31 March 2022
Put simply, device spoofing involves taking steps to make a user (in this case, a fraudster) appear to be a regular mobile user. Fraudsters will first attempt to have a user install malware through phishing and/or SMiShing in order to gain valuable information from the user’s online accounts, along with unique device information - this is one route to a successful account takeover (ATO). The fraudster will then imitate the user’s mobile device in an attempt to bypass fraud detection and fool merchants, essentially throwing them off the scent while the fraudulent activity is carried out.
Device spoofing attempts to alter the user’s digital fingerprints - the aim of the game, as always, is for fraudsters to mask their true identities, intentions and device setups. There are many digital fingerprints that can be changed (we analyse thousands of pieces of data to uncover spoofing attempts). Some of the most common irregular behaviours involve faking the appearance of a real smartphone or tablet being used. Device spoofing alone is not enough to mask identity, so other digital fingerprints such as GPS location, timezone data and IP addresses also need to be altered. But how is device spoofing performed?
As touched upon, altering digital fingerprints can involve some fairly basic steps. An average mobile device user, for instance, may use a VPN (virtual private network); in itself this is not deemed suspicious, but rather a sign of an individual attempting to maintain a level of privacy and security. Where things become suspicious is when a user deploys a whole batch of spoofing techniques. The individual techniques sound simple enough, but the level of detail is often surprising, and the determination to hide unique identifying details can indicate fraudulent intentions. But let's look specifically at device spoofing and how it is performed.
- Emulators - used legitimately by developers who test Android and iOS apps and need to mimic the mobile environment for which they are building an app. This allows developers to verify that apps and features run properly while working on a desktop computer, without having to buy hundreds of mobile devices to check that the app works without glitches. This ability to run numerous mobile environments at once caught the attention of fraudsters. Using emulators, they can spoof a device’s make and model ID, and can go on to change much more sophisticated settings such as the graphics card info, CPU, IMEI, unique Android and/or Apple ID and the version of the operating system. They can also emulate hundreds, even thousands, of mobile devices at a time, creating mobile emulator farms. A regular mobile user would never need to take such steps unless they had some potential fraudulent intent.
With device spoofing, fraudsters will use unique information from compromised mobile devices (as mentioned previously, obtained using phishing attacks) in order to appear natural. But this alone is not enough, as they will also attempt to mask their true GPS location [applicable to iOS] and IP addresses, especially if they are located in a country or region that is known to be a hotspot for fraud. Spoofing their true location allows fraudsters to bypass restrictions imposed by merchants or financial institutions that have blocked certain geolocations for being a risky point of origin for high-value (or high-volume) fraud attempts. The same applies to timezone data, which must be changed to match the location of the genuine user’s account and their device's operating system. For example, a fraudster in Europe who has performed a successful account takeover (ATO) of a user in the United States will need to match that user's location/timezone settings in order to appear as much like the original account holder as possible.
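The point made above, that a VPN on its own is not suspicious but a whole batch of spoofing signals is, can be shown as a small consistency check. This is an added example, not Nethone's code or model: the session field names, thresholds and sample traffic are constructed for illustration, and the marker strings are those reported by stock Android emulator images.

```python
from collections import defaultdict

# Hardware/model substrings reported by stock Android emulator images.
EMULATOR_MARKERS = ("goldfish", "ranchu", "sdk_gphone", "android sdk built for")
# Constructed timezone-to-country table; a real check would use a full tz database.
TZ_COUNTRY = {"America/New_York": "US", "Europe/Warsaw": "PL", "Europe/Berlin": "DE"}
MAX_DEVICES_PER_IP = 5   # assumed threshold
REVIEW_AT = 2            # assumed: one indicator alone (e.g. a VPN) is not enough

def indicators(session, devices_per_ip):
    """Return the independent spoofing indicators present in one session."""
    hits = []
    hw = f"{session['hardware']} {session['model']}".lower()
    if any(marker in hw for marker in EMULATOR_MARKERS):
        hits.append("emulator_hardware")
    if session["ip_is_vpn"]:
        hits.append("vpn_or_proxy")
    # Timezone and GPS are both device-side, so a VPN does not explain a mismatch.
    tz_country = TZ_COUNTRY.get(session["timezone"])
    gps_country = session.get("gps_country")
    if tz_country and gps_country and tz_country != gps_country:
        hits.append("timezone_gps_mismatch")
    if len(devices_per_ip[session["ip"]]) > MAX_DEVICES_PER_IP:
        hits.append("many_devices_one_ip")
    return hits

def assess(sessions):
    """Map each session id to (verdict, indicators)."""
    devices_per_ip = defaultdict(set)
    for s in sessions:
        devices_per_ip[s["ip"]].add(s["device_id"])
    result = {}
    for s in sessions:
        hits = indicators(s, devices_per_ip)
        result[s["id"]] = ("review" if len(hits) >= REVIEW_AT else "normal", hits)
    return result

def _session(sid, ip, device_id, hardware="qcom", model="Pixel 6", vpn=False,
             tz="America/New_York", gps="US"):
    return {"id": sid, "ip": ip, "device_id": device_id, "hardware": hardware,
            "model": model, "ip_is_vpn": vpn, "timezone": tz, "gps_country": gps}

# Constructed sample traffic: a regular user, a VPN user, six emulated devices on one IP.
SAMPLE = [_session("regular", "198.51.100.7", "dev-a"),
          _session("vpn-user", "203.0.113.9", "dev-b", vpn=True)]
SAMPLE += [_session(f"farm-{i}", "192.0.2.44", f"emu-{i}", hardware="ranchu",
                    model="sdk_gphone_x86", vpn=True, gps="PL") for i in range(6)]

if __name__ == "__main__":
    for sid, (verdict, hits) in assess(SAMPLE).items():
        print(sid, verdict, hits)
```

The VPN-only session stays "normal" with a single indicator, while each emulated session is sent to review because several independent indicators coincide.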
With fraud systems becoming more attuned to the threats posed in the online environment, successfully attacking them directly would require a high level of technical skill, knowledge and manpower (or bots). This can be very time consuming and may not succeed. Most fraudsters choose to follow the path of least resistance - aiming to bypass fraud detection systems. One of the best ways to do this is by acting as much like a normal user as possible after a successful ATO or after purchasing stolen credit card details from a dark web marketplace. Of course, to prevent suspicion, fraudsters need to hide their identities and digital fingerprints, which is where device spoofing comes in. With the professionalisation of fraud tools, and the ease with which they can be found and purchased in dark web marketplaces, it has become easier than ever to perform spoofing and mask digital fingerprints.
With the use of mobile devices for global mCommerce and financial transactions set to increase, merchants and financial institutions need to take mobile app security threats seriously. Firstly, the sheer volume of transactions currently being performed acts to mask the few bad apples hiding in an ocean of trustworthy users. Fraudsters see this as an opportunity to continue what they are doing with an increased chance of success, especially if individual users are not fully aware of the dangers of online fraud, or if merchants or institutions use ineffective rule-based fraud management systems that can easily be spoofed.
The very real effect of device spoofing is to mask the fact that a genuine user’s mCommerce or digital banking app has been compromised. This means that ATO, identity theft or stolen credit card information is what’s truly being covered up by spoofing, and not just the identity and location of a fraudster. The negative effects can be repeated, huge financial losses, especially if a company or institution is known among dark web fraudsters to have ineffective fraud management in place, making it a popular target. Users of such services tend to trust that mobile app security threats are minimal, but if they become a victim, they may blame the company for any financial losses they suffer. Financial losses through theft, loss of customer trust, loss of custom and loss of revenue growth: there is a lot to lose if spoofing and general fraudulent activities are not effectively detected and prevented.
If you’ve read this far and are perhaps worried that the level of sophistication of mobile app fraud attacks is on the increase, then you should also feel relieved that a response to these threats exists - it is advanced and effective at preventing fraud. Understanding digital fingerprinting and device spoofing attempts is a key feature of modern fraud detection and prevention. For example, Nethone’s advanced solution analyses 5,000+ digital fingerprints automatically, passively and in real time. The advanced capabilities are powered by artificial intelligence and machine learning (ML) models that can identify spoofing attempts; the fraud solution goes further by analysing behavioural biometrics to understand how the user is interacting with their device and the app service. Analysing digital fingerprints and behaviours together paints an overall picture that can weed out fraudsters with a high level of certainty that their intentions are indicative of fraud. The good news for eCommerce and mCommerce merchants and mobile banking providers is that all this analysis is performed completely unnoticed by regular users of a service, without any negative effects on the customer experience. All the signs for detection and prevention of spoofing are clearly visible, but only fraud solutions powered by artificial intelligence and ML models are fully effective at pointing you in the right direction.