'A sophisticated threat that is quietly reshaping the economics of digital fraud': How hackers are employing virtual cloud phones to power major scams


  • Group-IB warns criminals using virtual Android “cloud phones” for APP scams
  • Devices mimic real fingerprints, bypassing bank security and enabling fraud
  • Darknet markets sell pre-warmed accounts; anomalies in apps, IP, and behavior can help detect them

Criminals have started using virtual Android devices to bypass modern security solutions and successfully run Authorized Push Payment (APP) scams, experts have warned.

A new report from security researchers Group-IB has described the new method as a “sophisticated threat that is quietly reshaping the economics of digital fraud.”

Virtual Android devices are the latest evolution of digital and banking scams and, in order to best understand them, we need to take a few steps back.


Fighting back with fingerprinting

A few years ago, social media became a key pillar of every business’s marketing efforts. Various organizations emerged offering “phone farms” - facilities with thousands of devices that could be rented and used to inflate follower counts, likes, shares, and the other vanity metrics that were used to judge the success of an organization.

Even though this type of business operated in a “grey zone” (disingenuous, but not outright criminal), what followed was far more sinister - cybercriminals using these farms to trick people into sharing access to their bank accounts and crypto wallets, and then emptying them entirely.

The cybersecurity community pushed back, moving from password-based authentication to more advanced protection mechanisms. Banks, for example, started building their own mobile apps that relied on device fingerprinting - information about the phone such as device model, brand, hardware details, IP address, time zone, sensor data, and various behavioral signals.

This method proved to be more reliable and comprehensive, and established itself as a critical element in fighting fake devices taking over people’s accounts. Banks, for example, could tie an account to a device and spot fraud simply by checking if a device with a different operating system suddenly tried to make a payment.

Which brings us to today.

Virtual Android devices, or “cloud phones”, can be set up to mimic all of the device fingerprints today’s security systems rely on: not just IP addresses, but also hardware, device models, sensor readings, and more. To make matters worse, criminals are “pre-warming” these phones - registering people’s banking credentials on them and making a few small transactions so that the device looks established and the bank lowers its guard.

Modern problems require modern solutions

Cloud phones' battery is always at 100% (Image credit: Future)

Group-IB says this sub-industry is already taking off: “Darknet markets now list pre-warmed dropper accounts with clean device telemetry for Revolut and Wise priced at $50–200 each for high-fraud utility,” the report reads. “Concerning Central Asia, there are whole channels and groups on platforms like Telegram where people can buy bank cards from any bank in Uzbekistan.”

The cat-and-mouse game between fraudsters and the security community continues, and the ball is now in the defenders’ court. The researchers said that one simple way to spot a cloud device is to check which other applications are installed on it:

“Our team has also determined that by default, many normal applications are absent in cloud devices, sometimes, even those that are usually pre-installed in real devices. Fraudsters using cloud phones first install certain anonymization tools such as VPNs, or proxy applications or a single cloud device can have suspiciously high numbers of banking or financial applications.”

There are also certain “anomalies” in behavioral patterns that can be used to identify cloud phones - a subtle mismatch between the device’s IP address, time zone, and location; a phone whose battery is always at 100%; or a device that shows no movement at all during active sessions.
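The app-inventory and behavioral checks described above, turned into a small triage heuristic over constructed session telemetry. This is an added example written for this article, not code from Group-IB; the package names, the expected pre-installed set, the banking-app threshold and the "two or more flags" rule are illustrative assumptions, not values from the report.

```python
"""Heuristic cloud-phone triage over device telemetry (added example)."""
from dataclasses import dataclass

# Assumed, illustrative values: a real deployment would derive these from its own fleet data.
EXPECTED_PREINSTALLED = {"com.android.chrome", "com.google.android.gms", "com.android.vending"}
ANONYMIZER_HINTS = ("vpn", "proxy", "tunnel")   # substrings hinting at anonymization tools
MAX_BANKING_APPS = 3                            # more than this on one device is suspicious


@dataclass
class SessionTelemetry:
    installed_packages: list    # package names reported by the banking app's SDK
    banking_packages: list      # subset recognised as banking / fintech apps
    device_tz: str              # time zone reported by the device
    ip_tz: str                  # time zone geolocated from the session IP
    battery_samples: list       # battery % sampled during the session
    accel_variance: float       # variance of accelerometer readings (0.0 = no movement)


def cloud_phone_flags(t: SessionTelemetry) -> list:
    """Return the names of every anomaly from the article that this session exhibits."""
    flags = []
    if not EXPECTED_PREINSTALLED.issubset(t.installed_packages):
        flags.append("missing_preinstalled_apps")
    if any(h in p.lower() for p in t.installed_packages for h in ANONYMIZER_HINTS):
        flags.append("anonymizer_app_present")
    if len(t.banking_packages) > MAX_BANKING_APPS:
        flags.append("too_many_banking_apps")
    if t.device_tz != t.ip_tz:
        flags.append("tz_ip_mismatch")
    if t.battery_samples and all(b == 100 for b in t.battery_samples):
        flags.append("battery_always_full")
    if t.accel_variance == 0.0:
        flags.append("no_movement")
    return flags


def triage(t: SessionTelemetry) -> str:
    """Any single signal can be benign; two or more together sends the session to review."""
    return "review" if len(cloud_phone_flags(t)) >= 2 else "allow"


# Constructed samples: a plausible handset and a suspicious cloud device.
REAL = SessionTelemetry(
    installed_packages=["com.android.chrome", "com.google.android.gms",
                        "com.android.vending", "com.whatsapp", "com.example.bank"],
    banking_packages=["com.example.bank"], device_tz="Europe/Sarajevo",
    ip_tz="Europe/Sarajevo", battery_samples=[87, 85, 84], accel_variance=0.42)
CLOUD = SessionTelemetry(
    installed_packages=["com.example.fastvpn", "com.example.bank1", "com.example.bank2",
                        "com.example.bank3", "com.example.bank4"],
    banking_packages=["com.example.bank1", "com.example.bank2", "com.example.bank3",
                      "com.example.bank4"], device_tz="Asia/Tashkent",
    ip_tz="Europe/Amsterdam", battery_samples=[100, 100, 100], accel_variance=0.0)
```

The output is a list of flag names per session so that the same signals can be logged and correlated across accounts, which is where a pre-warmed dropper account tends to stand out.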


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
