Forum Moderators: martinibuster

Getting Clickbombed and Frustrated

         

friedclyde

1:27 pm on Dec 16, 2020 (gmt 0)

5+ Year Member



Hi, I haven't been here for a long time. My AdSense income has been a trickle, but it's been something that helps pay a few bills and I depend on it.

A few months ago I started using gtranslate (paid) on subdomains nl.url.com etc. and everything was fine; I had a bit of a bump in search engine traffic.

One day I wake up and my AdSense is out of the roof. I knew it was a click bomb; I didn't bother because I knew it would reset, but this went on: every reset it went back to getting bombed. I filled up the invalid click form and got no response.

Then I noticed I was getting a lot of activity or visitors from the gtranslate IP. I reached out to them and they said that they pass on the IPs etc., but my Wordfence was still showing me their server IPs and not the visitor.

So I just blocked their entire IP range and I deleted my subdomains, but it didn't stop. The weirdest part is, it's been around 36 hours that I have completely removed AdSense and I'm still getting clicks.

I've looked at my analytics; it's not showing me any clicks on ads. Then I've gone through server logs, loads of it, and I have not found anything really odd. I searched via browsers blacklisted IPs and had no luck. I cleared out my ads.txt file and only left my account.

I also use Advanced Ads and I used the click fraud feature as well as blocked bots from seeing ads, but nothing seems to have stopped this.

I have clicks from the Netherlands and Zimbabwe and Russia, ads are only allowed to appear on my website and I have no clue what's going on.

Any kind of light here will be appreciated. This is the first time in over a decade I'm dealing with something like this. It's been over two weeks now and after a week or so, even my real clicks stopped making any $.

Thank you

dolcevita

1:26 pm on Apr 11, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@lammert, I think that if I’m talking about bot traffic, I don’t talk about my problem but about the problem of each website in general. Of course invalid clicks can have different reasons, but in principle it is an automatism that comes from Bots. When it comes to bounce rate I disagree with you that 80% is fine, for any type of website.

NickMNS

3:23 pm on Apr 11, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"but in principle it is an automatism that comes from Bots."

No, that is a bad assumption to make. Click-jacking is an example of an "automated" attack and does not require bots. Moreover, in theory detecting a bot attack is relatively straightforward as the bot's IP would appear very frequently in the raw logs, whereas a click-jacking attack would be very difficult to detect as the users could be legitimate users.

"When it comes to bounce rate I disagree with you that 80% is fine, for any type of website."

I have a website where some pages are a little less than 80% and others that are close to 0%. The difference is, as @lammert explained, on the 80% page all the information is laid out on a long page that requires no user interaction other than scrolling. The 0% pages are a tool that requires user interaction to get the information. Same users, same website, different bounce rate. There is no "correct" or "target" bounce rate.
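The raw-log frequency check mentioned in the post above, as an added example that is not part of the original thread: it counts requests per visitor and trusts X-Forwarded-For only when the connecting peer is a known proxy, which is the situation where a security plugin shows the proxy's server IPs instead of the visitor's. The proxy range, the log format and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical range of the translation/CDN proxy that fronts the site.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed log lines: peer address first, X-Forwarded-For as the last
# quoted field (an assumed log format, adjust the regex to your own).
SAMPLE_LOG = '''\
203.0.113.10 - - [16/Dec/2020:13:01:02 +0000] "GET /a HTTP/1.1" 200 512 "198.51.100.7"
203.0.113.10 - - [16/Dec/2020:13:01:03 +0000] "GET /a HTTP/1.1" 200 512 "198.51.100.7"
203.0.113.10 - - [16/Dec/2020:13:01:04 +0000] "GET /b HTTP/1.1" 200 512 "198.51.100.7"
203.0.113.10 - - [16/Dec/2020:13:01:09 +0000] "GET /a HTTP/1.1" 200 512 "192.0.2.44"
192.0.2.80 - - [16/Dec/2020:13:02:00 +0000] "GET /a HTTP/1.1" 200 512 "198.51.100.7"
203.0.113.11 - - [16/Dec/2020:13:02:05 +0000] "GET /a HTTP/1.1" 200 512 "198.51.100.7, 203.0.113.10"
'''
LINE_RE = re.compile(r'^(\S+) .*"([^"]*)"$')


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff):
    """Return the visitor address; believe X-Forwarded-For only from our proxies."""
    peer_addr = ipaddress.ip_address(peer)
    if not is_trusted(peer_addr):
        return str(peer_addr)        # direct hit: a client-supplied XFF is ignored
    for hop in reversed(xff.split(",")):   # the rightmost hop was added last
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            break                    # missing or malformed value: keep the peer
        if not is_trusted(addr):
            return str(addr)
    return str(peer_addr)


def heavy_hitters(log_text, min_share=0.5):
    """List (ip, hits) for visitors responsible for at least min_share of requests."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[client_ip(m.group(1), m.group(2))] += 1
    total = sum(counts.values())
    return [(ip, n) for ip, n in counts.most_common() if n / total >= min_share]
```

Counting the peer column alone would flag the proxy at 203.0.113.10; resolving the forwarded address first attributes those requests to the visitor behind it.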

dolcevita

6:03 pm on Apr 11, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I need a better explanation NickMNS.

You say Click-jacking is an example of an 'automated' attack that doesn't require bots? Aren’t malicious bots themselves multifunctional and multi-purpose malware designed to steal information, or infect a host, or to do Click-jacking or whatever ...?
They can be sent by legitimate users and from that side I understand what you mean. But can you be more detailed what you meant by Click-jacking ‘automated’ under the alleged? They are automatically programmed malware with the exact function of what to do and how much damage they should do.

My point is that by blocking malicious traffic from bots you reduce the chance of being under attack in any segment of their operations.

NickMNS

10:21 pm on Apr 11, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"Aren’t malicious bots themselves multifunctional and multi-purpose malware designed to steal information, or infect a host, or to do Click-jacking or whatever ...?"

I suppose you could define bots any way you would like. But that isn't how I would define it. A bot can be as simple as a script that makes an HTTP request to get data from a server, and as complex as a script that takes control of the browser to take action and interact with dynamic content. Generally the term bot assumes that the script can run for some period of time without the need of human intervention. Bots do not "steal information" by definition, but they certainly can be used to do that. Googlebot, Bingbot and Mediapartners bot and many others are examples of bots that do not steal. If AdSense is used there are a host of other bots that regularly crawl the sites to collect data for advertisers; aggressively blocking bots can thus have a negative impact on AdSense earnings.

Briefly, click-jacking is when ads from your website are shown in an iframe on another site. To users the ads look legitimate so they click them. Ads could be placed on torrent sites or others where there is a lot of real human traffic but no means to efficiently monetize. This would be a type of negative "SEO" attack as the attacker would not benefit directly from the ads being clicked, but getting your competitor banned from AdSense would likely be beneficial. I have my doubts about this as I would assume that AdSense has means of detecting this type of thing. But @friedclyde shared a paper that suggested it was possible.

Note that in such a scenario, I think it would be possible to have clicks on ads without any impression if the host page were able to cache the iframe request. So it is plausible; maybe @lammert may want to chime in. All this to say that this does not involve any bots.

I think the most plausible scenario has to do with Android WebView and its iOS counterpart (Safari in-app), which is a "pseudo" browser used to show webpages in native apps. These are used extensively by FB and other SM platforms. It allows FB et al. to show your content while ensuring to keep users locked in to their platform. This is very similar to an iframe. In this scenario there is no guarantee that your page will display as intended, then add to the mix a slow network connection and who knows what the user sees.

dolcevita

7:43 am on Apr 12, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Isn't the easy solution for the iframe issue and click-jacking in that context to be proactive and set X-Frame to deny or sameorigin:

X-Frame-Options:DENY - Your sign-in screen is not allowed to be used in an embed code. Items must be hyperlinked.
X-Frame-Options:SAMEORIGIN - This means that the page can only be embedded in a frame on a page with the same origin as itself.

I have just tested the HTTP header from my website and SAMEORIGIN is already set by CF itself.

I have just added no-sniff and X-XSS protection via htaccess.
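A way to check the framing headers discussed in the post above, as an added example that is not part of the original thread: it classifies a response's framing restriction from X-Frame-Options and from the CSP `frame-ancestors` directive, which supersedes X-Frame-Options when it is enforced. The function name, verdict strings and sample header sets are constructed for illustration.

```python
def frame_policy(headers):
    """Classify a response's framing restriction.

    headers: list of (name, value) pairs exactly as received, duplicates kept.
    """
    xfo, ancestors = set(), None
    for name, value in headers:
        lname = name.strip().lower()
        if lname == "x-frame-options":
            # Duplicate headers and comma-joined values form one combined list.
            xfo.update(v.strip().upper() for v in value.split(",") if v.strip())
        elif lname == "content-security-policy" and ancestors is None:
            # Report-Only policies use a different header name and are skipped.
            # Simplification: only the first policy with frame-ancestors is read.
            for directive in value.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    ancestors = [p.lower() for p in parts[1:]]
                    break
    if ancestors is not None:
        # An enforced frame-ancestors directive supersedes X-Frame-Options.
        if ancestors == ["'none'"]:
            return "blocked-everywhere"
        if ancestors == ["'self'"]:
            return "same-origin-only"
        if not ancestors:
            return "ambiguous"
        return "unprotected" if "*" in ancestors else "allow-listed"
    if not xfo:
        return "unprotected"
    if len(xfo) > 1:
        return "ambiguous"      # conflicting values: fix the configuration
    value = next(iter(xfo))
    if value == "DENY":
        return "blocked-everywhere"
    if value == "SAMEORIGIN":
        return "same-origin-only"
    return "unprotected"        # e.g. obsolete ALLOW-FROM, ignored by current browsers


# Constructed header sets, e.g. a CDN and .htaccess both adding the header.
SAMPLES = {
    "cdn_only": [("X-Frame-Options", "SAMEORIGIN")],
    "cdn_plus_htaccess": [("x-frame-options", "SAMEORIGIN"), ("X-Frame-Options", "DENY")],
    "legacy": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "csp_wins": [("X-Frame-Options", "SAMEORIGIN"),
                 ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
}
```

These headers govern whether the page that sends them can be embedded in a frame by another site, so the check is run against the response for the page itself.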

thecoalman

7:52 pm on Apr 12, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



So how am I supposed to fix a penalty when there's absolutely nothing wrong with my ads?


I realize this is not a workable solution for everyone but I fixed all my Google ad related issues by removing them and concentrating on direct advertisers. With the revenue decline and other issues it wasn't a difficult decision. I know a lot of people make a lot of money on them but I wasn't. Final straw was when they implemented auto ads by default and I found my site overtaken by Google ads including placements that would cause me a penalty if I put them there.

SweetPotato

4:19 pm on Apr 17, 2021 (gmt 0)

5+ Year Member Top Contributors Of The Month



You can always not use autoads. It's not mandatory.