Bypassing anti-fraud controls on PCs and laptops has evolved rapidly over the last two decades, but it is now the turn of smartphone users. Cybersecurity firm Resecurity reported a rise in threat actors’ use of specialized device spoofing tools for the Android mobile OS.
“These tools enable fraudsters to impersonate compromised account holders and bypass anti-fraud controls effectively. The emergence of adversarial mobile OS-based tools represents a new frontier in cybercriminal innovation,” says Resecurity in a report published earlier this year: Cybercriminals Evolve Antidetect Tooling For Mobile OS-Based Fraud.
The attackers’ initial focus is on Android-powered smartphones because of their dominant market share, although the turn of the iPhone is likely to follow soon. According to Statista, the Android operating system (OS) accounts for 70 percent of the smartphone market.
Resecurity reported a significant spike in threat actors’ interest in these tools during Q1 of 2023, with new products emerging on the Dark Web to satisfy growing market demand. The report’s researchers mined intelligence about these tools from various underground communities, including XSS (the top Russian cybercriminal forum on the Dark Web) and several private Telegram groups that offer vetted members access to specialized attack kits frequently used for online banking theft and fraud. These include antidetect browsers, device fingerprint emulators, and spoofers.
The devices themselves are surprisingly vulnerable in terms of cybersecurity. Each smartphone has a unique combination of hardware type, operating system (OS) version, software version, geolocation, screen size, language, etc., which constitutes its fingerprint. For as little as $700, threat actors use these attack kits to bypass the anti-fraud controls that banking websites, e-commerce portals, and other online marketplaces base on such fingerprints. Key features include antidetects such as Device ID changer, Android Faker, Cookie Import, and GPS Spoofing.
According to Resecurity, a group called Daddy Goose provides “a Swiss Army knife-like combination of tools and modified components to perpetrate online identity fraud,” with several similar offerings from other cybercriminal developers. Resecurity says that fraudsters can then combine these with other tools (including mobile malware, customized web injects, residential IP proxies, etc.) to attack mobile banking and payment services.
The damage that will be done to the reputation of mobile payment services is potentially huge. Banks that offer customers smartphone banking, and any service that is paid for online via a smartphone, are now vulnerable to a wide range of attacks. But ordinary users are not the only potential victims. Just as threat actors exploiting vulnerabilities in desktop systems use entry points to gain control of the organization’s systems, they will also start to use smartphones to inject ransomware into the IT systems of online financial institutions and retailers.