- Group-IB warns of criminals using virtual Android “cloud phones” for APP scams
- Devices imitate real fingerprints, bypassing banking security and enabling fraud
- Darknet marketplaces sell pre-warmed accounts; anomalies in applications, IP, and behavior can help detect them.
Criminals have begun using virtual Android devices to bypass modern security solutions and successfully execute Authorized Push Payment (APP) scams, experts have warned.
A new report from security researchers Group-IB describes the new method as a “sophisticated threat that is quietly reshaping the digital fraud economy.”
Virtual Android devices are the latest evolution of digital and banking scams, and to understand them better, we need to take a few steps back.
Fighting back with fingerprints
A few years ago, social networks became a key pillar in the marketing efforts of all companies. Several organizations emerged offering “phone farms”: facilities with thousands of devices that could be rented and used to inflate followers, likes, shares, and other vanity metrics that used to determine an organization’s success.
Although this type of business operated in the “gray zone” (fake, but not overtly criminal), what followed was even more sinister: cybercriminals used these farms to trick people into sharing access to bank accounts and crypto wallets, and then emptied them completely.
The cybersecurity community has moved away from password-based authentication toward more advanced protection mechanisms. Banks, for example, began creating their own mobile applications that required device fingerprinting: information about the mobile phone such as device model, brand, hardware details, IP address, time zone, sensor data, and various behavioral signals.
This method proved to be more reliable and comprehensive, and established itself as a critical element in the fight against fake devices that take over people’s accounts. Banks, for example, could link an account to a device and detect fraud simply by checking if a device with a different operating system suddenly tries to make a payment.
Which brings us to today.
Virtual Android devices, or “cloud phones,” can be configured to mimic all the device fingerprints that current security systems rely on: not only IP addresses, but also hardware, device models, different sensors and more. To make matters even worse, criminals are “warming up” these phones: they record people’s banking credentials and make some small transactions to get the banks to lower their guard.
Modern problems require modern solutions
Group-IB says this sub-industry is already taking off: “Darknet marketplaces now include pre-warmed dropper accounts with clean device telemetry for Revolut and Wise priced at $50 to $200 each for a high-fraud utility,” the report reads. “As for Central Asia, on platforms like Telegram there are entire channels and groups where people can buy bank cards in any bank in Uzbekistan.”
The cat and mouse game between scammers and the security community continues, and now the ball is in the defenders’ court. The researchers said that a simple way to detect a cloud device is to look for other installed applications:
“Our team has also determined that, by default, many normal apps are absent on cloud devices, sometimes even those that are usually pre-installed on real devices. Scammers using cloud phones first install certain anonymization tools like VPN or proxy apps, or a single cloud device may have a suspiciously high number of banking or financial apps.”
There are also certain “anomalies” in behavioral patterns that can be used to identify cloud phones: a subtle discrepancy in the device’s IP address, time zone, and location, a phone whose battery is always at 100%, or a device that shows no motion during active sessions.
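The detection signals described above can be combined into a simple scoring check. The following is an added example, not code from Group-IB or from the article; the field names, thresholds and sample sessions are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical thresholds: tune against your own fleet's baseline.
MIN_STOCK_APPS = 5      # pre-installed apps expected on a real handset
MAX_FINANCE_APPS = 4    # banking/financial apps on one device
MIN_SAMPLES = 5         # readings needed before judging battery/motion
MOTION_EPSILON = 0.02   # accelerometer change treated as "no motion"
SUSPECT_AT = 3          # independent signals required to flag a session

@dataclass
class Session:
    stock_apps: int
    anonymizer_apps: int               # VPN or proxy apps
    finance_apps: int
    ip_country: str
    tz_country: str                    # country implied by the time zone
    gps_country: str
    samples: List[Tuple[int, float]]   # (battery %, accelerometer delta)

def cloud_phone_signals(s: Session) -> List[str]:
    hits = []
    if s.stock_apps < MIN_STOCK_APPS:
        hits.append("sparse_stock_apps")
    if s.anonymizer_apps > 0:
        hits.append("anonymizer_installed")
    if s.finance_apps > MAX_FINANCE_APPS:
        hits.append("many_finance_apps")
    if len({s.ip_country, s.tz_country, s.gps_country}) > 1:
        hits.append("ip_tz_location_mismatch")
    # A short session on a charger, lying on a desk, proves nothing.
    if len(s.samples) >= MIN_SAMPLES:
        if all(b == 100 for b, _ in s.samples):
            hits.append("battery_pinned_100")
        if all(m < MOTION_EPSILON for _, m in s.samples):
            hits.append("no_motion")
    return hits

def is_suspect(s: Session) -> bool:
    # No single anomaly is conclusive; require several to agree.
    return len(cloud_phone_signals(s)) >= SUSPECT_AT

# Constructed sample sessions, not real telemetry.
COMMUTER = Session(38, 1, 2, "NL", "DE", "DE",
                   [(81, 0.4), (80, 0.9), (80, 0.1), (79, 0.6), (79, 0.3)])
CLOUD = Session(2, 1, 9, "GB", "SG", "GB", [(100, 0.0)] * 8)

if __name__ == "__main__":
    for name, s in (("commuter", COMMUTER), ("cloud", CLOUD)):
        print(name, is_suspect(s), cloud_phone_signals(s))
```

The traveller on a VPN trips two signals and is not flagged, while the constructed cloud session trips all six; requiring several signals to agree keeps any one anomaly from blocking a legitimate customer.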





