Detection of mobile fraud—best practices

At a glance: Detect fraud using AppsFlyer and Protect360.



AppsFlyer offers its client accounts the industry’s most comprehensive real-time fraud protection, enabled by AppsFlyer’s unparalleled database of mobile devices. While all accounts enjoy basic fraud protection, accounts that have the full Protect360 package enabled, enjoy the full suite of anti-fraud protection, preventing huge accumulated damages for advertisers.

However, not all fraud can be prevented in real-time. As fraudsters become more sophisticated, they find workarounds requiring hands-on detection to discover their activities.

Protect360 provides the tools for any advertiser to detect these sophisticated methods.

The following article explains the best practices for AppsFlyer clients to detect mobile fraud and prevent further damage.

When should fraud detection methods be used?

We recommend performing these checks periodically for all client apps.

The shorter the time between periodic checks, the faster fraudulent sources can be detected and the potential damage avoided.

How can users detect fraud?

1. Dashboard overview page - Clients without Protect360 can detect suspicious sources on the single app-level using KPIs such as Loyal Users Rate and In-App Event Performance. The mentioned KPIs are naturally expected to be very low for fraudulent sources. Abnormally high uninstall rates may also be a strong indication of fraudulent traffic.

Action: Go to the Overview page and compare the different media sources and campaign data for important KPIs.

2. Protect360 - Protect360 clients can detect fraud either on the account level or on the single app level. The following detection methods can only be used by accounts with Protect360 enabled:

  • New Device Fraud
  • LAT Fraud
  • Install Hijacking
  • Click Flood

For a simple explanation of each fraud type, click here.

Account-level fraud detection using Protect360

The following instructions describe the AppsFlyer recommended method for periodic detection of fraudulent installs.

Basic Protect360 Setup

  1. From the AppsFlyer dashboard, click Protect360

  2. Click Advanced Detection
  3. Using the filter options, group by Media source + Site ID to compare all publishers of all media sources

  4. If you wish to concentrate on a specific app or apps select them on the app filter box. Otherwise, leave the default value of All apps.

  5. Use the date range selector to apply the relevant time period

  6. Click Advanced filtering Advanced_Filtering.png for additional filter options

  7. Set Min Cohort Size to omit the less significant publishers. Recommended value is 10 or more. Data updates automatically.

Perform the following detection practices only after the basic setup.

Detecting new devices fraud

Fraudsters may mask their devices by frequently resetting the main IDs of their devices - IDFA for iOS and GAID for Android. Most mobile devices are recognized by AppsFlyer since AppsFlyer’s SDK exists in over 95% of them globally.

If an install message is received from an unknown device, it is labeled as device rank N, meaning New. A high percentage of new devices is a strong indication of the occurrence of fraudulent activity by device farms unless a campaign intentionally targets new devices.

1. On the Fraud types dropdown box select Install Fraud

2. Sources located to the right of the gap on the graph or have over 60% new devices (cohort size of at least 100) are suspicious as new device fraud. With cohort size of at least 1000 devices over 40% of sources are suspicious as well.

Site IDs with 100% new devices when the majority has 0% to 20% - highly suspicious

3. For borderline sources check the loyal user rate of New Devices on the Aggregated Fraud Report. A low percentage is a strong indication of fraud.

100% new devices with substantial, yet relatively low loyal users rate - suspicious


Campaigns of pre-installed apps usually have extremely high rates of new devices, as these may be among the very first apps that users launch when activating their new devices. Therefore, for pre-installed apps, device ID reset fraud is unlikely even with high new device rates.

Detecting LAT fraud

LAT (Limited Ad Tracking) users select to opt-out of exposing their device ID, IDFA or GAID, to advertisers. Approximately 15% of iOS users and 10% of Android users take this choice.

As with the new device ranking, LAT users may be legitimate users. However, a high percentage of them could indicate fraudulent activity.

1. On the Fraud types dropdown box select Install Fraud

2. On the Distribution graph select LAT Installs.


3. Sources either located to the right of the gap on the graph or with over 40% LAT users, are suspicious as LAT fraud incidents.

4. For borderline sources, check the loyal user rate of LAT Devices on the Aggregated Fraud Report. A low percentage is a strong indication of fraud.

100% LAT devices - very suspicious
57% LAT with 62% loyal users - high % but may be legit

Detecting click flood

Using Click Flood, fraudsters send millions of clicks with real Device IDs, hoping to register as the last click for real users. Sources with this type of fraud have very low conversion rates, but high-quality users, since most of them are organic.

Since the clicks are not performed by the real installers, their CTIT is much more evenly distributed compared with normal users’ traffic.

1. On the Fraud types dropdown box select Click Flood

2. On the CTIT widget select the “Days” range. Normal user distribution should drop sharply from day to day, while even distribution is a strong indication for Click Flood.

3. Scroll down to the Aggregated Performance Fraud report

4. Click on the Over 60 minutes column once to sort in descending order.
If the Over 60 minutes value per source is higher than 50% suspect click flood.

5. For the suspicious sources check the following KPIs for abnormal values:

  • Normal Conversion Rates are between 0.5% to 35%. Abnormally low conversion rates compared with the average rate indicate click flood fraud.
  • Contribution rates that are 50% higher than the average for an app are considered suspicious. Please note that the more sources are used by an app, the higher are its Contribution rates.

Normal click distribution

Suspected click flood

Detecting install hijacking

Fraudsters install malware on mobile devices that create an alert when a download of an app occurs. Immediately thereafter, a click is sent to AppsFlyer claiming credit for the install. These hijacked installs have very short CTIT (Click To Install Time) values. Installs with the shortest CTIT are automatically blocked, but installs that take slightly longer require detection.

Clients that have the Validation rules feature enabled can configure their own CTIT threshold to automatically block fraudulent installs.

Finding the CTIT threshold

When the CTIT graph doesn't show a normal curve (see below) you should suspect fraud is in play. Abnormal CTIT graphs show a "valley", where the suspicious installs are to the left of it, and to the right starts the normal curve. This valley is where the CTIT threshold should be defined.

Placing the threshold to the right of the valley - blocks valid installs (false positives).

Placing the threshold to the left of the valley - accepts some fraud installs attribution.

1. On the CTIT graph select the Seconds range.

Normally a bell curve should peak around 40-70 seconds CTIT depending on app size, connection speed, etc. Spikes of traffic under 30 seconds are suspicious.

Normal curve

CTIT graph with a valley at 15 seconds. Notice the giant spike at 5 seconds -
Suspicious for install hijacking

2. Select Install Hijacking on the Aggregated Fraud Report.

3. Click Up to 10 seconds - sources with more than 20% are highly suspicious for install hijacking.

4. Click Over 30 seconds - sources under 70% are suspicious.

4 sites exceed 20% of up to 10 seconds CTIT and less than 70% of over 30 seconds - very suspicious

Advanced anti-fraud tips

Number of Installs

Filtering by the number of installs per checked source is important for detecting the biggest fraud sources. Additionally, a lower number of installs may not be mathematically significant.


Set Min Cohort Size to 30 or more to receive only highly reliable and significant results.

Change Loyal User Definition
The default definition for Loyal users is 3 or more launches of the app. It is an important KPI for user engagement, but unfortunately, many fraudsters know it and use it to fake high rates of loyal users, thus avoiding suspicion. Avoid being conned by creating and selecting a better, more elaborate loyal user definition.


Analyze your app's user quality KPIs such as register, tutorial completion, purchase, multiple sessions, etc. Within the app's code send a new loyal user in-app event if a user performs ALL the list of KPIs.

After the first non-organic loyal user event is sent, go to App Settings and select it to indicate loyal users for your app. Expect general loyal user rates to slightly drop and then drastically drop for fraudulent sources.

What to do when you find a suspicious source?

Most mobile frauds originate from publishers that con the ad networks too, meaning advertisers and ad networks have common interests to stop fraud.


1. Notify the network to stop sending you traffic from suspicious sources.
2. Use the raw data installs report column called Attributed Touch Time to verify that no more installs are received from the source after your request to stop it has been received.

You may also receive full or partial refunds on past traffic from suspicious sources, depending on the ad network and the significance of the fraud discovered using the AppsFlyer Protect360 tools.

Was this article helpful?