Protect360 is an AppsFlyer premium feature, which helps marketers to block and detect three main types of fraud:
| Fraud Type | Description |
|---|---|
| Device-Based Install Fraud | The detection of fraud hiding behind DeviceID reset fraud, Limit Ad Tracking and high concentrations of devices with suspicious engagement profiles. |
| Click Flooding | The sending of large numbers of fraudulent clicks, trying to gain credit and payment for both organic and non-organic installs. |
| Install Hijacking | The use of malware to send fraudulent clicks during the install process. |
The Protect360 Dashboard contains details of all blocked fraudulent activities under the Blocked tab, and detection data for suspected fraudulent sources under the Advanced Detection tab.
Data in the Protect360 dashboard can be filtered by App Name, Media Source, Geo and Grouped by.
Data in the Protect360 Dashboard is calculated daily. The dashboard displays the date up to which the data was last updated.
The dashboard is visible to media sources, if the advertisers permit the source to access it. The blocked fraud raw data reports with the media sources data are available to them regardless of permissions.
The Blocked section of the dashboard provides you with aggregated data on the events blocked by Protect360, including clicks, installs and in-app events.
It has the Estimated Savings, Clicks, Installs and In-App Events widgets, as well as the Blocked Activity table.
Account Level Protect360
You can filter the data in the Protect360 dashboard at Account Level. App level reporting shows only a fraction of the blocked activities, whereas Account level shows a much higher number of blocked activities. This allows you to analyze your data and gain much broader insight into the activity taking place and the savings made from blocked activity.
Click on the dropdown option to view all the apps in the account.
The Installs widget shows the total blocked installs for all the apps under the account. The Estimated Savings widget displays the aggregated total for all apps too.
Estimated Savings Widget
How much money does Protect360 save you from paying to fraud?
The Estimated Savings widget shows you an approximation of this amount based on the number of blocked installs and the relevant eCPI.
How is this calculated?
For each source we use the following formula:
number of blocked installs X eCPI = Estimated Savings
For networks that support sharing cost data you get an accurate estimation of the savings.
For networks that don't support this, AppsFlyer uses the average eCPI of the entire group of verified installs from all sources that have cost data. If your app has no source with cost data yet, you are prompted to enter an estimated eCPI manually when you enter the dashboard.
- The Estimated Savings widget is not automatically activated. Contact your CSM to activate this widget.
- Media sources granted access to Protect360 by the advertiser are unable to see any estimated savings data.
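An added sketch of the calculation above (not AppsFlyer's code): each source uses its own eCPI when it shares cost data, otherwise the pooled average over all cost-sharing sources, otherwise a manually entered estimate. The `Source` fields, the sample figures and the reading of the pooled average as total cost divided by total verified installs are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Source:
    name: str
    blocked_installs: int
    verified_installs: int
    cost: Optional[float]  # None when the network shares no cost data


def estimated_savings(sources, manual_ecpi=None):
    """Return {source name: (eCPI used, estimated savings)}."""
    with_cost = [s for s in sources
                 if s.cost is not None and s.verified_installs > 0]
    pooled_installs = sum(s.verified_installs for s in with_cost)
    if pooled_installs:
        # Assumed reading: total cost / total verified installs of cost-sharing sources.
        pooled = sum(s.cost for s in with_cost) / pooled_installs
    else:
        pooled = manual_ecpi  # no source shares cost data yet
    if pooled is None:
        raise ValueError("no cost data: a manual eCPI estimate is required")
    result = {}
    for s in sources:
        has_own = s.cost is not None and s.verified_installs > 0
        ecpi = s.cost / s.verified_installs if has_own else pooled
        # number of blocked installs X eCPI = Estimated Savings
        result[s.name] = (round(ecpi, 4), round(s.blocked_installs * ecpi, 2))
    return result


# Constructed sample figures, not real campaign data.
SAMPLE = [
    Source("network_a", blocked_installs=120, verified_installs=1000, cost=2000.0),
    Source("network_b", blocked_installs=40, verified_installs=500, cost=400.0),
    Source("network_c", blocked_installs=300, verified_installs=800, cost=None),
]

if __name__ == "__main__":
    for name, (ecpi, saved) in estimated_savings(SAMPLE).items():
        print(f"{name}: eCPI={ecpi} estimated_savings={saved}")
```

The savings figure for `network_c` depends on what the other networks paid, so it shifts whenever the mix of cost-sharing sources changes.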
The Clicks widget displays the number of clicks that are blocked by Protect360 due to IP filtering, i.e. clicks that originate from IP addresses that are in AppsFlyer's IP blacklist.
Protect360 prevents attribution to these fraudulent clicks, and restores the attribution to the correct sources of these valid installs.
Installs and In-App Events Widgets
The Installs widget displays the total number of installs that were blocked by Protect360 during the specified date range, across all fraud blocking reasons.
The In-App Events widget displays the number of all the blocked in-app events, whether they are blocked because they belong to blocked installs or because they were blocked as suspicious events.
Blocked Activity Table
The following data is displayed in Blocked Activity table per media source:
| Column | Description |
|---|---|
| Media Source | This is the default group-by option. We also support grouping by Campaign, Site ID, GEO, Channel or media source + site ID combination |
| Estimated Savings | The amount saved for the source based on blocked installs and average eCPI |
| Average eCPI | The average effective cost per installation: the total campaign cost divided by the amount of effective installations. Sources with N/A don't share cost data. |
| Clicks - Total | Total number of clicks from the source |
| Clicks - Blocked | Total number of blocked clicks from the source |
| Clicks - % | Percentage of blocked clicks out of the total # of clicks |
| Installs - Total | Total number of installs from the source |
| Installs - Blocked | Total number of blocked installs from the source |
| Installs - % | Percentage of blocked installs from the total # of installs |
| Blocked Installs Breakdown - DeviceRank | Total number of installs blocked due to C ranking of the installing devices |
| Blocked Installs Breakdown - Install Validation | Total number of installs blocked due to negative store validation |
| Blocked Installs Breakdown - SiteID Blacklist | Total number of installs blocked due to the SiteID appearing on the blacklist |
| Blocked Installs Breakdown - CTIT Anomalies | Total number of installs blocked due to Click Time to Install anomalies |
| Blocked Installs Breakdown - Bots | Total number of blocked installation attempts made by automatic Bots |
| Blocked Installs Breakdown - Click Flood | Total number of installs blocked due to Click Flooding |
| Blocked Installs Breakdown - Behavioral Anomalies | Total number of installs blocked due to behavioral anomalies |
| Blocked Installs Breakdown - Install Hijacking | Total number of installs blocked due to install hijacking based on the Google Play Server-Side API discrepancies |
| In-App Events - Total | The total number of in-app events |
| In-App Events - Blocked | The total number of blocked in-app events |
| In-App Events - % | The percentage of blocked in-app events |
The Advanced Detection section displays the following:
Two separate graphs are shown. From the dropdown menu, select the fraud type that you want to view. The appearance of the graphs changes in accordance with your selection. The options are:
- Install Fraud (Source Distribution Graph is displayed)
- Click Flood (CTIT Histogram is displayed in hours, by default)
- Install Hijacking (CTIT Histogram is displayed in seconds, by default)
AppsFlyer can show data anomalies, based on the percentage of devices per source.
Y axis shows the absolute number of Media Sources, Publishers, Ad Sets or Channels.
X axis shows the percentage of selected class devices from the publisher.
For example, in the capture above, for about 25 site IDs 30-40 percent of their installs are new devices.
CTIT (Click to install time) is an important measurement used to detect fraud.
Malware detects installs being performed and sends clicks to gain the 'last click' status and get the attribution for the installs. A short CTIT is a strong indication of this type of fraud.
Y axis shows the number of installs.
X axis shows the time elapsed in seconds (default), hours or days since the click.
Click to enter Validation Rules and set the rules for CTIT. For more details, click here.
The Aggregated Fraud Report
By default, the report displays all available columns. You can filter the report to show specific columns that illustrate particular fraudulent activities, as follows:
- All (default)
- Install Fraud
- Click Flood
- Install Hijacking
The following information is available in the Protect360 Report:
| Column | Description | Report Filters |
|---|---|---|
| Media Source | This is the default group-by option. We also support grouping by Campaign, Site ID, GEO, Channel or media source + site ID combination | All, Install Fraud, Click Flood and Install Hijacking |
| Installs | The total installs in the specified time frame | All, Install Fraud, Click Flood and Install Hijacking |
| New Device Installs / Rate | Installs coming from a device which AppsFlyer detected for the first time across all apps and accounts | All, Install Fraud |
| New Device Loyal User Rate | Percentage of Loyal users from new device installs | All, Install Fraud |
| LAT Installs / Rate | Installs from devices with Limit Ad Tracking (LAT) enabled | All, Install Fraud |
| LAT Installs Loyal User Rate | Percentage of Loyal users from LAT installs | All, Install Fraud |
| Suspicious Installs / Rate | Installs from devices with some activity which might indicate fraud (DeviceRank "B") | All, Install Fraud |
| Suspicious Loyal User Rate | Percentage of Loyal users from suspicious installs | All, Install Fraud |
| Clean Installs / Rate | Installs from devices which appear to have legitimate activity (DeviceRank "A", "AA" and "AAA") | All, Install Fraud |
| Clean Installs Loyal User Rate | Percentage of Loyal users from clean installs | All, Install Fraud |
| Clicks | Number of clicks in the specified time frame | All, Click Flood |
| Conversion Rate | Number of installs / Number of clicks | All, Click Flood |
| Up to 5 minutes CTIT | Rate of installs occurring less than five minutes after the click | All, Click Flood |
| 5 to 60 minutes CTIT | Rate of installs occurring between five and sixty minutes after the click | All, Click Flood |
| Over 60 minutes CTIT | Rate of installs occurring more than one hour after the click | All, Click Flood |
| Contribution Rate | Number of appearances as a contributor / Number of appearances as last attributed click. The higher the result, the stronger the suspicion of click flood, since the click can catch non-organic installs too. | All, Click Flood |
| Up to 10 seconds | Rate of installs occurring up to ten seconds after the click | All, Install Hijacking |
| 10 to 30 seconds | Rate of installs occurring between ten and thirty seconds after the click | All, Install Hijacking |
| Over 30 seconds | Rate of installs occurring more than thirty seconds after the click | All, Install Hijacking |
Use the drop-down menus at the top of the Aggregated Fraud Report table to select one or more (multi-select) In-App Events to view in the table.
Adding an event adds the ratio between the number of events and the number of installs.
The number of events shown is not LTV (as in the dashboard), but rather the updated number of events up to the date selected in the filter.
The Loyal User Rate columns allow you to view the quality of the users of each aggregation class.
* Data is available from 14 days prior to your Protect360 sign-up date
You can filter the information provided in the same way as in the AppsFlyer dashboard. For more details, see here.
To discover what can be done with the detection data, read the Best Practices for Detection of Mobile Fraud article.
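The Click Flood and Install Hijacking columns of the Aggregated Fraud Report can be recomputed from raw attribution data to cross-check a source. The following is an added example, not AppsFlyer code: the record layout, the sample data, the handling of bucket boundaries and the flagging thresholds in `suspects` are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample installs: (last-click source, CTIT in whole seconds,
# sources whose earlier clicks appear as contributors to the same install).
INSTALLS = [
    ("net_hijack", 4, []), ("net_hijack", 7, []), ("net_hijack", 9, []),
    ("net_hijack", 45, []),
    ("net_flood", 7200, []), ("net_flood", 30000, []),
    ("net_clean", 40, ["net_flood"]), ("net_clean", 95, ["net_flood"]),
    ("net_clean", 600, ["net_flood"]),
    ("net_clean", 20, ["net_flood", "net_hijack"]),
]
CLICKS = {"net_hijack": 40, "net_flood": 100000, "net_clean": 80}  # constructed

def hijack_bucket(s):
    return "up_to_10s" if s <= 10 else "10_to_30s" if s <= 30 else "over_30s"

def flood_bucket(s):
    return "up_to_5m" if s < 300 else "5_to_60m" if s <= 3600 else "over_60m"

def fraud_report(installs, clicks):
    """Per-source report columns: installs, rates and CTIT bucket shares."""
    attributed, contributed = Counter(), Counter()
    hijack, flood = defaultdict(Counter), defaultdict(Counter)
    for source, ctit, contributors in installs:
        attributed[source] += 1
        contributed.update(contributors)
        hijack[source][hijack_bucket(ctit)] += 1
        flood[source][flood_bucket(ctit)] += 1
    return {
        source: {
            "installs": n,
            "conversion_rate": n / clicks[source],
            "contribution_rate": contributed[source] / n,
            "hijack_ctit": {b: c / n for b, c in hijack[source].items()},
            "flood_ctit": {b: c / n for b, c in flood[source].items()},
        }
        for source, n in attributed.items()
    }

def suspects(report, short_ctit=0.5, contribution=1.0, conversion=0.001):
    """Flag sources; the three thresholds are hypothetical tuning values."""
    flags = {}
    for source, row in report.items():
        reasons = []
        if row["hijack_ctit"].get("up_to_10s", 0) >= short_ctit:
            reasons.append("install_hijacking")
        if (row["contribution_rate"] >= contribution
                or row["conversion_rate"] <= conversion):
            reasons.append("click_flood")
        if reasons:
            flags[source] = reasons
    return flags
```

In the sample, `net_flood` wins only two installs yet appears as a contributor on four others, which is the pattern the Contribution Rate column is meant to expose.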