List of Singular Fraud Protection Methods

These are the preconfigured fraud protection methods that Singular offers in order to protect you from different types of ad fraud. You can enable or disable each method separately.

Screen_Shot_2022-03-02_at_13.08.43.png

Fake Installs Protection Methods

Android Install Validation

To tackle install fraud on Android, Singular has developed Android Install Validation - a proprietary, deterministic method of evaluating an install and making sure it is legitimate. Android Install Validation detects and prevents all known forms of fake install attacks at a significantly higher level of accuracy than any tools developed previously.

What is install fraud?

While other types of attribution fraud rely on stealing the credit for legitimate app installs, install fraud is based on the creation of fake installs and fake users for the purpose of getting the installs attributed.

Install fraud appears in a variety of forms:

  • Device farms: Fraudsters get a large number of devices, use them to click on tracking links and install apps, then open the apps and delete them. The fraudsters reset each device’s Android Advertising ID (or IDFA, on iOS) before the next use.
  • Emulators and bots: As a technological step up from device farms, emulators and bots are used to simulate having a lot of devices and a lot of people who click on tracking links and install apps.
  • SDK Spoofing: Instead of actually installing an app, the fraudsters fake the MMP’s SDK traffic to send fake install reports.
  • Malware: Malicious apps install legitimate apps on users’ devices without the users’ knowledge or permission.

Fraud Prevention providers have mostly been using various statistical methods to detect install fraud, but these methods have weaknesses, and fraudsters have found ways to work around them and avoid detection.

How does Singular protect me from install fraud?

To tackle install fraud, Singular has developed Android Install Validation - a new, deterministic method of evaluating an install and making sure it is legitimate. Android Install Validation detects and prevents all known forms of fake install attacks at a significantly higher level of accuracy than any tools developed previously.

While the Google Play Store doesn’t provide install receipts like the Apple App Store's, there are signals that the Play Store provides and Singular collects in order to make sure that the app was installed from the Play Store by a real Play Store user.

Singular also makes sure the same user isn’t responsible for a large number of installs.

Notes:

  • Android Install Validation works only on installs coming from the Google Play Store (as most Android app installs do).
  • This method requires integrating the Singular SDK version 7.4.1 or above.
  • By Adding Your Google Play Licensing Key, Singular can verify install receipts cryptographically.
How do I use Android Install Validation?

To avoid triggering Android Install Validation, fraudsters may try to have their app report that it was not installed from the Play Store and/or that the SDK version is older.

We recommend adding custom (user-defined) rules in order to:

1. Detect non-Play Store installs

Detect installations outside of the Play Store for campaigns and sources that should point only at the Play Store.

Rule example:

Screen_Shot_2019-08-22_at_20.17.54.png

2. Detect installs by outdated SDK versions

Once you update the app’s SDK, there aren’t supposed to be any new installs of the app with an older SDK.

Rule example (make sure to specify the right SDK version for your app!):

Screen_Shot_2019-08-22_at_20.19.08.png

To learn how to create rules, see Configuring User-Defined Fraud Rules.

iOS Install Receipt Validation

Apple provides a receipt for each app installed on an iOS device through iTunes. The receipt can be used to verify that the app has been installed by a real user on a real device. Receipt verification is a multi-step process:

  1. Making sure that a receipt exists.
  2. Verifying the authenticity of the receipt by checking Apple’s digital signature.
  3. Validating the receipt by matching the receipt’s details to the current installation (for example comparing the app’s longname).
  4. Ensuring that the receipt hasn’t been used for another install (so that fraudsters wouldn’t re-use the same receipt on multiple installations/devices).

Note: Singular performs receipt validation only on devices with iOS 7.0 or higher and only when the app includes a Singular SDK of version 8.2 or higher.

Attribution Manipulation Protection Methods

Android Click Injection Protection

In click injection, the fraudster detects an app install by a real user and creates a fake click (or impression) in order to hijack the install attribution.

To protect against click injection, Singular’s new detection method uses Google Play Referrer values and timestamps to identify impressions and clicks that occur after users were directed to the Play Store or initialized an install.

What is click injection?

In click injection, the fraudster monitors a real user’s device for app installs - usually through a malicious app that has been installed on the device. When the user installs a new app, the malicious app creates a fake click (or impression) in order to hijack the app install attribution.

How does Singular detect click injection?

Singular uses Google Play Referrer values and timestamps to detect impressions and clicks that occur after users were directed to the Play Store or initialized an install.

These fake impressions and clicks can then be rejected.

Android Organic Poaching Protection

In Organic Poaching, a fraudster claims credit for an app install that is, in fact, organic and should not be attributed to any source.

Singular’s new protection method detects signals from the Google Play Store that an app install is organic (not associated with any ad clicks). Any clicks associated with this install can then be identified as an organic poaching attempt.

What is organic poaching?

In Organic Poaching, a fraudster claims credit for an app install that is in fact organic and should not be attributed to any source. This fraud can be achieved through either click spamming or click injection.

Organic poaching is costly for advertisers as it makes them pay for users who have in fact converted organically.

How does Singular detect organic poaching?

Singular’s Organic Poaching Protection method detects signals from the Google Play Store that an app install is organic (not associated with any ad clicks). Any clicks associated with this install can then be identified as an organic poaching attempt.

Note: This protection method may trigger high percentages if a network sends impressions instead of clicks. Customers can prevent this by using custom rules to apply Organic Poaching prevention only to relevant sources (see Configuring User-Defined Fraud Rules).

Time-to-Install (TTI) Outliers Detection

“Click injection” attacks involve detecting an installation and firing a fake click. They can often be detected by looking at the Time-to-Install (TTI) - the time between the click and the install. The click is fired right as the app finished installing, so it often results in an abnormally short TTI.

Geo-Bleed Detection

Singular detects a distance between the click location and the install location that was impossible for a real end-user to travel in the time that passed between the click and the install. For example, if an end-user clicks an ad, and two hours later there is an install event from 10,000 km away, this is probably a fraudulent install.

Hyper-Engagement

Attacks such as click spamming and click injections create an influx of clicks from the same source. Singular detects the suspicious activity and can reject clicks coming from the same source.

General Protection Methods

Blacklisted IPs

Singular detects touchpoints coming from known suspicious IP ranges, which include:

  • Cloud Service Providers and Data Centers
  • Proxy and IP anonymization services
  • TOR exit points
  • High-risk IPs: IPs that have been spotted doing fraudulent or other abusive activity on the internet.

Singular maintains a regularly updated list of these IP ranges.

Was this article helpful?