While I have seen several companies attempt to use fingerprinting based on the IP + User Agent combination , I have not been able to use it as a significant fraud detection tool in our data. It is clear that the combination helps to make a click unique, but IP addresses and user agents can be easily spoofed. Don't leave it out of your analysis if it does indicate fraud to you!
The user agent is becoming less unique due to the standardization of devices running the software. The diversity of Apple devices is a lot less than Google devices anyway. So it is more common for Apple devices to generate traffic from the same IP + User Agent combination. Here is some good information on this topic.
2. Device
From the device perspective, there is a lot to say about click traffic. Just analyzing the share per operating system and model (or version) generates useful insights. For example, we found the AndyWin Emulator model . Clearly intended to imitate a device and install an app from a desktop on a larger scale.
Another clear factor I found with Android devices is that fraudsters want to mask the use of a certain model. This is reflected in the widespread use of nearly unique models and the use of the same model across multiple campaigns. A closer look at the OS version also showed that these were being spoofed per device model. In the market, users are staying on older versions longer, but compare these numbers to the country statistics to double check. For Apple devices, it is difficult to track, as they are mainly referred to as iPhone and iPad.
Below you can see a graph showing an abnormal distribution per device model per country per campaign per affiliate on Android campaigns. Almost the same number of models were used for similar campaigns to fake installs in multiple countries. The affiliate marked in blue shows healthy traffic.
Installs as % of total per model per country for four different affiliates running similar campaigns.
Compare the shares per model with the averages per country to get an impression of large deviations. Bots are designed to show uniqueness of the device model, this results in a large variety and a flat curve. In the example above, the shares per model are too perfectly aligned across the affiliates and the country of the campaign and deviate a lot from the averages per country.
3. Time to Install (TTI)
Much has been said and written about the TTI: to the install and opening of the app. It is one of the most important metrics to identify suspicious traffic that is generated too soon or too late after the click. It is also possible to link it to the app ID to filter out the size of the download. In combination with the average internet speed per country , we are able to point out statistical outliers. A simple example of a TTI analysis could look like the graph below.
Example of a time to install analysis, with emphasis on (suspiciously) fast installs.
Although the TTI is an important factor in hong kong phone numbers identifying fraud, it does not immediately detect install fraud. Other articles often state that this would not be possible on Apple devices, but I also find this fraud here. I hope that Apple is already aware of this and that they help to fight this battle against abuse, this can be done with bots. But so far we cannot assume that Apple devices are free of fraudsters. A deviating TTI leads to further analysis for fraud detection.
4. Objectives
To identify install fraud by app install factories and bots, we need to take a closer look at in-app activity. Malicious companies that use real people to get paid for installs will limit themselves to downloading and installing an app. They will not be active in the app itself.
It is easy to set goals regarding in-app activity. Think of reaching certain levels in a game or the number of logins per week. If bots are used to automate in-app activity, this will show an almost 'perfectly stable' pattern and will differ from other affiliates without these bots.
I would explicitly recommend advertisers to set cxearlier in the process. Via a second postback, a pixel is fired by the advertiser's server when a certain goal is reached.