Click Injection: How to Detect and Block It

Lakshith Dinesh

Head of Growth, Linkrunner

Click injection rarely shows up as a line item in an MMP dashboard. It hides in your Android install referrer data, sitting between an app launch and the broadcast that says which click last touched the device. By the time the install is attributed, a fraud SDK has already won the race.

Across Android-heavy audits, a recurring pattern shows up: a non-trivial share of paid installs concentrated in a sub-1-second click-to-install bucket. The headline lag looks great. The reality is that the lag is fake. A malicious app on the device listened for the install broadcast, fired its own click in the milliseconds before the broadcast resolved, and took attribution credit away from the actual source.

The good news: click injection is one of the most diagnosable fraud types. Android's install referrer architecture leaves a clear forensic trail. The signals are public, the remediations work, and the controls are documented.

The bad news: every MMP claims to handle it, but the gap between "we filter it" and "we expose the filter so you can verify" is wide. This post walks through the mechanic, the signals to look for in your own data, the queries to run, and the controls that actually block it.

What Is Click Injection?

Click injection is a mobile attribution fraud method in which a malicious app on an Android device fires a fake click immediately before an install completes, stealing attribution credit from the real source of the install.

The mechanic on Android:

  • A user installs an app from the Play Store.

  • Android broadcasts INSTALL_PACKAGE_REPLACED (or, on older patterns, INSTALL_REFERRER) when the install completes.

  • A fraudulent app on the device, with a broadcast listener registered, hears this broadcast.

  • The fraud SDK fires a click event to an ad network in the milliseconds before Android resolves attribution.

  • The MMP sees the fake click as the most recent touch and credits the fraud sub-publisher.

Why iOS is largely insulated: iOS does not use a broadcast-based install referrer. The system attribution flow goes through SKAdNetwork or signed SAN postbacks. There is no analogous race condition for a third-party app to exploit at install time.

How Click Injection Actually Steals Credit

The window matters. Android's install completion broadcast typically resolves within a few hundred milliseconds. That is enough time for a listening SDK to fire a click, sign it with a known ad network identifier, and submit it to a tracking endpoint before the legitimate click is recorded as the last touch.

Three behaviours show up in the fraud SDK code:

  • Broadcast listener registration on package install events. This is the canonical entry point. The listener fires on every install across the device.

  • Click signing with a plausible network and sub-publisher. Fraudulent SDKs piggyback on real networks, often through unverified sub-publisher chains.

  • Per-device frequency throttling. Sophisticated injection rotates which apps it targets so the pattern does not concentrate on a single bundle ID and trip simple anomaly checks.

The economics are simple: cents per stolen install, but at scale and across multiple advertisers, that compounds into lakhs of rupees per month moved from real channels to fraud sub-publishers.

The Signals That Show Click Injection in Your Data

The most reliable signals to look for:

  • Sub-1-second click-to-install lag concentrated on specific networks or sub-publishers. A healthy click-to-install lag on Android sits in the seconds, not sub-second. In roughly 65k matched click-install pairs from around 80 Linkrunner projects over the last five to six weeks, the Android median click-to-install lag was around 15 seconds. Anything materially below the floor on a specific sub-publisher is a signal worth investigating.

  • Suspicious referrer values from non-attributed channels appearing on installs attributed to paid networks.

  • Concentration of installs to a small set of device fingerprints (model, OS version, screen size combos).

  • Disproportionate Android non-organic share vs iOS non-organic share for the same campaigns. Injection compresses Android organic and inflates Android non-organic.

  • Install-to-revenue gap by sub-publisher. Injected installs rarely convert. A sub-publisher with high install volume and near-zero revenue or D7 retention is suspect.

The injection signal often overlaps with the paid-organic cannibalisation pattern, and the two should be diagnosed together: injection eats organic and inflates paid; the symptom looks similar in the dashboard.

Detection Queries You Can Run Today

Three concrete cuts that surface injection without needing a fraud vendor:

  1. Click-to-install lag percentiles by network. Pull P5, P10, P50 on click-to-install seconds for the last 30 days, grouped by ad network and sub-publisher. Sub-publishers with P5 below 1 second and P50 well below the Android baseline are flagged for review.

  2. Outlier sub-publisher LTV. For sub-publishers above a meaningful install threshold (say 1k installs in 30 days), compute revenue per install and D7 retention. Outliers on the low end concentrate fraud.

  3. Cross-platform organic share check. Plot Android organic share vs iOS organic share over time for the same product. A sustained, unexplained drop in Android organic share alongside flat iOS organic is consistent with injection eating organic credit.
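
The first cut above, worked over data, as an added example that is not Linkrunner's code: it computes P5, P10 and P50 click-to-install lag per network and sub-publisher and flags the rows that match the rule. The 15-second baseline is the median quoted earlier in this post; the half-of-baseline reading of "well below", the minimum pair count, the tuple layout and the sample pairs are assumptions constructed for illustration.

```python
from collections import defaultdict

ANDROID_BASELINE_P50 = 15.0  # seconds; the Android median lag quoted in this post
P5_FLOOR = 1.0               # seconds; the post's sub-1-second threshold
P50_RATIO = 0.5              # assumption: "well below baseline" = under half of it
MIN_PAIRS = 10               # assumption: sized for this sample; raise for real data

def percentile(sorted_vals, p):
    """Linear-interpolated percentile (p in 0..100) of a non-empty sorted list."""
    k = (len(sorted_vals) - 1) * p / 100
    lo = int(k)
    hi = min(lo + 1, len(sorted_vals) - 1)
    return sorted_vals[lo] + (sorted_vals[hi] - sorted_vals[lo]) * (k - lo)

def lag_report(pairs):
    """pairs: (network, sub_publisher, click_ms, install_ms) epoch-millisecond tuples."""
    lags = defaultdict(list)
    for network, sub_pub, click_ms, install_ms in pairs:
        lag = (install_ms - click_ms) / 1000
        if lag >= 0:  # a click dated after the install has no lag; keep it out
            lags[(network, sub_pub)].append(lag)
    report = {}
    for key, vals in lags.items():
        if len(vals) < MIN_PAIRS:
            continue  # too few pairs for a stable P5
        vals.sort()
        p5, p10, p50 = (percentile(vals, p) for p in (5, 10, 50))
        report[key] = {
            "n": len(vals), "p5": p5, "p10": p10, "p50": p50,
            "flagged": p5 < P5_FLOOR and p50 < ANDROID_BASELINE_P50 * P50_RATIO,
        }
    return report

# Constructed sample: one base click time plus per-install lags in milliseconds.
BASE_MS = 1_700_000_000_000

def _pairs(network, sub_pub, lags_ms):
    return [(network, sub_pub, BASE_MS, BASE_MS + lag) for lag in lags_ms]

SAMPLE_PAIRS = (
    _pairs("net_x", "sp_a", [9000, 12000, 14000, 15000, 16000, 18000, 21000, 25000, 30000, 44000])
    + _pairs("net_x", "sp_b", [200, 300, 300, 400, 500, 600, 700, 800, 2000, 11000])
    + _pairs("net_x", "sp_c", [300, 400, 500])  # sub-second but too few pairs
)

if __name__ == "__main__":
    for key, row in sorted(lag_report(SAMPLE_PAIRS).items()):
        print(key, row)
```
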

These three are the starting point. The attribution discrepancy diagnostic covers the broader workflow when injection is one of several causes a team is sorting through.

The Controls That Actually Block Injection

Ranked by effectiveness:

  1. Google Play Install Referrer API (v2 or newer). This is the canonical, signed, race-condition-free source. The API returns a server-signed referrer payload that fraud SDKs cannot forge. If your SDK is still relying on the BROADCAST_INSTALL_REFERRER intent, switch.

  2. SDK-level installer detection. Verify the INSTALLER_PACKAGE name on first launch and treat installs from anything other than the Play Store as a different attribution class (sideloads, OEM stores, etc.).

  3. MMP-side fraud filters. Sub-1-second click bucket filtering, P5 lag thresholds, sub-publisher anomaly scoring. The important question to ask your MMP: do they expose the pre-filter and post-filter install counts so you can verify the filter is doing something?

  4. Meta Install Referrer specifically for Meta-attributed installs. Meta's signed install referrer is the canonical defence against injection on Meta paid traffic on Android. Linkrunner supports Meta Install Referrer as a first-class signal; if your MMP does not surface it, that is a gap.
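
An added example (not Linkrunner's or Google's code) of how controls 1 to 3 combine on the server: each network-reported click is checked against the installer package and the install-begin timestamp that the Play Install Referrer API reports, and pre-filter and post-filter counts are kept per sub-publisher so the filter can be audited. The record keys, verdict labels and sample claims are hypothetical and constructed for illustration.

```python
from collections import Counter

PLAY_STORE_PACKAGE = "com.android.vending"  # Google Play's installer package name

def classify_claim(install, click):
    """Return (verdict, reason) for one network-reported click on one install.

    Hypothetical record keys: install["installer_package"],
    install["install_begin_ts"] (epoch seconds, read from the Play Install
    Referrer API on the device) and click["click_ts"] (epoch seconds).
    """
    if install["installer_package"] != PLAY_STORE_PACKAGE:
        return "other_class", "installer is not the Play Store"
    begin = install.get("install_begin_ts")
    if begin is None:
        return "unverified", "no install-begin timestamp reported"
    if click["click_ts"] >= begin:
        # The user had already started the install: this click cannot be its cause.
        return "rejected", "click is dated after the install began"
    return "eligible", "click precedes install begin"

def filter_counts(claims):
    """Pre-filter and post-filter install counts per sub-publisher."""
    pre, post = Counter(), Counter()
    for install, click in claims:
        pre[click["sub_publisher"]] += 1
        if classify_claim(install, click)[0] == "eligible":
            post[click["sub_publisher"]] += 1
    return {sp: {"pre": pre[sp], "post": post[sp]} for sp in pre}

# Constructed sample claims (timestamps in epoch seconds).
def _claim(sub_pub, click_ts, begin, installer=PLAY_STORE_PACKAGE):
    install = {"installer_package": installer, "install_begin_ts": begin}
    return install, {"sub_publisher": sub_pub, "click_ts": click_ts}

SAMPLE_CLAIMS = [
    _claim("sp_a", 1_700_000_000, 1_700_000_020),  # click 20 s before install begin
    _claim("sp_b", 1_700_000_041, 1_700_000_020),  # click after install began
    _claim("sp_b", 1_700_000_090, 1_700_000_060),  # click after install began
    _claim("sp_b", 1_700_000_100, 1_700_000_130),  # click before install begin
    _claim("sp_c", 1_700_000_000, 1_700_000_030, installer="com.example.oemstore"),
]

if __name__ == "__main__":
    print(filter_counts(SAMPLE_CLAIMS))
```

A wide gap between `pre` and `post` for one sub-publisher is the number to bring to the network dispute.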

A note on AI-based detection: machine-learning fraud detection layers sit on top of the four controls above. They are useful for sophisticated fraud that evades the static rules, but the static rules close the majority of click injection cases on their own.

What to Do When Injection Is Confirmed

The sequence:

  • Pull the affected install set with full sub-publisher, click ID, click timestamp, install timestamp, and post-install behaviour fields. This is the evidence packet.

  • Dispute with the ad network partner. Most networks have a fraud dispute flow. The packet should include the sub-publisher ID, the install volume, the click-to-install lag percentile breakdown, and the post-install LTV gap. Keep the framing factual, not accusatory.

  • Blocklist the sub-publisher inside the MMP and the ad network. Recheck monthly: blocked sub-publishers often rotate identifiers.

  • Escalate to the platform (Google Play Store, MMP vendor) if a specific sub-publisher recurs across multiple advertisers in your network. Coordinated blocklisting is more effective than per-advertiser work.

  • Reallocate the recovered spend to organic credit attribution or other paid channels. The hidden cost of inaccurate attribution compounds quickly if the rebalancing step is skipped.

FAQ

Q: What is the difference between click injection and click flooding?

Click injection waits for an install broadcast and fires a fake click in the milliseconds before attribution resolves. Click flooding fires high volumes of fake clicks ahead of time, hoping one of them lands inside the attribution window of a real install. Injection is more precise; flooding is more brute force.

Q: Can click injection affect iOS attribution?

Largely no. iOS does not use a broadcast-based install referrer, and SKAdNetwork postbacks are signed by Apple, so there is no equivalent race condition. iOS has its own fraud surface (click flooding, fingerprint farms), but injection specifically is an Android problem.

Q: What is the Google Play Install Referrer API and how does it help?

The Play Install Referrer API returns a server-signed install referrer payload that a third-party SDK on the device cannot forge. Using it as the source of truth for install attribution eliminates the broadcast race that injection exploits.

Q: Does my MMP automatically block click injection?

Most MMPs run some form of sub-second click filter. The right question is whether your MMP exposes the pre-filter and post-filter install counts, so you can verify the filter is working and quantify the fraud being caught. If the dashboard only shows post-filter counts, you have no way to audit.

Q: How do I dispute injected installs with an ad network?

Pull the affected install set with click ID, sub-publisher ID, click and install timestamps, and post-install LTV. Submit through the network's fraud dispute flow with a clear summary of the click-to-install lag distribution and the LTV gap. Most networks process disputes within 30 to 60 days.

Closing

Click injection is solvable. The Google Play Install Referrer API closes the race condition. SDK installer detection covers sideload-based variants. MMP-side filters catch the residual. Meta Install Referrer covers Meta paid traffic specifically. The work is mostly in detection: building the right dashboard cuts and running them weekly, then disputing what you find with the network partner.

If you want to see how an MMP that exposes Meta Install Referrer, sub-publisher lag distributions, and pre-filter / post-filter install counts handles this end to end, request a demo from Linkrunner. Or pull the last 30 days of attributed installs in your current setup and look at the P5 click-to-install lag by sub-publisher. If a meaningful share sits below one second, you have the start of the evidence packet.
