App Install Farms
TrafficGuard Support avatar
Written by TrafficGuard Support
Updated over a week ago

App Install Farms use banks of physical devices to actually click on ads, download apps to devices, and then open them to trigger install events.

The device ID is sometimes reset between app installs, making each install from the same device look like it is a new user.

This tactic makes clicks look like real clicks on real devices because they are, BUT... the users aren't real so there is no real engagement and no ROI for the advertiser.

AKA: Device ID Reset Fraud

Objective: Generate a fake install.

Indicator: High volume of clicks or installs from a single location

A defining characteristic of App Install Farms is the high number of actual devices generating installs from one location. For this reason, some less sophisticated App Install Farms can be detected by high volumes of installs from single IP addresses. As a result, blocking IP addresses is a common method of mitigating this type of traffic after it has been detected.

More sophisticated App Install Farms reroute traffic through anonymous proxies, VPNs or TOR exit nodes. This enables them to distribute traffic over multiple IP addresses to avoid detection. It also serves to disguise traffic origins so that their installs appear to originate from countries that attract higher payouts. These types of App Install Farms can be more difficult to detect - especially from the view-point of a single campaign.

TrafficGuard analyses install and post-install activity from 1000s of campaigns every minute. This broader perspective and abundance of data gives TrafficGuard the ability to identify patterns that would not be visible at an individual campaign level. Close analysis of how sources of traffic behave after the install event, often point to installs resulting from this tactic.

For example, high volumes of traffic from a single source that have limited engagement with the app, fast uninstall or high-uninstall rates all represent behaviours that require further investigation.

Did this answer your question?