Trends & Insights
Top 3 Mobile Ad Fraud Tactics in Vietnam’s Fintech Industry (2025) — And How to Prevent Them
2025
.
2
.
13
By
Hoang Ngoc
The financial technology (Fintech) industry in the APAC region is undergoing significant changes, with remarkable growth in key metrics such as app installations, mobile session activity, and revenue from financial applications. In Vietnam, this market is expanding rapidly with the emergence of numerous applications offering payment services, unsecured lending, and personal financial management.
However, the market boom has also led to a rise in increasingly sophisticated ad fraud activities, significantly impacting the Fintech sector. The high rate of install fraud in Fintech applications stems from several factors, including large marketing budgets; a lack of in-depth understanding of key advertising KPIs, especially among traditional banks or investment firms new to digital advertising; and the highest average cost per install (CPI) in the market, creating strong incentives for fraudulent activities.
Another key reason for the high fraud rate is that the Fintech industry is still in the early stages of transitioning from desktop to mobile. Right now, the focus is more on growing the user base rather than optimizing revenue. Additionally, the cost of acquiring a user in the financial sector is typically higher than in other app categories, as users are expected to have higher retention rates and more frequent transactions.
According to recent reports, Vietnam is one of the most heavily affected markets by mobile ad fraud, with an estimated 10-30% of advertising budgets lost each year. This issue not only leads to wasted resources but also negatively impacts business performance and erodes user trust in Fintech applications.
Ad fraud in the Fintech industry is becoming increasingly complex, with tactics like bot fraud, mistargeting, device farms, and attribution fraud leading to budget losses, data distortion, and reduced campaign effectiveness. Airbridge provides powerful solutions, including raw data analysis, fraud validation rules, and rigorous monitoring on the MMP platform. These tools help Fintech businesses quickly detect and prevent fraudulent activities, safeguard their budgets, and optimize advertising performance.
Bots are the most dominant type of fraud impacting the Fintech mobile market, accounting for over 50% of all fraudulent activities. These bots cause significant harm to businesses by launching large-scale attacks within a short period, rapidly distorting data and compromising campaign effectiveness.
Currently, the ad fraud rate in the Fintech sector is around 31.8%, meaning that 1 in every 3 app installs is fraudulent. To help businesses stay protected, let’s explore the most common types of ad fraud in Fintech, how they operate, and how to identify them with Airbridge.
What are Device Farms?
Device farms use intelligent bots along with a large number of outdated, low-cost devices to generate massive amounts of fake touchpoints or conversions. According to statistics, device farms can leverage thousands of devices to simulate post-install events for up to a month after each installation.
How Device Farms Work
Data from Interceptd indicates that this type of fraud accounts for up to 25% of all fraud cases, and this figure is even higher in the Fintech industry, reaching 31%, according to Business of Apps. As a result, Jupiter Research estimates that Device Farms consume a significant portion of Fintech companies' advertising budgets, ranging from 12% to 20%.
“Symptoms” of Device Farms
This type of fraud is typically identified by abnormally low conversion rates and engagement levels, as most users from these financial apps are fake. The key difference from attribution fraud is the extremely poor user quality, with retention rates showing little to no improvement.
More specifically, retention rates tend to drop sharply from Day 1 and nearly reach zero between Day 5 and Day 7, as fake accounts have no motivation to perform natural actions such as logging in or interacting with the app after being created.
The lack of motivation to continue using the app is also reflected in the low in-app conversion rates. By analyzing conversion metrics at each step of the eKYC (electronic Know Your Customer) process, businesses can track the customer journey after installation across different channels, allowing them to identify and eliminate channels that exhibit suspicious in-app event patterns.
For example, after installation, regular users tend to complete the eKYC steps at a consistent rate because they have a real need for the app, giving them the motivation to proceed. This pattern can be observed in channels such as “cauly,” “naver,” and “tradingworks” below.
However, for installs generated by Device Farms, since they are primarily created to register installs, the devices have no motivation to perform further actions within the app, similar to the installs from the “Discord” channel shown below.
Additionally, device farms often rely on outdated, low-cost devices with older OS versions. In the example below, the operating systems are noticeably outdated, commonly found in older, budget devices that no longer support upgrades to the latest iOS 18.
What is Attribution Fraud?
Attribution fraud is often identified through the phenomenon of "organic cannibalization." If the number of non-attributed installs (= organic installs) decreases while attributed installs (= paid installs) increase, despite the ad budget remaining stable, it suggests that organic installs are being hijacked and incorrectly recorded as paid installs.
“Symptoms” of Attribution Fraud
Organic Cannibalization often occurs when the Click-to-Install Time (CTIT) is too short or when there is an unusual ratio between clicks and installs, such as a high number of clicks but few actual installs. This type of fraud is carried out through click injection or click spamming, both of which are forms of attribution fraud.
Click injection occurs when a fraudulent intermediary detects the moment an app is being downloaded and inserts a fake touchpoint or interaction just before the MMP records the completed installation. This allows the fraudster to claim credit for the install as the winning touchpoint.
This type of fraud is specific to Android devices, exploiting the operating system's broadcast system. When a new app is installed on an Android device, a signal is sent to other apps. This system was originally designed to enhance connectivity between Fintech-related apps on a user's device, such as supporting deep linking or streamlining the login process.
Click Spamming, also known as click flooding, is a form of ad fraud where fraudsters generate fake clicks and insert them into the journey of real users without their knowledge or consent. This can be carried out through background-running apps, such as memory cleaners or battery-saving tools, which trigger clicks at any time. As a result, data becomes distorted, reducing its reliability and leading to wasted ad spend on ineffective campaigns.
What is SDK Spoofing?
This type of fraud occurs when fraudsters hack an MMP's SDK (including login credentials, data packets, etc.) to send fake signals. As a result, they generate fraudulent installs that appear legitimate by using real device data. This technique is also known as a man-in-the-middle attack.
Specifically, fraudsters break SSL encryption between the tracking SDK and its backend servers to generate a series of test installs for the target app. Once they identify the URLs corresponding to specific in-app events, they manipulate the dynamic parts of the URL to create fake installs.
Once enough information is gathered, fraudsters can repeatedly execute this process indefinitely, resulting in significant financial losses for advertisers.
“Symptoms” of SDK Spoofing
SDK Spoofing is most noticeable when multiple transaction IDs or user IDs appear in the MMP data but do not exist in the internal systems (CRM, ERP). In the example below, user ID user_161110 and transaction ID tx_97776154 may be fraudulent, as they are recorded only in the MMP but do not appear in the original CRM data.
Moreover, abnormally low conversion rates and unrealistically short time intervals between events—such as app installation, app opening, and the first user action—are strong indicators of SDK Spoofing, as they deviate from real user behavior.
Some impacts of this fraud on businesses:
Identifying these types of fraud is a major challenge for businesses, often requiring significant time, effort, and financial resources to detect and eliminate fraudulent installs. With Airbridge’s Abnormal Install Report, powered by AI, businesses can automatically monitor suspicious install volumes across different fraud categories. This makes fraud detection easier, faster, and more cost-effective than ever.
Beyond fraud detection, Airbridge actively supports Fintech partners in combating ad fraud by working closely with their Customer Success teams to implement Fraud Validation Rules tailored to their campaign needs.
More specifically, attribution fraud methods like Click Injection and Click Spamming can be effectively eliminated using the Lag Time and Frequency Capping features. With Lag Time, businesses can configure settings to reject postbacks for installs where the Click-to-Install Time (CTIT) is under 10 seconds, as it is unrealistic for a user to click, download, install, and open an app within such a short time frame.
With Frequency Capping, businesses can prevent fraudulent IP addresses or channels that generate an unusually high number of clicks within a customized time frame, as real users are unlikely to perform multiple clicks in such a short period.
Additionally, to detect SDK Spoofing, Airbridge provides a Raw Data Report, which not only offers comprehensive measurement metrics to help businesses gain a better overview of their campaigns but also allows them to compare user_id or transaction_id to ensure that MMP data matches internal systems like CRM and ERP. The SDK Signature feature then helps quickly and effectively eliminate fraudulent MMP cases.
For issues related to Device Farms, Fintech advertisers should review sub-publishers and ad placements with abnormally low retention, conversion, and engagement rates. Additionally, they should check for outdated devices or small clusters of repeated IP addresses. All these factors are covered under the Conversion Traffic and Retention features, which help identify suspicious conversions based on multiple criteria such as IP, country, and operating system. As a result, Fintech businesses can avoid paying for fraudulent installs originating from duplicate IPs, non-target countries, or installs with unusually low retention rates.
