, 2018
Junk Installs in the taxonomy of mobile ad fraud
“Every user that creates any kind of value has a price point” is the common mantra of user acquisition managers. For this article we focus on the most extreme long tail of the user value curve, the users whose value rounds to zero. After all, a useless user is basically an oxymoron.
The best marketers are laser-focused on eliminating this category of fraud. We call it Junk Installs: the category of install fraud in which a human-driven install did occur but was useless, as with install farms or incentivized ads. We distinguish this from Phantom Installs (an install is reported by the MMP but did not actually occur) and Organic Poaching (which covers misattribution of real installs).
Junk users, by their nature, have terrible or non-existent post-install engagement rates. We recommend mobile growth managers examine all their networks for signs of junk installs and shut down any channels that are sourcing incentivized installs or traffic from install farms.
In this article we review how you can identify and fight against install farms and incentivized installs.
Install farms are offices where workers have access to a large variety of devices and spend their day installing apps. Obviously, these workers never become valuable users of your app.
One way to find install farms is to look for a large number of installs coming from a particular region or IP address. Although you may be able to catch some basic fraudsters this way, it is insufficient because more sophisticated install farms may use VPNs to spoof this information. This check is demonstrated below in Example 1.
We’ve found a better check is to look for cases where there are a large number of old device types. Procuring devices is a major expense for install farms, so they will often buy used devices they can get cheaply. If you see pockets of older device types, or in some cases device types that are not common to your market, you may be buying installs from farms. We cover this in more detail in Example 2.
How to Find Fraudsters: They are so insidious they even remove their shoes and walk around the office barefoot!
Incentivized installs have found a minor niche in the app ecosystem. Less ethical marketers often turn to incentivized installs as a way of juicing their install counts.
Many marketers ask about the difference between reward traffic and incentivized installs, which are often lumped into the same category. Reward traffic generally refers to the practice of giving users an in-app reward (like custom artwork or skipping a level) in return for watching a video. Incentivized traffic will reward users for an install instead of a video view. We generally observe incentivized traffic to be on the downswing because such traffic is mostly useless and often fraudulent. Reward traffic, however, may yield real users and is therefore more common.
How do you combat incentivized installs? If an advertiser is sending you traffic that has worse usage metrics than other channels, you should ask them to provide you additional data for sub-publisher and creative formats. If the CTR or CVR for either of these breakdowns is unusually high, that often suggests incentivized installs are the cause. We review this case in Example 3.
Unfortunately, sophisticated fraudsters have already figured out how to spoof telltale signs of junk installs (i.e., faking device types, using VPNs). They do tend to make one mistake that often reveals them: most junk install operations do not take the time to send out fraudulent impressions.
Therefore, you can ask your networks to send all sub-publisher and impression-level data to your MMP. You can use this to back out the CTR/CVR data by sub-publisher. If you identify any abnormally high CTR/CVR rates, then it may be that the sub-publisher is being used to funnel traffic for fake installs.
We can generally expect a good ad network will see a uniform distribution of IP addresses. If you break down the distribution of IP addresses and see a large count of installs coming from a small number of IP addresses, then something may be screwy.
In this case, one in every six installs came from a single IP address. We investigated and it turned out the fraudsters were running a very amateurish install farm. Although the fraudsters were able to generate a lot of installs, they were not smart enough to cover their tracks and it was easy to bust them.
There may be some oddball cases where a number of installs come from the same IP address. If a number of users share an IP address at a workplace or a school, you may see a few agglomerations within certain IP addresses. However, this will still look more like the first graph (where the concentration grows from, say, 0.2% to 0.4% of the total) than the bottom graph (a whopping 17.2%).
Checking the OS versions from your traffic is an easy check to catch junk installs.
Comparing the distribution of OS versions among these two networks
The exact profile may vary depending on the particular market you are running in, but you should generally expect to see regular users keep their operating system somewhat up to date (blue). If a network is using a lot of old devices (yellow) they are more likely to be fraudulent.
Notice this network has a suspicious profile of OS versions. We see fewer installs from the most recent OS versions, and a disproportionate number of installs from the antiquated OS v4. It’s likely the fraudsters are buying used Android devices for very cheap, but the devices are so old they cannot upgrade to newer versions.
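The IP-concentration check from Example 1 and the OS-version check from Example 2 can be run together over install-level data. The sketch below is an added example, not Moloco's own code; the `(network, ip, os_version)` row layout, the thresholds and the sample rows are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Assumed thresholds, not from the article: calibrate on channels you trust.
MAX_TOP_IP_SHARE = 0.05  # largest share of a network's installs from one IP
MAX_OLD_OS_SHARE = 0.30  # largest share of installs on an antiquated OS
OLD_OS_MAJOR = 4         # major versions at or below this count as antiquated

def screen_networks(installs):
    """installs: iterable of (network, ip, os_version) rows (assumed layout)."""
    by_network = defaultdict(list)
    for network, ip, os_version in installs:
        by_network[network].append((ip, int(os_version.split(".")[0])))
    report = {}
    for network, rows in by_network.items():
        total = len(rows)
        top_ip, top_count = Counter(ip for ip, _ in rows).most_common(1)[0]
        old_share = sum(major <= OLD_OS_MAJOR for _, major in rows) / total
        flags = []
        if top_count / total > MAX_TOP_IP_SHARE:
            flags.append("ip_concentration")
        if old_share > MAX_OLD_OS_SHARE:
            flags.append("old_os_skew")
        report[network] = {"top_ip": top_ip, "top_ip_share": top_count / total,
                           "old_os_share": old_share, "flags": flags}
    return report

def sample_installs():
    """Constructed data: net_a resembles ordinary traffic, net_b an install farm."""
    rows = []
    for i in range(1000):
        # net_a: a shared office IP reaches 0.4%; one install in ten is on OS 4.
        ip_a = "198.51.100.7" if i < 4 else f"10.0.{i // 250}.{i % 250}"
        rows.append(("net_a", ip_a, "4.4" if i % 10 == 0 else "9.0"))
        # net_b: one IP carries 17.2% of installs; half the devices run OS 4.
        ip_b = "203.0.113.9" if i < 172 else f"10.1.{i // 250}.{i % 250}"
        rows.append(("net_b", ip_b, "4.4" if i % 2 == 0 else "8.1"))
    return rows

if __name__ == "__main__":
    for network, result in screen_networks(sample_installs()).items():
        print(network, result)
```

Because VPNs can hide the IP signal and device types can be spoofed, a clean result here does not clear a network; it only rules out the amateur cases.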
We noted above that install farms seldom bother to fake impressions. Generally, install farms will use a small number of apps they know will reliably generate an impression to take credit for installs. As a result, conversion rates for these subpublishers can be astronomical.
Conversion rates of three fraudulent subpublishers compared to the overall campaign.
If you break out conversion rates by subpublisher you can see that a handful of apps are particularly skewed. If you simply shut off traffic to these apps, the install farm will generally find new subpublishers, so it’s best to stop all traffic to that channel.
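One way to break out rates by subpublisher and compare them with the overall campaign, as an added example rather than code from the article. The definitions (CTR as clicks per impression, CVR as installs per click), the 5x cut-off, the subpublisher names and the counts are all assumptions constructed for illustration.

```python
RATIO = 5.0  # assumed cut-off: flag rates above 5x the campaign-wide rate

def rate(numerator, denominator):
    """Events with no recorded denominator count as an infinitely high rate."""
    if denominator == 0:
        return float("inf") if numerator > 0 else 0.0
    return numerator / denominator

def flag_subpublishers(stats, ratio=RATIO):
    """stats maps subpublisher -> (impressions, clicks, installs)."""
    impressions = sum(s[0] for s in stats.values())
    clicks = sum(s[1] for s in stats.values())
    installs = sum(s[2] for s in stats.values())
    campaign_ctr = rate(clicks, impressions)   # assumed: clicks / impressions
    campaign_cvr = rate(installs, clicks)      # assumed: installs / clicks
    flagged = {}
    for sub, (imp, clk, ins) in stats.items():
        ctr, cvr = rate(clk, imp), rate(ins, clk)
        reasons = []
        if ctr > ratio * campaign_ctr:
            reasons.append("ctr")
        if cvr > ratio * campaign_cvr:
            reasons.append("cvr")
        if reasons:
            flagged[sub] = {"ctr": ctr, "cvr": cvr, "reasons": reasons}
    return flagged

# Constructed sample: three ordinary subpublishers and two that claim installs
# with few or no impressions behind them.
SAMPLE_STATS = {
    "app_news":       (200_000, 2_000, 40),
    "app_puzzle":     (150_000, 1_800, 30),
    "app_weather":    (100_000,   900, 20),
    "app_flashlight": (    500,   300, 240),
    "app_wallpaper":  (      0,   120, 100),  # installs, no impressions at all
}

if __name__ == "__main__":
    for sub, info in flag_subpublishers(SAMPLE_STATS).items():
        print(sub, info)
```

The fraudulent rows are included in the campaign-wide baseline, so a channel dominated by farm traffic can mask itself; comparing against a trusted channel's rates avoids that.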
Another way of checking for junk installs is to look at post-install metrics. A junk user is very unlikely to use your app in the same way as normal users. So if you see very low engagement or purchase rates, then you may be the victim of an install farm.
Fraudsters are growing quite sophisticated, and their deception can run quite deep. In one case, we saw a company that was paying per install and validated their networks by making sure the purchase rate was up to standards. For one of their advertising channels, they noticed the purchase rate was fine, but something else was suspicious. Their cheapest in-app inventory item was $0.99. This created an arbitrage opportunity for fraudsters because they were charging $2.00 per install.
To combat the fraudster, they asked the ad network to continue but they quietly delisted any inventory item under $2.00. Suddenly, the traffic from the fraudulent channel dropped to zero.