Device spoofing: a sign of serious mobile app security threats

The increase in global smartphone ownership and the ease with which people can carry out everyday tasks in the palm of their hands is impressive, to say the least. From making financial transactions, making mCommerce payments, and organizing local and international travel, to simple pleasures such as online gaming.

A true success of modern technological capabilities. It’s easy to believe that with such progress in the space of a few decades, the security protocols that run unseen in the background would keep the mobile environment safe and free from cybercriminals, correct?

Yes and no. Although considered safer than desktops, mobile app security threats are a very real prospect that mCommerce merchants and financial institutions need to take seriously. In this blog post, we focus on understanding device spoofing for the simple reason it can provide signs of some very suspicious user behaviors that are indicative of serious criminal activities.

What is device spoofing?

Put simply, device spoofing involves taking steps to make it appear as though a user (in this case, a fraudster) resembles a regular mobile user. They will first attempt to have a user install malware through phishing and/or SMiShing attempts to gain valuable information from the user's online accounts and also unique device information - this is one way of succeeding in account takeover (ATO). The fraudster will then imitate a user’s mobile device in an attempt to bypass fraud detection and fool merchants in what is essentially an attempt to throw them off the scent as they carry out their fraudulent activities.

Device spoofing attempts to alter the user’s digital fingerprints - the aim of the game, as always, is for fraudsters to mask their true identities, intentions, and device setups. There are many digital fingerprints that can be changed (we analyze thousands of pieces of data to uncover spoofing attempts). Some of the most common irregular behaviors include altering the appearance of using a real smartphone or tablet. Device spoofing alone is not enough to mask identity, therefore other digital fingerprints such as GPS location, timezone data, IP addresses etc. also need to be altered. But how is device spoofing performed?

Device spoofing attempts using emulators

As touched upon, steps at altering digital fingerprints can involve some fairly basic steps. An average mobile device user, for instance, may use a VPN (virtual private network), and in itself, this is not deemed suspicious but more as an individual attempting to maintain a level of privacy and security. Things become suspicious when a user deploys a whole batch of spoofing techniques. The individual techniques sound simple enough, but the level of detail is often surprising, and the determination to hide unique identifying details can indicate fraudulent intentions. But let's look specifically at device spoofing and how it is performed.

Emulators are used legitimately by developers to test Android and iOS apps, which need to mimic the mobile environment for which they are building an app. This allows developers to verify apps and features are running properly while working on a desktop computer without having to buy hundreds of mobile devices in order to verify the app works without glitches. This ability to run numerous mobile environments at once caught the attention of fraudsters. Using emulators, they can spoof a device’s make and model ID, but can go into much more sophisticated settings such as changing the graphics card info, CPU processor, IMEI, unique Android and/or Apple ID and change the version of the operating system. And they can emulate hundreds, even thousands of mobile devices at a time, creating mobile emulator farms. A regular mobile user would never need to take such steps unless they had some potential fraudulent intent.

With device spoofing, fraudsters will use unique information from compromised mobile devices (as mentioned previously, obtained using phishing attacks) in order to appear natural. But this alone is not enough, as they will also attempt to mask their true GPS location [applicable to iOS] and IP addresses, especially if they are located in a country or region that is known to be a hotspot for fraud. Spoofing true location will allow fraudsters to bypass any restrictions imposed by merchants or financial institutions that have blocked certain geo locations due to being a risky point of origin for high-value (or high volume) fraud attempts. The same applies to timezone data, which is required to be changed in order to match the location of a genuine user’s account and their device's operating system. For example, a fraudster in Europe who has performed a successful account takeover (ATO) of a user in the United States will need to match their location/timezone settings in order to appear as much like the original account holder as possible.

Why is device spoofing detection so important?

With fraud systems becoming more attuned to the threats posed in the online environment, to successfully attack them directly would require a high level of technical skill, knowledge, and manpower (or bots). This can be very time-consuming and may not succeed. Most fraudsters choose to follow the path of least resistance - aiming to bypass fraud detection systems. One of the best ways to do this is by acting as much as a normal user as possible after a successful ATO or having purchased stolen credit card details from a dark web marketplace. Of course, to prevent suspicion, fraudsters need to hide their identities and digital fingerprints, which is where device spoofing comes in. With the advancement of fraud tools and the ease with which they can be found and purchased in dark web marketplaces, it has become easier than ever to perform spoofing and mask digital fingerprints.

With the use of mobile devices for global m-commerce and financial transactions set to increase, merchants and financial institutions need to take mobile app security threats seriously. Firstly, the sheer volume of transactions that are currently being performed act to mask the few bad apples that are hiding in an ocean of trustworthy users. Fraudsters see this as an opportunity to continue what they are doing with an increased chance of success, especially if individual users are not fully aware of the dangers of online fraud, nor if merchants or institutions use ineffective rules-based fraud management systems that can easily be spoofed.

The very real effects of device spoofing attempt to mask the fact that a genuine user’s e-commerce or digital banking app has been compromised. This means that either ATO, identity theft, or stolen credit card information is what’s truly being covered up by spoofing and not just the identity and location of a fraudster. The negative effects of this can be repeated huge financial losses, especially if a company or institution is known among dark web fraudsters to have ineffective fraud management in place, making them a popular target.

Users of such services tend to trust that mobile app security threats are minimal, but if they become victims, they may tend to blame the company for any financial losses they suffered. Financial losses through theft, loss of customer trust, loss of custom, and loss of revenue. There is a lot to lose if spoofing and general fraudulent activities are not effectively detected and prevented.

How to detect device spoofing attempts to prevent mobile app security threats

If you’ve read this far and are perhaps worried that the level of sophistication of mobile app fraud attacks is on the increase, then you should also feel relieved that the response to the threats exists - it is advanced and effective at preventing fraud. Understanding digital fingerprinting and device spoofing attempts are a key feature of modern fraud detection and prevention.

For example, Mangopay’s advanced solution analyses thousands of digital fingerprints automatically, passively, and in real time. The advanced capabilities are powered by artificial intelligence and machine learning (ML) models that can identify spoofing attempts; the fraud solution goes further by analyzing behavioral biometrics to understand how the user is interacting with their device and the app service. Analyzing digital fingerprints and behaviors together paints an overall picture that can weed out fraudsters with a high level of certainty that their intentions are indicative of fraud.

The good news for e-commerce and m-commerce merchants and mobile banking providers is that all this analysis is performed completely unnoticed by regular users of a service without any negative effects on the customer experience. All the signs for detection and prevention of spoofing are clearly visible, but only artificial intelligence and ML models-powered fraud solutions are fully effective at pointing you in the right direction.

Keep up with fraudsters’ tactics while protecting your good users! Get in touch with us to learn how.