Click Injection vs Click Flooding: Mobile Fraud

Click injection and click flooding are two of the most common attacks against mobile install attribution, but they work on opposite principles and need different detection. Injection is a precision hijack of one real install. Flooding is a volume gamble across millions of fake clicks. AppsFlyer’s State of Mobile Ad Fraud has consistently reported install-fraud exposure between 15-25% in unprotected campaigns. ^[1] Juniper Research estimates mobile ad fraud cost advertisers roughly $35 billion in 2023. ^[2]

This comparison shows what each attack does, which signal catches it, and why the same detector tuned for one will miss the other.

How do click injection and click flooding compare?

Mobile attribution fraud takes many forms, but click injection and click flooding are the two click-based attacks every UA team needs to recognize on sight. AppsFlyer’s fraud taxonomy classifies both under “attribution manipulation” and reports them as the most common click-based fraud patterns in unprotected Android inventory. ^[1]

Attack	What it is	How it works	Primary detection signal	Typical victim	Defense
Click injection	Precision hijack of one real install	Malicious app on device intercepts the install broadcast, fires a fake click 1-2 seconds before install completes, wins last-click attribution	CTIT under 2 seconds plus mismatched install-referrer signature	UA teams running on networks with weak install-referrer validation	Play Install Referrer API v2 with signed broadcast; short-CTIT cutoff at MMP
Click flooding (a.k.a. click spamming)	High-volume gamble across organic installs	Fraudster fires millions of fake clicks across many device IDs, hoping to win last-click attribution on organic installs that happen to follow	Click-to-install ratio anomalies (10,000:1+) and long-tail CTIT distribution (hours, not minutes)	Brand-search and organic-heavy apps; affiliate-paid CPI campaigns	Source-level rate limiting; CTIT-distribution analysis; cross-MMP reconciliation

This single table is what most teams come here for. The rest of the article explains why each cell in that table is true, why injection and flooding need separate detectors, and how to wire both into a defense stack.

mobile install fraud

Click injection — the precision attack

Click injection is a targeted attack on a single real install. A malicious app already installed on the victim’s device listens for Android’s INSTALL_REFERRER (or newer install-completion) broadcast and, in the milliseconds before the new app finishes installing, fires a fake click attributed to the fraudster’s network or affiliate ID. Adjust’s mobile fraud research first formalized this attack pattern in 2017 and documented short-CTIT signatures as the primary detection signal. ^[3]

How click injection works mechanically

The attack chain on Android:

1. Victim has a malicious or compromised app installed (often a free utility, flashlight, battery saver, or repackaged game).
2. The victim independently triggers an install of some other app — from the Play Store, an ad click on another network, or any source.
3. Android’s package manager broadcasts com.android.vending.INSTALL_REFERRER (or the newer signed equivalent) as installation begins.
4. The malicious app, which has registered to receive this broadcast, fires a fake click via the fraudster’s tracking link 1-2 seconds before the new app finishes installing.
5. The MMP records the fraudster’s click as the last click before install. Attribution is hijacked.

The fraudster gets paid for an install they did nothing to cause. The legitimate ad network that actually drove the install (or the organic channel) loses the credit.

Why CTIT under 2 seconds is the giveaway

Legitimate mobile installs almost never complete in under 2 seconds. AppsFlyer’s CTIT distribution data shows that the natural peak for paid-install CTIT sits in the 2-5 minute range, with the lower bound rarely dropping below 30 seconds on real installs. ^[1] A click landing 1.4 seconds before install completes is physically impossible for a human-driven install flow: it takes longer than that just to download a modest APK.

In Adsafee-protected Android UA campaigns we routinely observe a sharp bimodal CTIT distribution before defense is enabled: a “real” mode at 90 seconds to 8 minutes, and an injection mode crowded under 2 seconds, almost always concentrated on a small number of repeat publisher IDs. Once short-CTIT blocking is wired in, the injection mode collapses to near zero within the first 48 hours.

Defense against click injection

Three layers, applied together:

1. Google Play Install Referrer API v2 with the signed install broadcast. This gives the receiving app a cryptographically signed timestamp of when the genuine referrer was set, distinguishing the real attribution from an injected late click. ^[4]
2. Strict CTIT cutoff at the MMP. Every major MMP (AppsFlyer, Adjust, Branch, Kochava, Singular) exposes a short-CTIT alert. Set the threshold to 2-3 seconds and reject attribution below that line.
3. Independent fraud layer for cross-source correlation. If the same publisher ID generates many short-CTIT installs across campaigns, that publisher is running injection, not just an unlucky single install.

SDK spoofing detection

Click flooding — the volume attack

Click flooding (also called click spamming) is the opposite strategy. Instead of one precision hijack, the fraudster fires millions of fake clicks across as many device IDs as they can generate, knowing most clicks will never produce an install. The bet is that some of those device IDs will independently install the target app organically, and last-click attribution will award the install to the fraudster. AppsFlyer has reported click flooding as one of the highest-volume click-fraud patterns in mobile install inventory. ^[1]

How click flooding works mechanically

1. Fraudster acquires a list of device identifiers (IDFA, GAID, Android ID) at scale, often from data breaches, SDK leakage, or paid lists.
2. Fraudster fires high-volume click traffic against the target app’s tracking link, attributing each click to a device ID in the list.
3. Most clicks expire without an install. That’s expected.
4. When any device on the list installs the target app organically, the MMP’s last-click attribution model awards the install to the fraudster’s source ID.
5. The fraudster collects CPI payout for an install they had nothing to do with.

The economics are brutal but viable: at $2-4 CPI for premium apps, even a 0.01% “conversion” rate on flood clicks is profitable if click cost is essentially zero.

Why click flooding produces a long, flat CTIT tail

Because the flooded click is fired blind — before the user has any intent to install — the gap between click and install is whatever the user’s actual intent path looks like. That path is hours or days long, not minutes. The CTIT distribution for a flooded source flattens into a long tail across the entire 24-hour attribution window, with no natural peak at 2-5 minutes.

Two anomalies surface in MMP dashboards:

• Click-to-install ratio: legitimate paid sources convert clicks to installs at roughly 1-10% on Android premium inventory. Flooding sources show ratios of 10,000:1 or worse: millions of clicks, dozens of installs. AppsFlyer’s fraud taxonomy flags non-converting source ratios as a primary click-spam indicator. ^[1]
• CTIT distribution shape: instead of the natural 2-5 minute peak, a flooded source shows a flat or near-uniform distribution stretching from minutes to the 24-hour attribution boundary. The shape is the signature, not the median.

Most mobile-attribution tutorials describe click flooding as “a lot of fake clicks.” The more useful framing for detection: click flooding is gambling on organic attribution. The flood doesn’t try to fake installs. It tries to steal credit for installs that would have happened anyway. That reframes defense: you’re not trying to catch fake installs, you’re trying to catch fake attribution on real installs. The signals are completely different from injection.

Defense against click flooding

1. Source-level rate limiting. If a publisher ID sends 5 million clicks and produces 200 installs, the click-to-install ratio is the alert. Most MMPs expose ratio thresholds per source.
2. CTIT-distribution analysis, not just median CTIT. A long median is also normal for some legitimate sources (deferred-deeplink retargeting, for example). The shape of the distribution is what discriminates flooding from legitimate long-tail.
3. Cross-MMP and backend reconciliation. If the MMP credits an install to source X but the same user has never seen source X in your own first-party logs, that’s a flooded attribution. Cross-checking MMP-reported sources against your own click-collection logs catches what single-MMP analysis misses.
4. Limited-attribution windows on suspect sources. Drop attribution windows from 7 days to 24 hours on sources with anomalous distributions. Flooded sources lose most of their wins.

affiliate fraud patterns

Why don’t the same defenses catch both attacks?

This is the key insight most mobile-fraud writeups miss. The two attacks live on opposite ends of the CTIT distribution. Injection clusters under 2 seconds. Flooding flattens out across hours. A detector tuned for one cannot catch the other.

The CTIT spectrum

CTIT distribution shape (schematic):

  count
   ^
   |     INJECTION                                          FLOODING
   |       |                                                  |
   |       |     LEGITIMATE PAID INSTALLS                     |
   |       |     (peak at 2-5 minutes)                        |
   |       |          /\                                      |
   |       |         /  \                                     |
   |       |        /    \                                    |
   |       |       /      \____                               |
   |       |      /            \___                           |
   |       *_____/                 \________________  ........|.....
   |       0s    30s   2min   5min   30min   2hr     12hr   24hr
   +------------------------------------------------------------> CTIT
            |                                                  |
            ^                                                  ^
       INJECTION SPIKE                                  FLOODING LONG TAIL
       (under 2 seconds)                            (uniform spread, hours)

A short-CTIT filter set at “anything under 10 seconds is fraud” catches the injection spike on the left but is blind to the flooding tail on the right. A long-CTIT filter or volume-ratio rule catches the flooding tail but ignores the injection spike. They must run as independent rules, not a single threshold.

On Adsafee deployments, the most common misconfiguration we see in incoming UA stacks is exactly this: a single CTIT rule tuned for one of the two attacks, with the other attack going completely undetected. Teams will say “we have CTIT-based fraud detection” and mean “we filter sub-2-second installs,” then watch their organic-attribution share collapse over the following quarter as a flooding source quietly drains their attributable installs.

The detection matrix

Defense rule	Catches injection	Catches flooding
Short-CTIT cutoff (under 2-3 sec)	Yes	No
Long-CTIT-only filter	No	Partial
Click-to-install ratio threshold	No	Yes
CTIT-distribution shape analysis	Partial	Yes
Install Referrer API v2 signature check	Yes	No
Cross-MMP / backend reconciliation	Partial	Yes
Source-level rate limiting	No	Yes

The matrix is the architecture spec. A defense stack needs at least one “Yes” in each column.

ad fraud taxonomy

What does a layered detection pattern look like?

The complete defense for mobile install attribution combines four independent layers running in parallel. Each layer catches a different attack family. None of them alone is sufficient.

Layer 1: install referrer validation (catches injection)

Enable Play Install Referrer API v2 with signed broadcast on Android. Reject attributions where the signed referrer timestamp differs by more than a few seconds from the click timestamp claimed by the network. This is the cheapest, most decisive single defense against click injection, and Google’s documentation specifies the integration pattern. ^[4]

Layer 2: CTIT thresholding (catches injection edges)

At the MMP, set a short-CTIT cutoff at 2-3 seconds. Every reputable MMP — AppsFlyer, Adjust, Branch, Kochava, Singular — exposes this rule. Investigate any source that fires installs below the threshold for more than 0.1% of its attributed installs. ^[5]

Layer 3: source-level ratio and distribution analysis (catches flooding)

Track click-to-install ratio per publisher ID. Any source above 1,000:1 with material click volume gets paused for review. Track CTIT distribution shape per source weekly. Flat distributions across the attribution window indicate flooding. Cross-reference against benchmark shapes from organic and proven-legitimate paid sources.

Layer 4: cross-source reconciliation (catches both, plus other fraud)

The MMP sees what it’s told. Your backend sees what actually happened. Reconcile MMP-attributed installs against first-party click logs daily. Discrepancies surface flooding (clicks the MMP credits that your logs never saw a user respond to) and other attribution manipulation. Above $50k/month UA spend, add an independent fraud-detection layer that runs cross-source correlation natively. ^[1]

Where Adsafee fits

Adsafee runs an independent fraud-detection layer that complements your existing MMP. We score every click and install event against technical, behavioral, and network signals, return verdicts under 100ms, and surface short-CTIT and long-tail flooding patterns in the same dashboard so the same operator can act on both. We integrate via S2S postback with major MMPs and trackers, and we publish per-source signal breakdowns rather than aggregate scores, so dispute and pause decisions are auditable.

If you’re running paid mobile UA above $20k/month on Android and don’t yet have an independent layer above your MMP, start a free trial — first setup takes about 15 minutes against AppsFlyer, Adjust, or Branch.

app-ads.txt for mobile

Frequently asked questions

What is the difference between click injection and click flooding?

Click injection is a precision hijack: a malicious app on the victim’s device fires a fake click in the final seconds before a real install completes, stealing attribution for that one install. Click flooding is a volume attack: fraudsters fire millions of clicks across device-ID lists, betting that some devices will install organically and last-click attribution will award the credit. Injection lives at short CTIT (under 2 seconds); flooding lives in the long CTIT tail (hours).

What is CTIT and why does it matter?

CTIT (Click-to-Install Time) is the elapsed time between an attributed click and the resulting install. AppsFlyer’s data shows legitimate paid installs cluster around a 2-5 minute peak. CTIT below 2 seconds is the click-injection signature. A flat distribution across 24 hours with no peak is the flooding signature. CTIT is the single most useful signal for distinguishing both attacks from legitimate attribution.

Can one rule catch both attacks?

No. The two attacks sit at opposite ends of the CTIT distribution and the click-volume ratio. A short-CTIT rule catches injection but misses flooding entirely. A ratio or distribution-shape rule catches flooding but ignores injection. Layered detection with both rules running independently is required.

How big is the mobile install fraud problem?

AppsFlyer has reported install-fraud exposure between 15-25% of non-organic installs in unprotected campaigns. Juniper Research estimates mobile ad fraud cost advertisers approximately $35 billion in 2023. Click injection and click flooding together account for a large share of attributed-install fraud, with flooding generally higher by volume and injection delivering higher per-attack payout.

---

Sources

1. AppsFlyer, “State of Mobile Ad Fraud” reports — install-fraud exposure 15-25% in unprotected campaigns; CTIT distribution data and fraud taxonomy including click flooding and click injection. appsflyer.com/resources/reports/mobile-ad-fraud ↩

2. Juniper Research, “Future Digital Advertising: AI, Ad Fraud & Ad Spend 2023-2028” — mobile ad fraud estimated $35B in 2023, total ad fraud projected $172B by 2028. ↩

3. Adjust, “Click injection: how it works and how to detect it” — original 2017 formalization of the attack and short-CTIT detection signature. adjust.com ↩

4. Google Play Console documentation, “Play Install Referrer API” — signed install broadcast for verifying attribution timestamps on Android. developer.android.com/google/play/installreferrer ↩

5. IAB Tech Lab, “Mobile App Advertising Identifier and Measurement Guidelines” — mobile attribution validation standards and CTIT-based fraud signals. iabtechlab.com ↩