A traffic source can look like one of your best performers and still be taking credit for something it never earned. It reports a healthy volume of installs at a low cost per install, and the users behind them hold up: they open the app, some stick around, some convert.
That is what makes click injection hard to catch. The installs are real people who genuinely wanted the app. They simply found it on their own, or through another channel, and a fraudulent source slipped in at the last second to claim the credit, so you end up paying for installs you were always going to get.
Click injection is an Android-specific form of mobile ad fraud that has been draining install budgets for years, and its defining move is to steal the credit for a genuine install rather than fabricate a fake one.
The tell is not the install count, which looks healthy, and not the users, who behave like the real people they are. It is that the source is being paid for installs you would have won without it.
Key takeaways
- Click injection is an Android-only scheme. A malicious app already on the device detects that an install is starting and fires a fake click right before the app opens, so the credit lands on the fraudulent click instead of the source that earned it.
- It works because mobile attribution rewards the last click before an install. The injected click wins on timing alone, not because it drove anything.
- The clearest signal is timing. Injected installs show a very short click-to-install time, often within 3 to 10 seconds, and the Google Play Install Referrer can expose a click that arrived after the install had already begun.
- Timing detection is probabilistic and reads patterns across many installs, not a single fast one, so it works alongside measurement-partner filtering and post-install behavior checks rather than on its own.
What Click Injection Is
Click injection hijacks the payout for an install that was always going to happen.
The user finds your app through search, a friend, or a different campaign and starts installing it. A piece of software already on the phone notices that an install is underway and sends a fake ad click at the last possible moment, just before the app opens.
To the measurement system, that click now looks like the thing that drove the install, so the reward flows to whoever sent it. AppsFlyer describes the mechanism plainly: “junk apps” sit dormant on the device, listen for the system signal that a new app is being installed, and wake up to fire a click that steals credit for an organic install or for one that another source genuinely earned.
The reason this is an Android problem is architectural. Android lets installed apps listen for system broadcasts, including the signal that a new app is being added. That broadcast is the opening that a malicious app needs to time its click perfectly. iOS does not expose install activity to other apps in the same way, so the technique does not carry over.
Why Last-Click Attribution Makes It Possible
To see why one well-timed click is worth stealing, you have to look at how installs get credited. Mobile measurement runs on last-click attribution: when someone installs an app, the mobile measurement partner, the platform that adjudicates these claims, awards the install to whichever source delivered the most recent click before installation. The rule is simple and easy to administer, and it holds up well until someone learns to control the timing.
Click injection controls the timing by making sure the fraudulent click is always the last one. The user may have discovered your app on their own, but the injected click lands a fraction of a second before the app finishes installing, so it wins the attribution race by default. The source that genuinely earned the install gets nothing, and the budget drifts toward a source that added no real value.
[Figure: Legitimate click vs injected click. Why a fake click wins credit for an install it never drove.]
The legitimate click happens before the install starts. The injected click is fired after installation has already begun, then claims the credit. Comparing the click time against the install-begin timestamp from the Google Play Install Referrer is what exposes the fraud.
How Click Injection Compares to Other Install Fraud
Click injection is one of several schemes that manipulate install attribution, and they are easy to confuse because they all end in the same place: credit assigned to a source that did not earn it. The differences are in when the fake signal fires and what it leaves behind. The table below follows the taxonomy Adjust uses in its breakdown of click spam and related fraud.
| Fraud type | How it works | When the fake signal fires | Telltale trait |
| --- | --- | --- | --- |
| Click injection | A malicious app detects an install in progress and fires a click just before the first launch | In the seconds during installation | Android-specific; very short click-to-install time |
| Click spam / click flooding | Sends large volumes of fake clicks with no real ad shown, betting one lands before an organic install | Before the install, sometimes hours or days ahead | Long, scattered click-to-install times; very low conversion per click |
| SDK spoofing | Fabricates install or engagement signals by imitating measurement-SDK traffic | Entirely server-side, no real device | No real click, no real device behind the signal |
| Fake installs | Uses real or emulated devices, bots, or device farms to generate installs | Around a real or simulated install event | Often mixed with genuine traffic to stay hidden |
Keeping these apart matters because they leave different fingerprints, and the timing signal that catches one will miss another. Click injection and click flooding sit at opposite ends of the same measurement: injection collapses the time between click and install, while flooding stretches it out.
How to Spot It: The Timing Signals
The strongest tell is time, and the metric that carries it is click-to-install time, or CTIT, the gap between the recorded click and the first time the app opens. A genuine journey has friction built into it. A person taps an ad, waits for the store page, reads it, taps install, waits for the download, and only then opens the app, so the elapsed time is usually measured in minutes.
An injected click is fired as installation completes, which compresses that gap to almost nothing. Adjust reports that click injection “results in a very short CTIT, typically within 3 to 10 seconds,” and that band is one of the clearer markers a detection system can act on.
The Google Play Install Referrer adds a sharper instrument. As Adjust’s install-referrer explainer notes, the referral content the Play Store returns can include both the timestamp of when the click occurred and the timestamp of when the install began. Those two numbers are what break the trick open. A real ad click happens before the install starts; an injected click happens after it has already begun. When the recorded click lands inside the install window rather than ahead of it, the sequence is physically backwards, and the claim can be rejected.
[Figure: Where real and injected installs land on the clock. Injected installs bunch up in the first seconds; real ones spread across minutes.]
Real installs spread across minutes as people open the store page, download the app, and launch it. Injected installs cluster at a click-to-install time of just 3 to 10 seconds, because the fake click fires as the install finishes. A source whose installs pile up in that band is the one to investigate.
When a Fast Install Is Innocent
Timing signals are powerful, but treating a short install time as proof of fraud is where teams get into trouble.
A fast CTIT can be perfectly innocent. Adjust’s own breakdown lists several ordinary causes, including small app download size, fast network connections, and high-performing devices, all of which can shorten the gap between click and first open.
A single quick install is not evidence of anything. What detection actually leans on is the shape of the distribution across many installs: a source where a large cluster of conversions all land in the 3-to-10-second band looks very different from one with the natural spread of real human behavior.
The Install Referrer has some limits too. It covers the Google Play Store, and other Android stores such as Samsung’s Galaxy Store and Huawei’s AppGallery run their own referrer systems, so coverage depends on where the install came from. Sideloaded installs and unusual distribution paths fall outside it.
And because the whole scheme is Android-specific, none of this applies to iOS, which solves the click-injection problem through platform design rather than detection. What buying teams often underestimate is how ordinary a single injected install looks in isolation. The fraud is legible in aggregate, not in any one line of a report.
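The two timing checks described above, the Install Referrer ordering test and the per-source CTIT distribution, as an added example that is not code from this article or from any measurement partner. The record layout, source names, sample timestamps, and the `MIN_INSTALLS` and `CLUSTER_SHARE` thresholds are assumptions chosen for illustration; only the 10-second upper edge comes from the band quoted in the text.

```python
from collections import defaultdict

# Constructed sample records (not real data), Unix seconds:
# (source, click_ts, install_begin_ts, first_open_ts).
# install_begin_ts is None when no Play Install Referrer data exists.
INSTALLS = [
    ("net_a", 1000, 1045, 1300), ("net_a", 2000, 2080, 2500),
    ("net_a", 3000, 3030, 3200), ("net_a", 4000, 4100, 4900),
    ("net_a", 5000, 5002, 5009),  # fast but innocent: click precedes install begin
    ("net_a", 6000, 6050, 6400),
    ("net_b", 7057, 7000, 7060), ("net_b", 8094, 8000, 8099),
    ("net_b", 9072, 9000, 9080), ("net_b", 10051, 10000, 10055),
    ("net_b", 11063, 11000, 11070),
    ("net_b", 12044, None, 12050),  # non-Play install: ordering check unavailable
]

SHORT_CTIT_S = 10    # upper edge of the 3-to-10-second band cited in the text
MIN_INSTALLS = 5     # assumption: skip sources with too few installs to judge
CLUSTER_SHARE = 0.5  # assumption: short-CTIT share that warrants investigation

def click_after_install_begin(click_ts, install_begin_ts):
    """True if the click landed after the install began (backwards sequence).
    Returns None when there is no referrer timestamp to compare against."""
    if install_begin_ts is None:
        return None
    return click_ts > install_begin_ts

def score_sources(installs):
    """Aggregate both signals per source; no single install decides anything."""
    stats = defaultdict(lambda: {"n": 0, "rejected": 0, "no_referrer": 0, "short": 0})
    for source, click_ts, begin_ts, open_ts in installs:
        s = stats[source]
        s["n"] += 1
        verdict = click_after_install_begin(click_ts, begin_ts)
        if verdict is None:
            s["no_referrer"] += 1
        elif verdict:
            s["rejected"] += 1
        if open_ts - click_ts <= SHORT_CTIT_S:  # CTIT = first open minus click
            s["short"] += 1
    report = {}
    for source, s in stats.items():
        share = s["short"] / s["n"]
        report[source] = {
            "installs": s["n"], "rejected": s["rejected"],
            "no_referrer": s["no_referrer"], "short_share": round(share, 2),
            "investigate": s["n"] >= MIN_INSTALLS and share >= CLUSTER_SHARE,
        }
    return report
```

In the sample, `net_a` keeps its one fast install because the click still precedes install begin and the source's overall spread is wide, while `net_b` is marked for investigation on the distribution even for the install that has no referrer data.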
How Platforms and Advertisers Defend Against It
The same timestamps that make injection possible also make it detectable, and the industry has organized around catching it.
Measurement partners run real-time filtering that compares click and install timestamps and rejects claims that do not line up before they reach your billing.
On the supply side, companies apply their own validation so that suspicious install patterns are flagged and filtered rather than passed along as clean conversions.
None of these layers is a single gate. Each one catches what the others miss, and each works on probabilities rather than certainties, which is why human review still sits behind the automated rules when a source is borderline.
Advertisers have a real part to play, because no filter replaces watching your own data.
The catch with click injection is that the installs come from real users, so they do not stand out in engagement or retention. Those people behave normally because they genuinely wanted the app, which means post-install quality is the wrong place to look.
The mismatch that exposes injection is incrementality: a source built on injected installs keeps claiming conversions that would have arrived anyway, so its reported volume barely moves when you cut or pause its spend.
Watching whether a source’s installs actually rise and fall with budget, routing attribution through a measurement partner that enforces install-referrer checks, and treating any source with a suspiciously tight CTIT cluster as something to investigate before scaling it together close most of the gap that injection relies on.
Wrapping Up
Click injection persists because it sits on top of behavior that is entirely real, which makes it harder to dismiss than obviously fabricated traffic.
The practical move is to stop reading install counts as a measure of a source’s worth and start asking whether each source actually adds installs you would not otherwise have won. Pair that question with a measurement partner that enforces install-referrer timestamps and CTIT checks, and the leak that injection depends on mostly closes.
The advertisers who lose the least are the ones who test whether a source is driving installs or just claiming them.
FAQ
Is click injection the same as click fraud?
Not exactly. Click fraud is a broad label for any scheme built on fake or manipulated clicks. Click injection is one specific variety, aimed at stealing attribution for installs that were already going to happen by timing a fake click to be the last one before the app opens.
Does click injection affect iOS?
It is overwhelmingly an Android phenomenon. The technique depends on Android’s install broadcasts to detect the exact moment an install begins. iOS does not expose that signal to other apps, so the approach does not translate.
Can the Google Play Install Referrer stop it on its own?
It is the single most useful tool, because its install-begin timestamp shows when a click arrived relative to the install. On its own, it is a strong filter, but it covers Play Store installs rather than every Android distribution path, so most defenders pair it with CTIT analysis and measurement-partner filtering.
How do I know if my own campaigns are affected?
Because the installs come from real users, engagement and retention usually look fine, so those are the wrong signals to chase. Look instead at click-to-install times that bunch up in the first few seconds, and at whether a source’s install volume actually responds when you change its budget. A source that keeps claiming installs after you cut spending is taking credit it did not earn. Your measurement partner’s fraud reports will usually flag the timing pattern directly.

