Getting lots of clicks on your mobile app ads? But have you checked for click spam?

Click spamming malware has been a growing problem in recent years, with a number of campaigns uncovered. This form of click fraud, which mostly affects mobile app ads, can be extremely costly for advertisers and can even fly under the radar for a long time, seemingly undetected by the ad platforms.

So how does click spamming affect you? What is click spam? And how can you stop it?

What is click spam?

Click spam, also known as click flooding, is a type of click fraud. Apps or mobile websites use inbuilt malware to flood ads or download links with automatically generated clicks. These clicks often hijack genuine user behaviour, and can work while an app is running in the background.

There are several forms of click spam, including:

  • Click flooding – which is multiple clicks generated for every single click on ads
  • Organics poaching – designed to claim the credit for eventual organic app installs or downloads
  • Fake impressions or views – where an app generates views on videos without the users’ knowledge or displays multiple display ads in hidden frames

As well as paying out to fraudsters who haven’t earned the referral genuinely, it also distorts marketers’ data. Advertisers might see the clicks and referrals as positive when in fact, they are almost entirely fraudulent.

How does click spam work?

Very simply, the user downloads an app, which can be anything from a utility app, such as a calculator or torch app, to a game or other tempting download. The app itself has features built-in that conduct activity in the background on behalf of the user. This can include clicking on ads in the app or converting impressions (views) on ads in the app into clicks.

Click spam can also be done in the form of install spoofing or fake downloads on apps. This is the practice known as organics poaching.

How does this work?

  • The user downloads an infected app to their device
  • This app has code built in which creates many clicks (spam clicking) normally on ads or allows an external device to click within the app
  • All ad clicks are assigned to the developer or click spammer, and if there is an unrelated download from the app store or if there is an in-app purchase or ad click, the developer gets the payout
  • Besides defrauding marketers of their ad spend, click spam also distorts click data, often making certain platforms look much more effective than they are

When downloading an app that runs in the background, this could mean that an app is able to click spam ads almost constantly. For the user, this can mean a depleted battery, such as with the DrainerBot malware.

But for the advertiser, it can mean that you see a lot of activity on your display ads but without the corresponding conversions. To make matters worse, any conversions that are made may not be attributed correctly, and chances are there will be a high amount of spoofed clicks before there is any conversion.

Click spamming vs. botnets

Click spam differs from botnet activity in that the app generates a huge volume of click spam itself. By comparison, botnets leverage the power of multiple devices to generate fake traffic to ads or links.

The source of the fake clicks is the app itself, which can leverage genuine human activity to generate masses of clicks. Although you might assume that click spamming malware is the fault of the app developer, the truth is it’s more complex than this.

SDKs, or software development kits, form the basis of most apps on the app stores. In recent years, several SDKs have been found to contain malware elements that fraudulently engage with ads.

Read more about how SDK’s and malware are a problem for marketers.

These apps tend to be in the Google Play store and can also affect Google Ads and Facebook display ads. Apple’s app store isn’t immune to malware, though, with multiple campaigns uncovered in recent years, including the SourMint affecting thousands of apps.

Click spam isn’t limited to apps, though, with mobile landing pages and web pages also capable of generating ad-clicking activity and impressions on behalf of visitors.  

Spotting organics poaching on your ads

As an advertiser, an obvious giveaway that you’ve been a victim of click spam is always going to be higher traffic with fewer conversions. This applies to pretty much all forms of click fraud or ad fraud. However, it can be harder to spot organics poaching or click flooding.  

The reason for this is that with an authentic device ID, it can look like a genuine session by a real live user. But usually, there are some giveaways that can be used to identify spam clicks on your ads.

Check your analytics for the time between clicks and conversions. Usually, organics poaching will claim a conversion that took place sometime after the original click.

Make sure that apps have been validated by the ad networks, which is often a good indicator that the apps in question are genuine. Bear in mind, though, that on Google’s Play store, you do not have to validate your app (and it can take some time for apps to be validated). App developers can sometimes be somewhat secretive with their coding, so just because an app isn’t validated doesn’t necessarily mean it’s fraudulent.

However, what you can do is look at the analytics around specific app publishers. If you have a smaller app developer who seems to be delivering high traffic, dig into the stats a little to see what you can find. 

Click spam or click spoofing may show a high volume of traffic but a relatively low amount of conversions. 

How to stop click spam

As a form of ad fraud, click spam can be prevented using anti-click fraud software. ClickCease uses sophisticated algorithms to decode fraudulent activity and help you understand what is really happening with your PPC ads and conversions.

By blocking blacklisted sources of bad ad traffic, you’re already ahead of advertisers who don’t protect their ads.

Yes, you can explore your click traffic manually, of course. And yes, it does take quite a bit of time, analysis, and guesswork.

Using ClickCease is a time and cost-effective way to spot fake clicks and invalid traffic. By setting an ad click threshold with ClickCease, you can block multiple clicks from the same source within a set time period, which is usually how click spam works.

ClickCease also blocks traffic from VPNs, bots, and web crawlers in real-time.

Best of all, you can try it out for free to find out exactly how much fraudulent traffic your ads get. If you’re paying for ads on Google, Facebook, or Bing, ClickCease will make a big difference to your ad performance.