{"id":5780,"date":"2026-06-23T07:04:46","date_gmt":"2026-06-23T07:04:46","guid":{"rendered":"https:\/\/adex.com\/blog\/?p=5780"},"modified":"2026-06-24T09:30:52","modified_gmt":"2026-06-24T09:30:52","slug":"sdk-spoofing-fake-in-app-events","status":"publish","type":"post","link":"https:\/\/adex.com\/blog\/sdk-spoofing-fake-in-app-events\/","title":{"rendered":"SDK Spoofing: How Fraudsters Fake In-App Events"},"content":{"rendered":"\n<p>A source shows up in your dashboard looking like the best partner you have ever run. It is delivering installs, and behind each one a full funnel: sign-ups, tutorial completions, add-to-carts, even purchases, all at a cost per action that makes every other channel look slow. You lean into it, and you move budget toward it.<\/p>\n\n\n\n<p>Then the part that should follow never arrives. The in-app revenue tied to those purchases never lands, the users behind the installs never open a second session, and the cohort that looked so healthy on day one flattens to nothing by day three.<\/p>\n\n\n\n<p>The reason is that there were never any people. A fraudster studied the signals your app&#8217;s measurement <a href=\"https:\/\/www.adjust.com\/glossary\/sdk\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">software development kit (SDK)<\/a> sends when a real person installs the app and triggers events, learned how to reproduce those signals, and then fired thousands of them from a server with no phone and no user anywhere in the loop.&nbsp;<\/p>\n\n\n\n<p>This is SDK spoofing, and it is one of the harder forms of <a href=\"https:\/\/www.appsflyer.com\/glossary\/mobile-ad-fraud\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">mobile ad fraud<\/a> to catch because the fake traffic is designed to look exactly like the real thing, all the way down to the protocol.<\/p>\n\n\n<div class=\"toc\"><h4 class=\"toc__title\" id=\"contents\">Contents<\/h4><ul class=\"toc__list\"><li class=\"toc__list_item\"><a href=\"#key-takeaways\">Key takeaways<\/a><\/li><li class=\"toc__list_item\"><a href=\"#what-sdk-spoofing-is\">What SDK Spoofing Is<\/a><\/li><li class=\"toc__list_item\"><a href=\"#how-the-attack-gets-built\">How the Attack Gets Built<\/a><\/li><li class=\"toc__list_item\"><a href=\"#why-fake-in-app-events-are-worth-more-than-fake-installs\">Why Fake In-App Events Are Worth More Than Fake Installs<\/a><\/li><li class=\"toc__list_item\"><a href=\"#how-it-compares-to-other-install-fraud\">How It Compares to Other Install Fraud<\/a><\/li><li class=\"toc__list_item\"><a href=\"#the-signals-that-expose-it\">The Signals That Expose It<\/a><\/li><li class=\"toc__list_item\"><a href=\"#why-encryption-alone-does-not-stop-it\">Why Encryption Alone Does Not Stop It<\/a><\/li><li class=\"toc__list_item\"><a href=\"#how-measurement-partners-and-platforms-defend-against-it\">How Measurement Partners and Platforms Defend Against It<\/a><\/li><li class=\"toc__list_item\"><a href=\"#what-advertisers-can-do\">What Advertisers Can Do<\/a><\/li><li class=\"toc__list_item\"><a href=\"#faq\">FAQ<\/a><\/li><\/ul><\/div><style>\n.toc {}\n.toc__title {\n      font-size: 32px;\n    line-height: 40px;\n    font-weight: 700;\n}\n.toc__list_item {\n    color: #FE645A !important;\n}\n.toc__list_item:not(:last-child){\n    margin-bottom: 5px;\n}\n.toc__list_item a {\n    font-size: 18px;\n    line-height: 24px;\n    color: #FE645A;\n    font-weight: 600;\n}\n.toc__list_item a:hover {\n    text-decoration: underline;\n}\n@media (max-width: 1023px) {.toc__title {font-size: 24px;line-height: 32px;}}\n<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"key-takeaways\">Key takeaways<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SDK spoofing fakes installs and in-app events by copying the messages a measurement SDK sends to its server and sending them at scale. There is no real phone and no real user behind any of them.<\/li>\n\n\n\n<li>This sets it apart from click fraud. A click injection scheme steals credit for a real person&#8217;s install; SDK spoofing makes up the whole event, so no real person is ever there.<\/li>\n\n\n\n<li>Faking events pays more than faking installs alone. Once advertisers started paying per action, fraudsters began faking whole event chains to look like real users and earn the higher payout.<\/li>\n\n\n\n<li>Encryption hides the data in transit, but it does not prove who sent it. The real defense is signing each request, backed by a closed-source SDK that makes the protocol hard to copy.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-sdk-spoofing-is\">What SDK Spoofing Is<\/h2>\n\n\n\n<p><a href=\"https:\/\/www.adjust.com\/glossary\/sdk-spoofing\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Adjust defines SDK spoofing<\/a> as a form of mobile ad fraud in which attackers forge the communication between an app&#8217;s SDK and its backend servers, generating install and engagement signals that look authentic without any real user activity behind them.&nbsp;<\/p>\n\n\n\n<p>It is sometimes called traffic spoofing or a replay attack, because the core move is to capture the shape of a legitimate signal and send it again, over and over, with the values changed.<\/p>\n\n\n\n<p>The trick lives in one specific place: the conversation between the measurement SDK inside an app and the <a href=\"https:\/\/www.adjust.com\/glossary\/mobile-measurement-partner-mmp\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">mobile measurement partner (MMP)<\/a> that records what happened. Every time someone installs an app or fires an event inside it, the SDK sends a small, structured message to the MMP saying so. SDK spoofing is the craft of writing those messages by hand, convincingly enough that the MMP records them as real. <a href=\"https:\/\/www.appsflyer.com\/glossary\/sdk-spoofing\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">AppsFlyer, which also calls it SDK hacking<\/a>, describes the same outcome from the other end: an advertiser ends up paying for tens or even hundreds of thousands of installs that never actually occurred.<\/p>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p>What makes it stand apart from the rest of the fraud family is how little it needs. There is no phone farm to maintain, no emulator fleet to keep ahead of detection, no real person to recruit. Once the attacker has a working message, a single server can produce fraudulent installs all day, which is part of why the technique scales so cheaply and stays profitable.<\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-the-attack-gets-built\">How the Attack Gets Built<\/h2>\n\n\n\n<p>The work happens before any fake traffic is sent, in a quiet reconnaissance phase. Following the breakdown, Adjust lays out how it runs in three stages.<\/p>\n\n\n\n<p>1. <strong>The attacker breaks open the secure channel&nbsp;<\/strong><\/p>\n\n\n\n<p>The SDK talks to its servers over an encrypted connection, so the attacker sits in the middle of their own test device and the MMP, a setup known as a man-in-the-middle (MITM) approach, and watches the traffic go by.&nbsp;<\/p>\n\n\n\n<p>2. <strong>Reverse engineer the calls&nbsp;<\/strong><\/p>\n\n\n\n<p>By generating a handful of real installs and events on that test device, they learn which network request corresponds to an install, which one corresponds to a purchase, which fields stay the same every time, and which fields are dynamic and have to be filled in correctly for the call to be accepted.<\/p>\n\n\n\n<p>3. <strong>Once they understand the recipe, they automate it<\/strong><\/p>\n\n\n\n<p>They generate large volumes of fake installs and post-install events with no user touching anything, and because the calls carry plausible device data, often harvested from real but compromised apps, they slide past the basic checks and get attributed as genuine.<\/p>\n\n\n\n<p>There is a second route to the same place, and it matters because it explains why the problem is stubborn.&nbsp;<\/p>\n\n\n\n<p>As <a href=\"https:\/\/www.appsflyer.com\/blog\/mobile-fraud\/closed-source-sdk-is-essential\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">AppsFlyer has argued<\/a>, much of the public discussion frames SDK spoofing as a network attack, but the data can also be tampered with before it ever reaches the network.<\/p>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p>Using runtime instrumentation tools, an attacker can hook into the app while it is running and change the values the SDK is about to send, then let the SDK package and sign and transmit them normally. The message leaves the device looking perfectly legitimate because, as far as the SDK is concerned, it is.<\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<div class=\"adtech-sdk-spoofing-block\">\n  <style>\n    .adtech-sdk-spoofing-block,\n    .adtech-sdk-spoofing-block * {\n      box-sizing: border-box;\n    }\n\n\n.adtech-sdk-spoofing-block {\n  width: 100%;\n  max-width: 1600px;\n  margin: 32px 0;\n  padding: 34px 28px 32px;\n  background-color: #120066;\n  background-image: linear-gradient(180deg, #150067 0%, #10005a 100%);\n  border-radius: 18px;\n  font-family: Inter, -apple-system, BlinkMacSystemFont, \"Segoe UI\", Arial, sans-serif;\n  color: #ffffff;\n  overflow: hidden;\n}\n\n.adtech-sdk-spoofing-block .assb-eyebrow {\n  margin: 0 0 14px;\n  color: #00dfc8;\n  font-size: 12px;\n  line-height: 1.3;\n  font-weight: 800;\n  letter-spacing: 0.16em;\n  text-transform: uppercase;\n}\n\n.adtech-sdk-spoofing-block .assb-title {\n  margin: 0 0 26px;\n  color: #ffffff;\n  font-size: 28px;\n  line-height: 1.18;\n  font-weight: 800;\n  letter-spacing: -0.03em;\n}\n\n.adtech-sdk-spoofing-block .assb-stage-grid {\n  display: grid;\n  grid-template-columns: repeat(4, minmax(0, 1fr));\n  gap: 10px;\n  width: 100%;\n}\n\n.adtech-sdk-spoofing-block .assb-stage-card {\n  min-width: 0;\n  min-height: 178px;\n  padding: 16px 12px 14px;\n  background-color: rgba(255, 255, 255, 0.055);\n  border: 1px solid rgba(255, 255, 255, 0.14);\n  border-top: 3px solid #00dfc8;\n  border-radius: 14px;\n  overflow-wrap: anywhere;\n}\n\n.adtech-sdk-spoofing-block .assb-stage-card-danger {\n  border-top-color: #ff654f;\n}\n\n.adtech-sdk-spoofing-block .assb-stage-number {\n  margin: 0 0 14px;\n  color: #b6a6ee;\n  font-size: 10px;\n  line-height: 1.3;\n  font-weight: 800;\n  letter-spacing: 0.13em;\n  text-transform: uppercase;\n}\n\n.adtech-sdk-spoofing-block .assb-icon {\n  width: 24px;\n  height: 24px;\n  margin-bottom: 12px;\n  display: block;\n  color: #00dfc8;\n}\n\n.adtech-sdk-spoofing-block .assb-icon-danger {\n  color: #ff654f;\n}\n\n.adtech-sdk-spoofing-block .assb-icon svg {\n  width: 100%;\n  height: 100%;\n  display: block;\n  fill: none;\n  stroke: currentColor;\n  stroke-width: 2.2;\n  stroke-linecap: round;\n  stroke-linejoin: round;\n}\n\n.adtech-sdk-spoofing-block .assb-stage-title {\n  margin: 0 0 7px;\n  color: #ffffff;\n  font-size: 15px;\n  line-height: 1.2;\n  font-weight: 800;\n  letter-spacing: -0.02em;\n}\n\n.adtech-sdk-spoofing-block .assb-stage-text {\n  margin: 0;\n  color: #c6bdec;\n  font-size: 11px;\n  line-height: 1.38;\n  font-weight: 600;\n}\n\n.adtech-sdk-spoofing-block .assb-dynamic-word {\n  color: #a665d7;\n  font-weight: 800;\n}\n\n.adtech-sdk-spoofing-block .assb-divider {\n  position: relative;\n  margin: 24px 0 22px;\n  height: 18px;\n  display: flex;\n  align-items: center;\n  justify-content: center;\n}\n\n.adtech-sdk-spoofing-block .assb-divider::before {\n  content: \"\";\n  position: absolute;\n  left: 0;\n  right: 0;\n  top: 50%;\n  height: 1px;\n  background-color: rgba(255, 101, 79, 0.55);\n}\n\n.adtech-sdk-spoofing-block .assb-divider span {\n  position: relative;\n  z-index: 1;\n  padding: 0 18px;\n  background-color: #120066;\n  color: #ff654f;\n  font-size: 12px;\n  line-height: 1.3;\n  font-weight: 900;\n  letter-spacing: 0.08em;\n  text-transform: uppercase;\n  white-space: nowrap;\n}\n\n.adtech-sdk-spoofing-block .assb-alt-path {\n  padding: 18px 20px;\n  border: 1px dashed rgba(166, 101, 215, 0.9);\n  border-radius: 14px;\n  background-color: rgba(166, 101, 215, 0.08);\n}\n\n.adtech-sdk-spoofing-block .assb-alt-title {\n  margin: 0 0 12px;\n  color: #a665d7;\n  font-size: 13px;\n  line-height: 1.35;\n  font-weight: 900;\n  letter-spacing: 0.12em;\n  text-transform: uppercase;\n}\n\n.adtech-sdk-spoofing-block .assb-alt-text {\n  margin: 0;\n  color: #ffffff;\n  font-size: 14px;\n  line-height: 1.55;\n  font-weight: 700;\n}\n\n.adtech-sdk-spoofing-block .assb-warning {\n  margin: 20px 0 22px;\n  padding: 4px 0 4px 18px;\n  border-left: 3px solid #ff654f;\n  color: #ffffff;\n  font-size: 16px;\n  line-height: 1.45;\n  font-weight: 800;\n}\n\n.adtech-sdk-spoofing-block .assb-legend {\n  padding-top: 18px;\n  border-top: 1px solid rgba(255, 255, 255, 0.12);\n  display: flex;\n  flex-wrap: nowrap;\n  gap: 14px;\n  align-items: center;\n  justify-content: flex-start;\n  width: 100%;\n}\n\n.adtech-sdk-spoofing-block .assb-legend-item {\n  display: inline-flex;\n  align-items: center;\n  gap: 7px;\n  color: #b6a6ee;\n  font-size: 11px;\n  line-height: 1.35;\n  font-weight: 600;\n  white-space: nowrap;\n}\n\n.adtech-sdk-spoofing-block .assb-legend-dot {\n  width: 10px;\n  height: 10px;\n  border-radius: 3px;\n  display: inline-block;\n  flex: 0 0 auto;\n}\n\n.adtech-sdk-spoofing-block .assb-dot-teal {\n  background-color: #00dfc8;\n}\n\n.adtech-sdk-spoofing-block .assb-dot-purple {\n  background-color: #a665d7;\n}\n\n.adtech-sdk-spoofing-block .assb-dot-orange {\n  background-color: #ff654f;\n}\n\n@media (max-width: 900px) {\n  .adtech-sdk-spoofing-block {\n    padding: 30px 20px 28px;\n  }\n\n  .adtech-sdk-spoofing-block .assb-title {\n    font-size: 24px;\n  }\n\n  .adtech-sdk-spoofing-block .assb-stage-grid {\n    gap: 8px;\n  }\n\n  .adtech-sdk-spoofing-block .assb-stage-card {\n    min-height: 165px;\n    padding: 14px 9px 12px;\n  }\n\n  .adtech-sdk-spoofing-block .assb-stage-number {\n    font-size: 8px;\n    margin-bottom: 11px;\n  }\n\n  .adtech-sdk-spoofing-block .assb-icon {\n    width: 20px;\n    height: 20px;\n    margin-bottom: 9px;\n  }\n\n  .adtech-sdk-spoofing-block .assb-stage-title {\n    font-size: 12px;\n    margin-bottom: 6px;\n  }\n\n  .adtech-sdk-spoofing-block .assb-stage-text {\n    font-size: 9px;\n    line-height: 1.34;\n  }\n\n  .adtech-sdk-spoofing-block .assb-legend {\n    gap: 10px;\n  }\n\n  .adtech-sdk-spoofing-block .assb-legend-item {\n    font-size: 9.5px;\n  }\n}\n\n@media (max-width: 680px) {\n  .adtech-sdk-spoofing-block {\n    padding: 26px 12px 24px;\n    border-radius: 16px;\n  }\n\n  .adtech-sdk-spoofing-block .assb-title {\n    font-size: 21px;\n  }\n\n  .adtech-sdk-spoofing-block .assb-stage-grid {\n    gap: 5px;\n  }\n\n  .adtech-sdk-spoofing-block .assb-stage-card {\n    min-height: 152px;\n    padding: 11px 6px 10px;\n  }\n\n  .adtech-sdk-spoofing-block .assb-stage-number {\n    font-size: 7px;\n    margin-bottom: 9px;\n  }\n\n  .adtech-sdk-spoofing-block .assb-icon {\n    width: 18px;\n    height: 18px;\n    margin-bottom: 8px;\n  }\n\n  .adtech-sdk-spoofing-block .assb-stage-title {\n    font-size: 10.5px;\n  }\n\n  .adtech-sdk-spoofing-block .assb-stage-text {\n    font-size: 8px;\n    line-height: 1.3;\n  }\n\n  .adtech-sdk-spoofing-block .assb-divider span {\n    font-size: 10px;\n    padding: 0 10px;\n  }\n\n  .adtech-sdk-spoofing-block .assb-alt-title {\n    font-size: 11px;\n  }\n\n  .adtech-sdk-spoofing-block .assb-alt-text {\n    font-size: 12px;\n  }\n\n  .adtech-sdk-spoofing-block .assb-warning {\n    font-size: 13px;\n  }\n\n  .adtech-sdk-spoofing-block .assb-legend {\n    flex-wrap: wrap;\n    gap: 8px 12px;\n  }\n\n  .adtech-sdk-spoofing-block .assb-legend-item {\n    font-size: 10px;\n  }\n}\n\n\n  <\/style>\n\n  <p class=\"assb-eyebrow\">SDK Spoofing<\/p>\n  <h3 class=\"assb-title\" id=\"how-an-sdk-spoofing-attack-is-assembled\">How an SDK Spoofing Attack Is Assembled<\/h3>\n\n  <div class=\"assb-stage-grid\" aria-label=\"Four stages of an SDK spoofing attack\">\n    <div class=\"assb-stage-card\">\n      <p class=\"assb-stage-number\">Stage 01<\/p>\n      <span class=\"assb-icon\" aria-hidden=\"true\">\n        <svg viewBox=\"0 0 40 40\">\n          <rect x=\"4\" y=\"11\" width=\"9\" height=\"18\" rx=\"2\"><\/rect>\n          <rect x=\"27\" y=\"11\" width=\"9\" height=\"18\" rx=\"2\"><\/rect>\n          <circle cx=\"20\" cy=\"20\" r=\"3\"><\/circle>\n          <path d=\"M13 20h4M23 20h4M18 18l-2-3M22 18l2-3\"><\/path>\n        <\/svg>\n      <\/span>\n      <p class=\"assb-stage-title\">Intercept<\/p>\n      <p class=\"assb-stage-text\">A man-in-the-middle setup on the attacker&#8217;s own test device watches the encrypted SDK traffic.<\/p>\n    <\/div>\n\n\n<div class=\"assb-stage-card\">\n  <p class=\"assb-stage-number\">Stage 02<\/p>\n  <span class=\"assb-icon\" aria-hidden=\"true\">\n    <svg viewBox=\"0 0 40 40\">\n      <rect x=\"9\" y=\"6\" width=\"17\" height=\"24\" rx=\"2\"><\/rect>\n      <path d=\"M14 13h7M14 18h7M14 23h5\"><\/path>\n      <circle cx=\"27\" cy=\"27\" r=\"7\"><\/circle>\n      <path d=\"M32 32l4 4\"><\/path>\n    <\/svg>\n  <\/span>\n  <p class=\"assb-stage-title\">Reverse Engineer<\/p>\n  <p class=\"assb-stage-text\">They learn which calls mean an install or a purchase, and which fields are static versus <span class=\"assb-dynamic-word\">dynamic.<\/span><\/p>\n<\/div>\n\n<div class=\"assb-stage-card assb-stage-card-danger\">\n  <p class=\"assb-stage-number\">Stage 03<\/p>\n  <span class=\"assb-icon assb-icon-danger\" aria-hidden=\"true\">\n    <svg viewBox=\"0 0 40 40\">\n      <rect x=\"5\" y=\"17\" width=\"8\" height=\"8\" rx=\"2\"><\/rect>\n      <rect x=\"27\" y=\"6\" width=\"8\" height=\"8\" rx=\"2\"><\/rect>\n      <rect x=\"27\" y=\"17\" width=\"8\" height=\"8\" rx=\"2\"><\/rect>\n      <rect x=\"27\" y=\"28\" width=\"8\" height=\"8\" rx=\"2\"><\/rect>\n      <path d=\"M13 21h8M21 21l6-11M21 21h6M21 21l6 11\"><\/path>\n    <\/svg>\n  <\/span>\n  <p class=\"assb-stage-title\">Replay at Scale<\/p>\n  <p class=\"assb-stage-text\">One server fires thousands of fabricated calls, with no real device or user behind any of them.<\/p>\n<\/div>\n\n<div class=\"assb-stage-card assb-stage-card-danger\">\n  <p class=\"assb-stage-number\">Stage 04<\/p>\n  <span class=\"assb-icon assb-icon-danger\" aria-hidden=\"true\">\n    <svg viewBox=\"0 0 40 40\">\n      <rect x=\"10\" y=\"7\" width=\"20\" height=\"28\" rx=\"2\"><\/rect>\n      <path d=\"M15 18l4 4 8-9\"><\/path>\n      <path d=\"M15 7h10\"><\/path>\n    <\/svg>\n  <\/span>\n  <p class=\"assb-stage-title\">Attributed as Real<\/p>\n  <p class=\"assb-stage-text\">The measurement partner records the fake signals as genuine installs and events.<\/p>\n<\/div>\n\n\n  <\/div>\n\n  <div class=\"assb-divider\">\n    <span>Fabrication begins here<\/span>\n  <\/div>\n\n  <div class=\"assb-alt-path\">\n    <p class=\"assb-alt-title\">Alternate path: on-device runtime tampering<\/p>\n    <p class=\"assb-alt-text\">Instead of replaying calls from a server, the attacker changes the values inside the app while it runs, then lets the SDK sign and send them. The traffic leaves the device looking perfectly valid.<\/p>\n  <\/div>\n\n  <p class=\"assb-warning\">No real phone or user exists past the attacker&#8217;s test device. Everything downstream is fabricated.<\/p>\n\n  <div class=\"assb-legend\" aria-label=\"Legend\">\n    <span class=\"assb-legend-item\">\n      <span class=\"assb-legend-dot assb-dot-teal\"><\/span>\n      Recon on the attacker&#8217;s own test device\n    <\/span>\n    <span class=\"assb-legend-item\">\n      <span class=\"assb-legend-dot assb-dot-purple\"><\/span>\n      Dynamic fields they must get right\n    <\/span>\n    <span class=\"assb-legend-item\">\n      <span class=\"assb-legend-dot assb-dot-orange\"><\/span>\n      Fabricated traffic, no real user\n    <\/span>\n  <\/div>\n<\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"why-fake-in-app-events-are-worth-more-than-fake-installs\">Why Fake In-App Events Are Worth More Than Fake Installs<\/h2>\n\n\n\n<p>Spoofing did not start by faking purchases. It started by faking installs because, for a long time, installs were what advertisers paid for.&nbsp;<\/p>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p><strong>As measurement matured and buyers got tired of paying for installs that never turned into anything, the money moved to cost-per-action deals, where a source earns its fee only when a user registers, subscribes, reaches a level, or buys. That shift was good for advertisers, and it changed the economics of fraud at the same time.<\/strong><\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<p>If a source is paid per install, a fabricated install is the whole prize. If a source is paid per purchase, a fabricated install earns nothing on its own, so the fraudster has to fabricate the purchase too.&nbsp;<\/p>\n\n\n\n<p>That is the reason spoofed traffic so often arrives with a believable sequence of in-app events attached. A bare install with no activity behind it is suspicious and cheap. An install followed by a sign-up, a tutorial completion, and a first purchase looks like a high-value user and pays like one. The fraudster builds the funnel because the funnel is where the budget is.<\/p>\n\n\n\n<p>This is also what makes spoofed in-app events more corrosive than spoofed installs alone.&nbsp;<\/p>\n\n\n\n<p>The deeper damage is to your optimization. When fabricated purchase events flow into your reporting, the source that produced them looks like your strongest driver of revenue, so your bidding and your budget allocation tilt toward it, and the better the fake funnel, the more real money it pulls in.<\/p>\n\n\n<div class=\"block__preview\">\n        <a href=\"https:\/\/adex.com\/blog\/device-fingerprinting-fraud-prevention-gdpr\/\" class=\"block__preview_img\"><img src=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/06\/adex-device-fingerprinting-balance.png\" srcset=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/06\/adex-device-fingerprinting-balance.png\" sizes=\"100vw\" alt=\"How to balance between device fingerprinting and user security?\" decoding=\"async\" class=\"lazy\"><\/a>\n    <div class=\"block__preview_box\">\n        <a href=\"https:\/\/adex.com\/blog\/category\/guides\/\" class=\"block__preview_box-cat\">Guides<\/a>        <h3 class=\"block__preview_box-title\" id=\"device-fingerprinting-for-fraud-prevention-navigating-gdpr-and-privacy-constraints\"><a href=\"https:\/\/adex.com\/blog\/device-fingerprinting-fraud-prevention-gdpr\/\">Device Fingerprinting for Fraud Prevention: Navigating GDPR and Privacy Constraints<\/a><\/h3>\n    <\/div>\n<\/div>\n<style>\n.block__preview {display: flex;align-items: center;justify-content: center; margin: 32px 0;}\n.block__preview a {text-decoration: none;}\n.block__preview_img {min-width: 360px;max-width: 360px;min-height: 188px;width: 100%;height: 100%;}\n.block__preview_img img {width: 100%;height: 100%;}\n.block__preview_box {margin-left: 40px;max-width: 360px;}\n.block__preview_box-cat {color: #00B8A7 !important;font-weight: 600;font-size: 12px;line-height: 16px;text-transform: uppercase; display: block; margin-bottom: 4px;}\n.block__preview_box-cat:hover {color: #FE645A !important; text-decoration: none !important;}\n.block__preview_box-title {font-size: 20px;font-weight: 700;line-height: 24px;color: #0B172D;}\n.block__preview_box-title a {color: #0B172D !important;}\n.block__preview_box-title a:hover {color: #FE645A !important;}\n@media screen and (max-width: 768px) {.block__preview {flex-direction: column;}.block__preview_box {max-width: 100%; margin-top: 32px;margin-left: 0px;}.block__preview_img {max-width: 100%;min-width: 100%;min-height: 100%;}}<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-it-compares-to-other-install-fraud\">How It Compares to Other Install Fraud<\/h2>\n\n\n\n<p>SDK spoofing is one of several schemes that end with credit assigned to a source that did not earn it, and they are easy to blur together.&nbsp;<\/p>\n\n\n\n<p>The clean way to separate them is to ask two questions: is there a real device involved, and is there a real person? SDK spoofing is the only one where the answer to both is no.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th><strong>Fraud type<\/strong><\/th><th><strong>What gets faked<\/strong><\/th><th><strong>Real device?<\/strong><\/th><th><strong>Real user?<\/strong><\/th><th><strong>Telltale trait<\/strong><\/th><\/tr><\/thead><tbody><tr><td>SDK spoofing<\/td><td>Installs and in-app events, forged at the protocol level<\/td><td>No<\/td><td>No<\/td><td>Signals are server-generated; no device or user exists behind them<\/td><\/tr><tr><td>Click injection<\/td><td>The attribution credit for an install<\/td><td>Yes<\/td><td>Yes<\/td><td>Android-specific; a fake click fired in the seconds during an install<\/td><\/tr><tr><td>Click spam \/ flooding<\/td><td>Large volumes of clicks ahead of an organic install<\/td><td>Mixed<\/td><td>Sometimes, a real organic user is poached<\/td><td>Long, scattered click-to-install times<\/td><\/tr><tr><td>Device emulation<\/td><td>Installs and activity on virtual devices<\/td><td>Emulated<\/td><td>No<\/td><td>Emulator signatures and tell-tale behavioral patterns<\/td><\/tr><tr><td>Fake installs<\/td><td>Installs from devices or bots<\/td><td>Real or emulated<\/td><td>No genuine intent<\/td><td>Often mixed with real traffic to stay hidden<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The line that matters most for detection is the one between SDK spoofing and click injection, because the two demand opposite instincts. Click injection rides on top of real installs by real people who genuinely wanted the app, so those users engage and retain normally and you cannot catch the fraud by looking at their behavior. SDK spoofing is the reverse. There is no user, so there is no behavior to find, and the absence of behavior is exactly the thing that gives it away. Chasing retention is the wrong move against injection and the right one against spoofing.<\/p>\n\n\n\n<div class=\"adtech-real-vs-spoofed-block\">\n  <style>\n    .adtech-real-vs-spoofed-block,\n    .adtech-real-vs-spoofed-block * {\n      box-sizing: border-box;\n    }\n\n\n.adtech-real-vs-spoofed-block {\n  width: 100%;\n  max-width: 1180px;\n  margin: 32px 0;\n  padding: 34px 30px 32px;\n  background-color: #120066;\n  background-image: linear-gradient(180deg, #150067 0%, #10005a 100%);\n  border-radius: 18px;\n  font-family: Inter, -apple-system, BlinkMacSystemFont, \"Segoe UI\", Arial, sans-serif;\n  color: #ffffff;\n  overflow: hidden;\n}\n\n.adtech-real-vs-spoofed-block .arvs-eyebrow {\n  margin: 0 0 14px;\n  color: #5ff0d5;\n  font-size: 15px;\n  line-height: 1.25;\n  font-weight: 900;\n  letter-spacing: 0.16em;\n  text-transform: uppercase;\n}\n\n.adtech-real-vs-spoofed-block .arvs-title {\n  margin: 0 0 28px;\n  color: #ffffff;\n  font-size: 30px;\n  line-height: 1.15;\n  font-weight: 900;\n  letter-spacing: -0.04em;\n}\n\n.adtech-real-vs-spoofed-block .arvs-grid {\n  display: grid;\n  grid-template-columns: 210px minmax(0, 1fr) minmax(0, 1fr);\n  gap: 14px;\n  align-items: stretch;\n}\n\n.adtech-real-vs-spoofed-block .arvs-head-spacer {\n  min-height: 58px;\n}\n\n.adtech-real-vs-spoofed-block .arvs-column-head {\n  min-height: 58px;\n  padding: 13px 18px;\n  display: flex;\n  align-items: center;\n  border-radius: 14px;\n  color: #080053;\n  font-size: 21px;\n  line-height: 1.12;\n  font-weight: 900;\n  letter-spacing: 0.12em;\n  text-transform: uppercase;\n}\n\n.adtech-real-vs-spoofed-block .arvs-head-real {\n  background-color: #61d3c4;\n}\n\n.adtech-real-vs-spoofed-block .arvs-head-fake {\n  background-color: #ef6f5f;\n  color: #ffffff;\n}\n\n.adtech-real-vs-spoofed-block .arvs-row-label {\n  min-height: 104px;\n  display: flex;\n  align-items: center;\n  padding: 14px 18px;\n  color: #ffffff;\n  font-size: 22px;\n  line-height: 1.2;\n  font-weight: 900;\n  letter-spacing: -0.02em;\n}\n\n.adtech-real-vs-spoofed-block .arvs-card {\n  min-height: 104px;\n  padding: 16px 18px;\n  border-radius: 14px;\n  background-color: rgba(255, 255, 255, 0.055);\n  border: 2px solid rgba(255, 255, 255, 0.11);\n}\n\n.adtech-real-vs-spoofed-block .arvs-card-real {\n  border-left: 5px solid #61d3c4;\n}\n\n.adtech-real-vs-spoofed-block .arvs-card-fake {\n  border-left: 5px solid #ef6f5f;\n}\n\n.adtech-real-vs-spoofed-block .arvs-card-title {\n  margin: 0 0 9px;\n  display: flex;\n  align-items: center;\n  gap: 10px;\n  color: #61f0d4;\n  font-size: 20px;\n  line-height: 1.18;\n  font-weight: 900;\n  letter-spacing: -0.02em;\n}\n\n.adtech-real-vs-spoofed-block .arvs-card-fake .arvs-card-title {\n  color: #ff806c;\n}\n\n.adtech-real-vs-spoofed-block .arvs-symbol {\n  width: 22px;\n  min-width: 22px;\n  height: 22px;\n  display: inline-flex;\n  align-items: center;\n  justify-content: center;\n  font-size: 25px;\n  line-height: 1;\n  font-weight: 900;\n}\n\n.adtech-real-vs-spoofed-block .arvs-card-text {\n  margin: 0;\n  color: #cbc3f1;\n  font-size: 17px;\n  line-height: 1.32;\n  font-weight: 500;\n  letter-spacing: -0.02em;\n}\n\n.adtech-real-vs-spoofed-block .arvs-warning {\n  margin: 30px 0 0;\n  padding: 14px 0 14px 24px;\n  border-left: 4px solid #ef6f5f;\n  color: #ffffff;\n  font-size: 22px;\n  line-height: 1.35;\n  font-weight: 900;\n  letter-spacing: -0.02em;\n}\n\n@media (max-width: 1050px) {\n  .adtech-real-vs-spoofed-block {\n    padding: 32px 24px 30px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-grid {\n    grid-template-columns: 165px minmax(0, 1fr) minmax(0, 1fr);\n    gap: 12px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-title {\n    font-size: 28px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-column-head {\n    font-size: 18px;\n    padding: 12px 15px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-row-label {\n    min-height: 96px;\n    font-size: 20px;\n    padding: 12px 14px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-card {\n    min-height: 96px;\n    padding: 14px 15px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-card-title {\n    font-size: 18px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-card-text {\n    font-size: 15.5px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-warning {\n    font-size: 20px;\n  }\n}\n\n@media (max-width: 780px) {\n  .adtech-real-vs-spoofed-block {\n    padding: 28px 16px 26px;\n    border-radius: 16px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-eyebrow {\n    font-size: 13px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-title {\n    font-size: 24px;\n    margin-bottom: 22px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-grid {\n    grid-template-columns: 92px minmax(0, 1fr) minmax(0, 1fr);\n    gap: 9px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-head-spacer {\n    min-height: 50px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-column-head {\n    min-height: 50px;\n    padding: 10px 12px;\n    border-radius: 12px;\n    font-size: 14px;\n    letter-spacing: 0.1em;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-row-label {\n    min-height: 88px;\n    padding: 10px 8px;\n    font-size: 16px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-card {\n    min-height: 88px;\n    padding: 12px 11px;\n    border-radius: 12px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-card-real {\n    border-left-width: 4px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-card-fake {\n    border-left-width: 4px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-card-title {\n    margin-bottom: 7px;\n    gap: 7px;\n    font-size: 14px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-symbol {\n    width: 17px;\n    min-width: 17px;\n    height: 17px;\n    font-size: 19px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-card-text {\n    font-size: 12px;\n    line-height: 1.3;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-warning {\n    margin-top: 24px;\n    padding-left: 16px;\n    font-size: 16px;\n  }\n}\n\n@media (max-width: 520px) {\n  .adtech-real-vs-spoofed-block {\n    padding: 24px 12px 24px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-title {\n    font-size: 21px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-grid {\n    grid-template-columns: 1fr;\n    gap: 9px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-head-spacer {\n    display: none;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-row-label {\n    min-height: auto;\n    padding: 12px 0 0;\n    font-size: 18px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-column-head {\n    min-height: auto;\n    font-size: 16px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-card {\n    min-height: auto;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-card-title {\n    font-size: 17px;\n  }\n\n  .adtech-real-vs-spoofed-block .arvs-card-text {\n    font-size: 15px;\n  }\n}\n\n\n  <\/style>\n\n  <p class=\"arvs-eyebrow\">SDK Spoofing<\/p>\n  <h3 class=\"arvs-title\" id=\"real-install-vs-spoofed-signal\">Real Install vs Spoofed Signal<\/h3>\n\n  <div class=\"arvs-grid\" aria-label=\"Comparison between a real install and a spoofed signal\">\n    <div class=\"arvs-head-spacer\"><\/div>\n    <div class=\"arvs-column-head arvs-head-real\">Real Install<\/div>\n    <div class=\"arvs-column-head arvs-head-fake\">Spoofed Signal<\/div>\n\n\n<div class=\"arvs-row-label\">Person<\/div>\n<div class=\"arvs-card arvs-card-real\">\n  <p class=\"arvs-card-title\"><span class=\"arvs-symbol\">\u2713<\/span> Real person<\/p>\n  <p class=\"arvs-card-text\">Someone genuinely wants the app.<\/p>\n<\/div>\n<div class=\"arvs-card arvs-card-fake\">\n  <p class=\"arvs-card-title\"><span class=\"arvs-symbol\">\u00d7<\/span> No one<\/p>\n  <p class=\"arvs-card-text\">There is no user at all.<\/p>\n<\/div>\n\n<div class=\"arvs-row-label\">Device<\/div>\n<div class=\"arvs-card arvs-card-real\">\n  <p class=\"arvs-card-title\"><span class=\"arvs-symbol\">\u2713<\/span> Real device<\/p>\n  <p class=\"arvs-card-text\">A genuine phone installs the app.<\/p>\n<\/div>\n<div class=\"arvs-card arvs-card-fake\">\n  <p class=\"arvs-card-title\"><span class=\"arvs-symbol\">\u00d7<\/span> No device<\/p>\n  <p class=\"arvs-card-text\">No phone performs the install.<\/p>\n<\/div>\n\n<div class=\"arvs-row-label\">App<\/div>\n<div class=\"arvs-card arvs-card-real\">\n  <p class=\"arvs-card-title\"><span class=\"arvs-symbol\">\u2713<\/span> App fires it<\/p>\n  <p class=\"arvs-card-text\">The real SDK sends the signal.<\/p>\n<\/div>\n<div class=\"arvs-card arvs-card-fake\">\n  <p class=\"arvs-card-title\">Forged<\/p>\n  <p class=\"arvs-card-text\">The calls are recreated by hand.<\/p>\n<\/div>\n\n<div class=\"arvs-row-label\">Signal<\/div>\n<div class=\"arvs-card arvs-card-real\">\n  <p class=\"arvs-card-title\"><span class=\"arvs-symbol\">\u2713<\/span> Authentic<\/p>\n  <p class=\"arvs-card-text\">One signal from a real session.<\/p>\n<\/div>\n<div class=\"arvs-card arvs-card-fake\">\n  <p class=\"arvs-card-title\">Fabricated<\/p>\n  <p class=\"arvs-card-text\">Fake signals sent at scale.<\/p>\n<\/div>\n\n<div class=\"arvs-row-label\">Attribution<\/div>\n<div class=\"arvs-card arvs-card-real\">\n  <p class=\"arvs-card-title\"><span class=\"arvs-symbol\">\u2713<\/span> Recorded right<\/p>\n  <p class=\"arvs-card-text\">Credit goes to the real source.<\/p>\n<\/div>\n<div class=\"arvs-card arvs-card-fake\">\n  <p class=\"arvs-card-title\">Recorded as real<\/p>\n  <p class=\"arvs-card-text\">The fake passes as a conversion.<\/p>\n<\/div>\n\n\n  <\/div>\n\n  <p class=\"arvs-warning\">The real chain is missing its first links: no person, no device. The fraud begins at the fabricated signal.<\/p>\n<\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"the-signals-that-expose-it\">The Signals That Expose It<\/h2>\n\n\n\n<p>Because spoofed traffic is engineered to look ordinary on the surface, the tells are rarely in any single record. They show up in patterns and in the gap between what a source claims and what reality later confirms.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"technical-signals\">Technical signals<\/h3>\n\n\n\n<p>The first family of signals is technical, and AppsFlyer points straight at it: SDK version anomalies. A spoofing operation reproduces whatever SDK version it captured during reconnaissance, which is often not the version your live app actually ships.&nbsp;<\/p>\n\n\n\n<p>So, installs arriving from an SDK version you never released, or a sudden spike in installs tied to one specific version that does not line up with your own release schedule, is a strong sign that something is generating traffic outside your real app.&nbsp;<\/p>\n\n\n\n<p>Your MMP can usually surface this directly, and asking your attribution provider for a fraud exposure report is a reasonable first step when a source looks too good.<\/p>\n\n\n<div class=\"block__preview\">\n        <a href=\"https:\/\/adex.com\/blog\/phishing-alert-telegram-fraud\/\" class=\"block__preview_img\"><img src=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2025\/07\/Adex-Telegram-fraud-account-hijacking.png\" srcset=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2025\/07\/Adex-Telegram-fraud-account-hijacking.png\" sizes=\"100vw\" alt=\"Adex-Telegram-fraud-account-hijacking\" decoding=\"async\" class=\"lazy\"><\/a>\n    <div class=\"block__preview_box\">\n        <a href=\"https:\/\/adex.com\/blog\/category\/current_risks\/\" class=\"block__preview_box-cat\">Current risks<\/a>        <h3 class=\"block__preview_box-title\" id=\"phishing-scam-alert-telegram-fraud-and-account-hijacking-prevented\"><a href=\"https:\/\/adex.com\/blog\/phishing-alert-telegram-fraud\/\">[Phishing Scam Alert] Telegram Fraud and Account Hijacking Prevented<\/a><\/h3>\n    <\/div>\n<\/div>\n<style>\n.block__preview {display: flex;align-items: center;justify-content: center; margin: 32px 0;}\n.block__preview a {text-decoration: none;}\n.block__preview_img {min-width: 360px;max-width: 360px;min-height: 188px;width: 100%;height: 100%;}\n.block__preview_img img {width: 100%;height: 100%;}\n.block__preview_box {margin-left: 40px;max-width: 360px;}\n.block__preview_box-cat {color: #00B8A7 !important;font-weight: 600;font-size: 12px;line-height: 16px;text-transform: uppercase; display: block; margin-bottom: 4px;}\n.block__preview_box-cat:hover {color: #FE645A !important; text-decoration: none !important;}\n.block__preview_box-title {font-size: 20px;font-weight: 700;line-height: 24px;color: #0B172D;}\n.block__preview_box-title a {color: #0B172D !important;}\n.block__preview_box-title a:hover {color: #FE645A !important;}\n@media screen and (max-width: 768px) {.block__preview {flex-direction: column;}.block__preview_box {max-width: 100%; margin-top: 32px;margin-left: 0px;}.block__preview_img {max-width: 100%;min-width: 100%;min-height: 100%;}}<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"reality-gap\">Reality gap<\/h3>\n\n\n\n<p>The second family is the reality gap, and it is the one that an advertiser can watch without any special tooling.&nbsp;<\/p>\n\n\n\n<p>Spoofed events have no human behind them, so they never turn into the things only humans produce: the purchase events do not reconcile against the actual revenue in your payment system, the reported subscriptions never renew or show up in your billing, and the cohorts that looked busy in their first session flatten out because there is no one left to come back. None of these is proof by itself, since real campaigns have weak cohorts too, but a source whose reported value consistently fails to materialize as money or retention is telling you something the install count is not.<\/p>\n\n\n\n<div class=\"adtech-reality-gap-block\">\n  <style>\n    .adtech-reality-gap-block,\n    .adtech-reality-gap-block * {\n      box-sizing: border-box;\n    }\n\n\n.adtech-reality-gap-block {\n  width: 100%;\n  max-width: 1120px;\n  margin: 32px 0;\n  padding: 34px 34px 32px;\n  background-color: #120066;\n  background-image: linear-gradient(180deg, #150067 0%, #10005a 100%);\n  border-radius: 18px;\n  font-family: Inter, -apple-system, BlinkMacSystemFont, \"Segoe UI\", Arial, sans-serif;\n  color: #ffffff;\n  overflow: hidden;\n}\n\n.adtech-reality-gap-block .argb-eyebrow {\n  margin: 0 0 16px;\n  color: #5ff0d5;\n  font-size: 17px;\n  line-height: 1.25;\n  font-weight: 900;\n  letter-spacing: 0.16em;\n  text-transform: uppercase;\n}\n\n.adtech-reality-gap-block .argb-title {\n  margin: 0 0 26px;\n  color: #ffffff;\n  font-size: 30px;\n  line-height: 1.15;\n  font-weight: 900;\n  letter-spacing: -0.03em;\n}\n\n.adtech-reality-gap-block .argb-chart-wrap {\n  width: 100%;\n  margin: 0 0 22px;\n}\n\n.adtech-reality-gap-block .argb-chart {\n  display: block;\n  width: 100%;\n  height: auto;\n  max-height: 430px;\n}\n\n.adtech-reality-gap-block .argb-axis {\n  stroke: #44358d;\n  stroke-width: 2;\n}\n\n.adtech-reality-gap-block .argb-axis-text {\n  fill: #c6bdec;\n  font-family: Inter, Arial, sans-serif;\n  font-size: 18px;\n  font-weight: 500;\n}\n\n.adtech-reality-gap-block .argb-chart-label {\n  font-family: Inter, Arial, sans-serif;\n  font-size: 19px;\n  font-weight: 900;\n}\n\n.adtech-reality-gap-block .argb-chart-note {\n  fill: #ffffff;\n  font-family: Inter, Arial, sans-serif;\n  font-size: 20px;\n  font-weight: 900;\n}\n\n.adtech-reality-gap-block .argb-legend {\n  display: grid;\n  grid-template-columns: 1fr;\n  gap: 14px;\n  margin: 8px 0 26px;\n}\n\n.adtech-reality-gap-block .argb-legend-item {\n  display: flex;\n  align-items: center;\n  gap: 12px;\n  color: #c6bdec;\n  font-size: 18px;\n  line-height: 1.35;\n  font-weight: 500;\n}\n\n.adtech-reality-gap-block .argb-legend-line {\n  width: 28px;\n  height: 7px;\n  border-radius: 99px;\n  flex: 0 0 auto;\n}\n\n.adtech-reality-gap-block .argb-legend-reported {\n  background-color: #5fd7ce;\n}\n\n.adtech-reality-gap-block .argb-legend-confirmed {\n  background-color: #ef6f5f;\n}\n\n.adtech-reality-gap-block .argb-warning {\n  margin: 0;\n  padding: 15px 0 15px 26px;\n  border-left: 5px solid #ef6f5f;\n  color: #ffffff;\n  font-size: 23px;\n  line-height: 1.35;\n  font-weight: 900;\n  letter-spacing: -0.02em;\n}\n\n@media (max-width: 900px) {\n  .adtech-reality-gap-block {\n    padding: 30px 24px 28px;\n  }\n\n  .adtech-reality-gap-block .argb-title {\n    font-size: 26px;\n  }\n\n  .adtech-reality-gap-block .argb-chart {\n    max-height: 400px;\n  }\n\n  .adtech-reality-gap-block .argb-axis-text {\n    font-size: 16px;\n  }\n\n  .adtech-reality-gap-block .argb-chart-label {\n    font-size: 17px;\n  }\n\n  .adtech-reality-gap-block .argb-chart-note {\n    font-size: 18px;\n  }\n\n  .adtech-reality-gap-block .argb-legend-item {\n    font-size: 16px;\n  }\n\n  .adtech-reality-gap-block .argb-warning {\n    font-size: 20px;\n  }\n}\n\n@media (max-width: 640px) {\n  .adtech-reality-gap-block {\n    padding: 26px 16px 24px;\n    border-radius: 16px;\n  }\n\n  .adtech-reality-gap-block .argb-eyebrow {\n    font-size: 13px;\n  }\n\n  .adtech-reality-gap-block .argb-title {\n    font-size: 22px;\n    margin-bottom: 20px;\n  }\n\n  .adtech-reality-gap-block .argb-chart {\n    max-height: 340px;\n  }\n\n  .adtech-reality-gap-block .argb-axis-text {\n    font-size: 14px;\n  }\n\n  .adtech-reality-gap-block .argb-chart-label {\n    font-size: 15px;\n  }\n\n  .adtech-reality-gap-block .argb-chart-note {\n    font-size: 15px;\n  }\n\n  .adtech-reality-gap-block .argb-legend {\n    gap: 11px;\n    margin-bottom: 22px;\n  }\n\n  .adtech-reality-gap-block .argb-legend-item {\n    font-size: 14px;\n  }\n\n  .adtech-reality-gap-block .argb-warning {\n    padding-left: 18px;\n    font-size: 17px;\n  }\n}\n\n\n  <\/style>\n\n  <p class=\"argb-eyebrow\">SDK Spoofing<\/p>\n  <h3 class=\"argb-title\" id=\"the-reality-gap-reported-vs-confirmed\">The Reality Gap: Reported vs Confirmed<\/h3>\n\n  <div class=\"argb-chart-wrap\">\n    <svg class=\"argb-chart\" viewBox=\"0 0 980 430\" role=\"img\" aria-label=\"Chart showing reported outcomes staying high while confirmed revenue and retention decline over 30 days\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\">\n      <line class=\"argb-axis\" x1=\"110\" y1=\"40\" x2=\"110\" y2=\"340\"><\/line>\n      <line class=\"argb-axis\" x1=\"110\" y1=\"340\" x2=\"910\" y2=\"340\"><\/line>\n\n&#8220;`\n  <text class=\"argb-axis-text\" x=\"58\" y=\"70\">High<\/text>\n  <text class=\"argb-axis-text\" x=\"58\" y=\"340\">Zero<\/text>\n  <text class=\"argb-axis-text\" x=\"38\" y=\"220\" transform=\"rotate(-90 38 220)\">Volume \/ outcomes<\/text>\n\n  <text class=\"argb-axis-text\" x=\"110\" y=\"378\">Day 1<\/text>\n  <text class=\"argb-axis-text\" x=\"850\" y=\"378\">Day 30<\/text>\n\n  <polygon points=\"110,112 240,96 370,118 500,100 630,110 760,92 910,104 910,338 110,338\" fill=\"#2f176c\" opacity=\"0.9\"><\/polygon>\n\n  <polyline points=\"110,112 240,96 370,118 500,100 630,110 760,92 910,104\" fill=\"none\" stroke=\"#5fd7ce\" stroke-width=\"5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/polyline>\n\n  <polyline points=\"110,205 240,235 370,262 500,288 630,316 760,334 910,348\" fill=\"none\" stroke=\"#ef6f5f\" stroke-width=\"5\" stroke-linecap=\"round\" stroke-linejoin=\"round\"><\/polyline>\n\n  <text class=\"argb-chart-label\" x=\"820\" y=\"86\" fill=\"#5ff0d5\">Reported<\/text>\n  <text class=\"argb-chart-label\" x=\"812\" y=\"334\" fill=\"#ff806c\">Confirmed<\/text>\n\n  <text class=\"argb-chart-note\" x=\"385\" y=\"204\">the gap that flags review<\/text>\n<\/svg>\n\n\n  <\/div>\n\n  <div class=\"argb-legend\">\n    <div class=\"argb-legend-item\">\n      <span class=\"argb-legend-line argb-legend-reported\"><\/span>\n      <span>Reported by source (installs and purchase events)<\/span>\n    <\/div>\n\n\n<div class=\"argb-legend-item\">\n  <span class=\"argb-legend-line argb-legend-confirmed\"><\/span>\n  <span>Confirmed revenue and day-7 retention<\/span>\n<\/div>\n\n\n  <\/div>\n\n  <p class=\"argb-warning\">A confident top line and a collapsed bottom line. The wider the gap, the stronger the reason to investigate the source.<\/p>\n<\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"why-encryption-alone-does-not-stop-it\">Why Encryption Alone Does Not Stop It<\/h2>\n\n\n\n<p>It is tempting to assume that an encrypted connection settles the matter, and this is where a lot of intuition goes wrong.&nbsp;<\/p>\n\n\n\n<p>Adjust&#8217;s own <a href=\"https:\/\/help.adjust.com\/en\/article\/sdk-signature\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">documentation on SDK Signature<\/a> is blunt about it: when an SDK sends data, it is encrypted with Transport Layer Security (TLS), the standard protocol that protects web traffic, but while TLS stops a bad actor from reading your data in transit, it does nothing to stop them from sending fraudulent install or event data to your endpoint in the first place.&nbsp;<\/p>\n\n\n\n<p>Encryption proves the message was not tampered with on the wire. It does not prove the message came from a real instance of your app.<\/p>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p>The runtime path from earlier makes the gap even clearer. If an attacker alters the data inside the app before the SDK packages it, the SDK encrypts and transmits the altered values through a perfectly valid secure connection, and the network-level protections that were supposed to guarantee authenticity are looking at traffic that is, by their own standards, completely clean.\u00a0<\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<p>Protection that only defends the channel is defending the wrong thing. A spoofing defense has to verify that the sender is a genuine instance of the app, and the encryption on that channel is not built to do that.<\/p>\n\n\n<div class=\"block__preview\">\n        <a href=\"https:\/\/adex.com\/blog\/biggest-malware-scandals-2025\/\" class=\"block__preview_img\"><img src=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/02\/adex-biggest-malware-scandals-2025.jpg\" srcset=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/02\/adex-biggest-malware-scandals-2025.jpg\" sizes=\"100vw\" alt=\"Adex: the biggest malware scandals in 2025\" decoding=\"async\" class=\"lazy\"><\/a>\n    <div class=\"block__preview_box\">\n        <a href=\"https:\/\/adex.com\/blog\/category\/current_risks\/\" class=\"block__preview_box-cat\">Current risks<\/a>        <h3 class=\"block__preview_box-title\" id=\"the-biggest-malware-scandals-in-2025-why-the-fraud-looks-legit\"><a href=\"https:\/\/adex.com\/blog\/biggest-malware-scandals-2025\/\">The Biggest Malware Scandals in 2025: Why The Fraud Looks Legit?\u00a0<\/a><\/h3>\n    <\/div>\n<\/div>\n<style>\n.block__preview {display: flex;align-items: center;justify-content: center; margin: 32px 0;}\n.block__preview a {text-decoration: none;}\n.block__preview_img {min-width: 360px;max-width: 360px;min-height: 188px;width: 100%;height: 100%;}\n.block__preview_img img {width: 100%;height: 100%;}\n.block__preview_box {margin-left: 40px;max-width: 360px;}\n.block__preview_box-cat {color: #00B8A7 !important;font-weight: 600;font-size: 12px;line-height: 16px;text-transform: uppercase; display: block; margin-bottom: 4px;}\n.block__preview_box-cat:hover {color: #FE645A !important; text-decoration: none !important;}\n.block__preview_box-title {font-size: 20px;font-weight: 700;line-height: 24px;color: #0B172D;}\n.block__preview_box-title a {color: #0B172D !important;}\n.block__preview_box-title a:hover {color: #FE645A !important;}\n@media screen and (max-width: 768px) {.block__preview {flex-direction: column;}.block__preview_box {max-width: 100%; margin-top: 32px;margin-left: 0px;}.block__preview_img {max-width: 100%;min-width: 100%;min-height: 100%;}}<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"how-measurement-partners-and-platforms-defend-against-it\">How Measurement Partners and Platforms Defend Against It<\/h2>\n\n\n\n<p>Since the problem is authenticity rather than secrecy, the defense has to prove that each signal came from a real, untampered instance of the app.&nbsp;<\/p>\n\n\n\n<p>The mechanism the industry has settled on is cryptographic request signing. Each call the SDK sends is signed using a combination of app-specific secrets, dynamic parameters, and device and session data, which produces a hash that the receiving server can check.&nbsp;<\/p>\n\n\n\n<p>Requests that arrive unsigned or carrying an invalid signature are rejected before they ever count, and on Android, the app&#8217;s signing-certificate fingerprint can be allowlisted, so traffic that does not match it is treated as suspicious. A spoofing server cannot reproduce that signature because it cannot predict or reuse the secret the real app holds.<\/p>\n\n\n<div class=\"block__preview\">\n        <a href=\"https:\/\/adex.com\/blog\/adex-discovers-potential-dns-vulnerability-and-3rd-party-fraud-on-fc-barcelonas-official-website\/\" class=\"block__preview_img\"><img src=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2022\/11\/Adex-Barcelona-potential-fraud.png\" srcset=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2022\/11\/Adex-Barcelona-potential-fraud.png\" sizes=\"100vw\" alt=\"Adex - Barcelona - potential fraud\" decoding=\"async\" class=\"lazy\"><\/a>\n    <div class=\"block__preview_box\">\n        <a href=\"https:\/\/adex.com\/blog\/category\/current_risks\/\" class=\"block__preview_box-cat\">Current risks<\/a>        <h3 class=\"block__preview_box-title\" id=\"adex-discovers-potential-dns-vulnerability-and-3rd-party-fraud-on-fc-barcelonas-official-website\"><a href=\"https:\/\/adex.com\/blog\/adex-discovers-potential-dns-vulnerability-and-3rd-party-fraud-on-fc-barcelonas-official-website\/\">ADEX Discovers: Potential DNS Vulnerability and 3rd Party Fraud on FC Barcelona\u2019s Official Website<\/a><\/h3>\n    <\/div>\n<\/div>\n<style>\n.block__preview {display: flex;align-items: center;justify-content: center; margin: 32px 0;}\n.block__preview a {text-decoration: none;}\n.block__preview_img {min-width: 360px;max-width: 360px;min-height: 188px;width: 100%;height: 100%;}\n.block__preview_img img {width: 100%;height: 100%;}\n.block__preview_box {margin-left: 40px;max-width: 360px;}\n.block__preview_box-cat {color: #00B8A7 !important;font-weight: 600;font-size: 12px;line-height: 16px;text-transform: uppercase; display: block; margin-bottom: 4px;}\n.block__preview_box-cat:hover {color: #FE645A !important; text-decoration: none !important;}\n.block__preview_box-title {font-size: 20px;font-weight: 700;line-height: 24px;color: #0B172D;}\n.block__preview_box-title a {color: #0B172D !important;}\n.block__preview_box-title a:hover {color: #FE645A !important;}\n@media screen and (max-width: 768px) {.block__preview {flex-direction: column;}.block__preview_box {max-width: 100%; margin-top: 32px;margin-left: 0px;}.block__preview_img {max-width: 100%;min-width: 100%;min-height: 100%;}}<\/style>\n\n\n\n<p>Purchase events can be checked in a second way, more specific than the signature. A genuine in-app purchase produces a receipt issued by the App Store or Google Play, so the reported purchase can be confirmed against the store before its revenue is counted.&nbsp;<\/p>\n\n\n\n<p>This receipt check validates the transaction with the store in real time and marks each purchase as genuine or not, so a spoofed purchase event with no real transaction behind it does not pass as real revenue. It only covers purchase-type events, but those are the ones tied most directly to payouts.<\/p>\n\n\n\n<p>Signing works best when the SDK itself is hard to take apart, which is the case for a closed-source SDK. An open codebase makes the protocol transparent to everyone, including the attacker reverse engineering it, so the cryptographic logic is right there to study.&nbsp;<\/p>\n\n\n<div class=\"block__preview\">\n        <a href=\"https:\/\/adex.com\/blog\/another-case-of-subdomain-takeover-detected-potential-fraud-on-carmax-website\/\" class=\"block__preview_img\"><img src=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2022\/12\/Adex-carmax-subdomain-takeover.png\" srcset=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2022\/12\/Adex-carmax-subdomain-takeover.png\" sizes=\"100vw\" alt=\"Adex - carmax subdomain takeover\" decoding=\"async\" class=\"lazy\"><\/a>\n    <div class=\"block__preview_box\">\n        <a href=\"https:\/\/adex.com\/blog\/category\/current_risks\/\" class=\"block__preview_box-cat\">Current risks<\/a>        <h3 class=\"block__preview_box-title\" id=\"another-case-of-subdomain-takeover-detected-potential-fraud-on-carmax-website\"><a href=\"https:\/\/adex.com\/blog\/another-case-of-subdomain-takeover-detected-potential-fraud-on-carmax-website\/\">Another Case of Subdomain Takeover Detected: Potential Fraud on Carmax Website<\/a><\/h3>\n    <\/div>\n<\/div>\n<style>\n.block__preview {display: flex;align-items: center;justify-content: center; margin: 32px 0;}\n.block__preview a {text-decoration: none;}\n.block__preview_img {min-width: 360px;max-width: 360px;min-height: 188px;width: 100%;height: 100%;}\n.block__preview_img img {width: 100%;height: 100%;}\n.block__preview_box {margin-left: 40px;max-width: 360px;}\n.block__preview_box-cat {color: #00B8A7 !important;font-weight: 600;font-size: 12px;line-height: 16px;text-transform: uppercase; display: block; margin-bottom: 4px;}\n.block__preview_box-cat:hover {color: #FE645A !important; text-decoration: none !important;}\n.block__preview_box-title {font-size: 20px;font-weight: 700;line-height: 24px;color: #0B172D;}\n.block__preview_box-title a {color: #0B172D !important;}\n.block__preview_box-title a:hover {color: #FE645A !important;}\n@media screen and (max-width: 768px) {.block__preview {flex-direction: column;}.block__preview_box {max-width: 100%; margin-top: 32px;margin-left: 0px;}.block__preview_img {max-width: 100%;min-width: 100%;min-height: 100%;}}<\/style>\n\n\n\n<p>Keeping the SDK&#8217;s internals closed does not make reverse engineering impossible, since any software can be picked apart given enough effort, but it raises the cost and the time required, which is often enough to push an opportunist toward an easier target. Around both of these sit behavioral and anomaly detection at the MMP, which is where the SDK version spikes and other pattern breaks get caught.<\/p>\n\n\n\n<p>The supply side has a role too. Networks and anti-fraud platforms that sit in the path between a traffic source and the advertiser can apply their own validation, flagging suspicious install and event patterns so they are filtered out rather than passed downstream as clean conversions.&nbsp;<\/p>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p>No single layer is a wall on its own. Request signing rejects the forged calls it can prove are forged, anomaly detection catches the patterns signing alone would miss, and advertiser-side review of whether reported value turns into real money closes the part no automated filter can see for you. Each layer covers a different blind spot, which is why defense against spoofing is layered rather than absolute.<\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"what-advertisers-can-do\">What Advertisers Can Do<\/h2>\n\n\n\n<p>SDK spoofing is convincing because it is built to be, copied from the real protocol and stripped of the one thing it cannot reproduce, an actual person using the app. That absence is also the opening.&nbsp;<\/p>\n\n\n\n<p>The defense that holds is the combination of an MMP that signs and validates every request, a closed-source SDK that makes the protocol expensive to copy, and your own habit of checking whether a source&#8217;s reported value ever becomes real revenue and real retention.&nbsp;<\/p>\n\n\n<div class=\"block__bord\"><div class=\"block__bord_desc\"><p>Treat install and event counts as claims your own data still has to confirm, and route your attribution through a partner that rejects what it cannot verify. For every source that looks too good, one question cuts through the reported numbers: where are the people behind them.<\/p>\n<\/div><\/div>\n<style>\n.block__bord { margin: 32px 0; padding: 1.25em 2.375em;\tborder-radius: 24px; background: rgba(0, 220, 200, 0.20); }\n.block__bord_desc {font-size: 16px !important;font-weight: 400 !important;color: #606060 !important;}\n<\/style>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"faq\">FAQ<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"is-sdk-spoofing-the-same-as-a-bot-or-a-fake-install\">Is SDK spoofing the same as a bot or a fake install? <\/h3>\n\n\n\n<p>It is a more advanced relative. Fake installs are a broad category for any fraudulently generated install, and many of those use real or emulated devices that leave behavioral fingerprints. SDK spoofing skips the device entirely and forges the SDK&#8217;s server communication directly, which is what makes it harder to spot than a typical bot install.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"does-it-affect-ios-or-only-android\">Does it affect iOS or only Android? <\/h3>\n\n\n\n<p>The technique targets the SDK-to-server communication rather than anything platform-specific, so the basic method is not exclusive to one operating system. Some related defenses, such as Android signing-certificate fingerprinting, are platform-specific, but the core risk of forged or replayed signals applies wherever an SDK reports installs and events.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"why-cant-an-encrypted-connection-stop-it\">Why can&#8217;t an encrypted connection stop it? <\/h3>\n\n\n\n<p>Encryption keeps the data private and unaltered while it travels, but it does not verify that the sender is a genuine copy of your app. A fraudster can send fabricated data over a perfectly valid encrypted connection, or alter the data on the device before the SDK encrypts it. Stopping that requires signing each request so the server can reject anything it cannot verify, which encryption alone does not do.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"how-do-i-tell-if-a-source-in-my-own-account-is-spoofed\">How do I tell if a source in my own account is spoofed? <\/h3>\n\n\n\n<p>Look past the install and event counts to see whether the value shows up where it should. Check for installs reported from SDK versions you never shipped or version spikes that do not match your release schedule, and compare reported purchases and subscriptions against the revenue and renewals that actually hit your billing. A source that keeps reporting strong activity which never reconciles to money or retention is the pattern to investigate, and your MMP&#8217;s fraud reporting will usually flag the SDK-version anomalies directly.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What if your dashboard is celebrating users who don\u2019t exist? This article explains how SDK spoofing fakes installs and in-app events, why encryption alone isn\u2019t enough, and which signals to check first.<\/p>\n","protected":false},"author":4,"featured_media":5795,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[18,16],"class_list":["post-5780","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-guides","tag-fraud","tag-threat"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>SDK Spoofing: How Fake In-App Events Work<\/title>\n<meta name=\"description\" content=\"SDK spoofing fakes installs and in-app events with no real device or user. Learn how to spot it and why request signing matters.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/adex.com\/blog\/sdk-spoofing-fake-in-app-events\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SDK Spoofing: How Fake In-App Events Work\" \/>\n<meta property=\"og:description\" content=\"SDK spoofing fakes installs and in-app events with no real device or user. Learn how to spot it and why request signing matters.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/adex.com\/blog\/sdk-spoofing-fake-in-app-events\/\" \/>\n<meta property=\"og:site_name\" content=\"ADEX\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/adexsaas\/\" \/>\n<meta property=\"article:published_time\" content=\"2026-06-23T07:04:46+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-06-24T09:30:52+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/06\/adex-sdk-spoofing.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"628\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Kira Vessiari\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@adexsaas\" \/>\n<meta name=\"twitter:site\" content=\"@adexsaas\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kira Vessiari\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/sdk-spoofing-fake-in-app-events\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/sdk-spoofing-fake-in-app-events\\\/\"},\"author\":{\"name\":\"Kira Vessiari\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/person\\\/2bf2469195f0e5bffe2e1d5b2ef12b61\"},\"headline\":\"SDK Spoofing: How Fraudsters Fake In-App Events\",\"datePublished\":\"2026-06-23T07:04:46+00:00\",\"dateModified\":\"2026-06-24T09:30:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/sdk-spoofing-fake-in-app-events\\\/\"},\"wordCount\":2788,\"publisher\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/sdk-spoofing-fake-in-app-events\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/adex-sdk-spoofing.png\",\"keywords\":[\"Fraud\",\"Threat\"],\"articleSection\":[\"Guides\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/sdk-spoofing-fake-in-app-events\\\/\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/sdk-spoofing-fake-in-app-events\\\/\",\"name\":\"SDK Spoofing: How Fake In-App Events Work\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/sdk-spoofing-fake-in-app-events\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/sdk-spoofing-fake-in-app-events\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/adex-sdk-spoofing.png\",\"datePublished\":\"2026-06-23T07:04:46+00:00\",\"dateModified\":\"2026-06-24T09:30:52+00:00\",\"description\":\"SDK spoofing fakes installs and in-app events with no real device or user. Learn how to spot it and why request signing matters.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/sdk-spoofing-fake-in-app-events\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/adex.com\\\/blog\\\/sdk-spoofing-fake-in-app-events\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/sdk-spoofing-fake-in-app-events\\\/#primaryimage\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/adex-sdk-spoofing.png\",\"contentUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/06\\\/adex-sdk-spoofing.png\",\"width\":1200,\"height\":628,\"caption\":\"adex-sdk-spoofing\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/sdk-spoofing-fake-in-app-events\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/adex.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SDK Spoofing: How Fraudsters Fake In-App Events\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/\",\"name\":\"ADEX - Ad Fraud & Invalid Traffic Prevention Platform\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#organization\"},\"alternateName\":\"ADEX\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/adex.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#organization\",\"name\":\"ADEX - Ad Fraud & Invalid Traffic Prevention Platform\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/CDD2258_copy-48-1.svg\",\"contentUrl\":\"https:\\\/\\\/adex.com\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/CDD2258_copy-48-1.svg\",\"width\":148,\"height\":30,\"caption\":\"ADEX - Ad Fraud & Invalid Traffic Prevention Platform\"},\"image\":{\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/adexsaas\\\/\",\"https:\\\/\\\/x.com\\\/adexsaas\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/adex.com\\\/blog\\\/#\\\/schema\\\/person\\\/2bf2469195f0e5bffe2e1d5b2ef12b61\",\"name\":\"Kira Vessiari\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g\",\"caption\":\"Kira Vessiari\"},\"sameAs\":[\"https:\\\/\\\/adex.com\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/kiravessiari\\\/\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"SDK Spoofing: How Fake In-App Events Work","description":"SDK spoofing fakes installs and in-app events with no real device or user. Learn how to spot it and why request signing matters.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/adex.com\/blog\/sdk-spoofing-fake-in-app-events\/","og_locale":"en_US","og_type":"article","og_title":"SDK Spoofing: How Fake In-App Events Work","og_description":"SDK spoofing fakes installs and in-app events with no real device or user. Learn how to spot it and why request signing matters.","og_url":"https:\/\/adex.com\/blog\/sdk-spoofing-fake-in-app-events\/","og_site_name":"ADEX","article_publisher":"https:\/\/www.facebook.com\/adexsaas\/","article_published_time":"2026-06-23T07:04:46+00:00","article_modified_time":"2026-06-24T09:30:52+00:00","og_image":[{"width":1200,"height":628,"url":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/06\/adex-sdk-spoofing.png","type":"image\/png"}],"author":"Kira Vessiari","twitter_card":"summary_large_image","twitter_creator":"@adexsaas","twitter_site":"@adexsaas","twitter_misc":{"Written by":"Kira Vessiari","Est. reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/adex.com\/blog\/sdk-spoofing-fake-in-app-events\/#article","isPartOf":{"@id":"https:\/\/adex.com\/blog\/sdk-spoofing-fake-in-app-events\/"},"author":{"name":"Kira Vessiari","@id":"https:\/\/adex.com\/blog\/#\/schema\/person\/2bf2469195f0e5bffe2e1d5b2ef12b61"},"headline":"SDK Spoofing: How Fraudsters Fake In-App Events","datePublished":"2026-06-23T07:04:46+00:00","dateModified":"2026-06-24T09:30:52+00:00","mainEntityOfPage":{"@id":"https:\/\/adex.com\/blog\/sdk-spoofing-fake-in-app-events\/"},"wordCount":2788,"publisher":{"@id":"https:\/\/adex.com\/blog\/#organization"},"image":{"@id":"https:\/\/adex.com\/blog\/sdk-spoofing-fake-in-app-events\/#primaryimage"},"thumbnailUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/06\/adex-sdk-spoofing.png","keywords":["Fraud","Threat"],"articleSection":["Guides"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/adex.com\/blog\/sdk-spoofing-fake-in-app-events\/","url":"https:\/\/adex.com\/blog\/sdk-spoofing-fake-in-app-events\/","name":"SDK Spoofing: How Fake In-App Events Work","isPartOf":{"@id":"https:\/\/adex.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/adex.com\/blog\/sdk-spoofing-fake-in-app-events\/#primaryimage"},"image":{"@id":"https:\/\/adex.com\/blog\/sdk-spoofing-fake-in-app-events\/#primaryimage"},"thumbnailUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/06\/adex-sdk-spoofing.png","datePublished":"2026-06-23T07:04:46+00:00","dateModified":"2026-06-24T09:30:52+00:00","description":"SDK spoofing fakes installs and in-app events with no real device or user. Learn how to spot it and why request signing matters.","breadcrumb":{"@id":"https:\/\/adex.com\/blog\/sdk-spoofing-fake-in-app-events\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/adex.com\/blog\/sdk-spoofing-fake-in-app-events\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/adex.com\/blog\/sdk-spoofing-fake-in-app-events\/#primaryimage","url":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/06\/adex-sdk-spoofing.png","contentUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2026\/06\/adex-sdk-spoofing.png","width":1200,"height":628,"caption":"adex-sdk-spoofing"},{"@type":"BreadcrumbList","@id":"https:\/\/adex.com\/blog\/sdk-spoofing-fake-in-app-events\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/adex.com\/blog\/"},{"@type":"ListItem","position":2,"name":"SDK Spoofing: How Fraudsters Fake In-App Events"}]},{"@type":"WebSite","@id":"https:\/\/adex.com\/blog\/#website","url":"https:\/\/adex.com\/blog\/","name":"ADEX - Ad Fraud & Invalid Traffic Prevention Platform","description":"","publisher":{"@id":"https:\/\/adex.com\/blog\/#organization"},"alternateName":"ADEX","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/adex.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/adex.com\/blog\/#organization","name":"ADEX - Ad Fraud & Invalid Traffic Prevention Platform","url":"https:\/\/adex.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/adex.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2022\/05\/CDD2258_copy-48-1.svg","contentUrl":"https:\/\/adex.com\/blog\/wp-content\/uploads\/2022\/05\/CDD2258_copy-48-1.svg","width":148,"height":30,"caption":"ADEX - Ad Fraud & Invalid Traffic Prevention Platform"},"image":{"@id":"https:\/\/adex.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/adexsaas\/","https:\/\/x.com\/adexsaas"]},{"@type":"Person","@id":"https:\/\/adex.com\/blog\/#\/schema\/person\/2bf2469195f0e5bffe2e1d5b2ef12b61","name":"Kira Vessiari","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/cc59bc385c83827a6549fd86c717ef334484d083fba0e770f9b2365acdf272f2?s=96&d=mm&r=g","caption":"Kira Vessiari"},"sameAs":["https:\/\/adex.com","https:\/\/www.linkedin.com\/in\/kiravessiari\/"]}]}},"_links":{"self":[{"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/posts\/5780","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/comments?post=5780"}],"version-history":[{"count":13,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/posts\/5780\/revisions"}],"predecessor-version":[{"id":5814,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/posts\/5780\/revisions\/5814"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/media\/5795"}],"wp:attachment":[{"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/media?parent=5780"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/categories?post=5780"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adex.com\/blog\/wp-json\/wp\/v2\/tags?post=5780"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}