Best Practices for Detection of Mobile Fraud


All AppsFlyer client accounts enjoy the industry’s most comprehensive real-time fraud protection, enabled by AppsFlyer’s unparalleled data base of mobile devices. Thousands of fraud installs are blocked at the time of installation daily, preventing huge accumulated damage for advertisers.

However, not all fraud can be prevented in real-time.  As fraudsters become more sophisticated, they find workarounds requiring hands-on detection to discover their activities.

The Protect360 provides the tools for any advertiser to detect these sophisticated methods.

The following explains the best practices for AppsFlyer's clients to detect mobile fraud and prevent further damage.

When Should Fraud Detection Methods be Used?

We recommend performing these checks periodically for all client apps.

The shorter the time between periodic checks, the faster fraudulent sources can be blocked and the potential damage avoided.

What Should Be Done for Each App During Fraud Detection?

  • Dashboard Insights -  KPIs such as Loyal Users Rate and In-App Event Performance are naturally expected to be very low for fraudulent sources. Abnormally high uninstall rates may also be a strong indication for fraudulent traffic.

    Action: Go to the Overview page and compare the different media sources and campaigns data for important KPIs.  
  • Protect360 - The following methods can only be used by accounts with Protect360 enabled:
    • Detect New Devices Fraud
    • Detect LAT Fraud
    • Detect Install Hijacking
    • Detect Click Flooding

For a simple explanation of each fraud type, click here.

Set out below are the instructions for each fraud detection step:

How to Check Each App for Fraud?

  1. From the AppsFlyer dashboard, click Protect360

  2. Using the filter options, group by Media source + Site ID to compare all publishers of all media sources

  3. Use the date range selector to apply relevant time period

  4. Click Advanced filtering Advanced_Filtering.png for additional filter options

  5. Set Min Cohort Size to omit the less significant publishers. Recommended value is 10 or more. Data updates automatically.

How to Detect New Devices Fraud?

Fraudsters may mask their devices by frequently resetting their main IDs of their devices - IDFA for iOS and GAID for Android.  Since AppsFlyer’s SDK exists six times on average in every smartphone, over 95% of mobile devices are recognized by AppsFlyer. If an install message is received from an unknown device, it is labeled as device rank N, meaning New.  A high percentage of new devices is a strong indication of the occurrence of fraudulent activity, unless a campaign intentionally targets new devices.

1. On the Distribution graph select New Device Installs.

2. Sources located to the right of the gap on the graph or have over 80% are suspicious as new device fraud.

100% of new devices vs. the majority with 10% to 30% - highly suspicious

3. For borderline sources check the loyal users rate of New Devices on the Aggregated Fraud Report. A low percentage is a strong indication of fraud.

100% new devices with substantial, yet relatively low loyal users rate - suspicious

How to Detect LAT Fraud?

LAT (Limited Ad Tracking) users select to opt out of exposing their device IDFA to advertisers. Approximately 15% of iOS users and 10% of Android users take this choice. Similar to new device ranking, LAT users may be legitimate users, but may also be fraud devices.

1. On the Distribution graph select LAT Installs.

2. Sources either located to the right of the gap on the graph or with over 80% LAT users, are suspicious as LAT fraud incidents.


3. For borderline sources, check the loyal users rate of LAT Devices on the Aggregated Fraud Report. A low percentage is a strong indication of fraud.

100% LAT devices - very suspicious
57% LAT with 62% loyal users - high % but may be legit

How to Detect Install Hijacking?

Fraudsters install malware on mobile devices that create an alert when a download of an app occurs.  Immediately thereafter, a click is sent to AppsFlyer claiming credit for the install. These hijacked installs have very short CTIT (Click To Install Time) values. Installs with the shortest CTIT are automatically blocked, but installs that take slightly longer require detection.

1. On the CTIT graph select the Seconds range.

Normally a bell curve should peak around 40-70 seconds CTIT depending on app size, connection speed etc. Spikes of traffic under 30 seconds are suspicious.

Normal distribution

Giant spike at 5 seconds or less installs - Suspicious for install hijacking

2. Select Install Hijacking on the Aggregated Fraud Report.

3. Click Up to 10 seconds - sources with more than 20% are highly suspicious for install hijacking.

4. Click Over 30 seconds - sources under 70% are suspicious.

4 sites exceed 20% of up to 10 seconds CTIT and less than 70% of over 30 seconds - very suspicious

How to Detect Click Flooding?

Using Click Flooding, fraudsters send millions of clicks with real Device IDs, hoping to register as the last click for real users. Sources with this type of fraud have very low conversion rates, but high quality users, since most of them are organic. Their CTIT is much more evenly spread than normal users’ traffic.

1. On the CTIT widget select “Days” range. Day 7 users should be less than 1% of day 1 users.

2. For the Aggregated Fraud Report select Click Flood
3. Check the table’s KPIs for abnormal values:

  • Normal Conversion Rates are between 1% to 35%. Abnormally low conversion rates compared with the average rate indicate click flood fraud.
  • Normally less than 35% of users finish installing more than 60 minutes after the click. If the Over 60 minutes value per source is higher than 50% there is a suspicion of click flood.
  • Contribution rates which are 50% higher than the average for an app are considered suspicious. Please note that the more sources are used by an app, the higher are its Contribution rates. 

Normal click distribution

Suspected click flood

Advanced Anti Fraud Tips

Number of Installs

Filtering by the number of installs per checked source is important for detecting the biggest fraud sources. Additionally, lower number of installs may not be mathematically significant.


Set Min Cohort Size to 30 or more to receive only highly reliable and significant results.

Change Loyal User Definition
The default definition for Loyal users is 3 or more launches of the app. It is an important KPI for user engagement, but unfortunately many fraudsters know it and use it to fake high rates of loyal users, thus avoiding suspicion. Avoid being conned by creating and selecting a better, more elaborate loyal user definition.


Analyze your app's user quality KPIs such as register, tutorial completion, purchase, multiple sessions etc. Within the app's code send a new loyal user in app event if a user performs ALL the list of KPIs.  

After the first non-organic loyal user event is sent, go to App Settings and select it to indicate loyal users for your app.  Expect general loyal user rates to slightly drop and then drastically drop for fraudulent sources.

What To Do When you Find a Suspicious Source
Most mobile frauds originate from publishers that con the ad networks too, meaning advertisers and ad networks have similar interests to stop this.


1. Notify the network to stop sending you traffic from the suspicious sources.
2. Use the raw data installs report column called Attributed Touch Time to verify that no more installs are received from the source after your request to stop it has been received.

You may also receive full or partial refunds on past traffic from suspicious sources, depending on the ad network and the significance of the fraud discovered using AppsFlyer’s Protect360 tools.
Was this article helpful?
0 out of 0 found this helpful