Scammers Using Virtual Smartphones To Slip Past Fraud Checks
Fraudsters are increasingly using rentable “cloud phones” that look and behave like real smartphones, creating a new problem for banks, fintechs and businesses that have come to trust the device in a customer’s hand.
Now Using Cloud Phones
According to a recent report by security firm Group-IB, a growing number of scammers are no longer relying on crude emulators or racks of physical handsets to run fraud at scale. Instead, they are turning to cloud phones, effectively remote Android devices running in datacentres, which can be rented cheaply and accessed over the internet.
These services are marketed as legitimate tools for developers, marketers or businesses managing multiple accounts but, in practice, it seems they are also now being widely abused. As the report explains, “what began as a simple scheme to inflate social media metrics has evolved into a sophisticated threat that is quietly reshaping the economics of digital fraud.”
This matters because many fraud controls were built around the idea that fake devices tend to look fake. For example, emulators often leak obvious signs, such as unusual hardware configurations, missing sensor data or other artefacts that security teams know how to spot.
Cloud phones, however, don’t give off these more obvious signals. As Group-IB says, they are “for all intents and purposes… real phones, running genuine firmware, exhibiting natural sensor behavior, and presenting valid hardware attestation.” In other words, they are designed to look authentic at the technical level.
Why They Are So Hard To Detect
Fraud detection systems have traditionally relied on identifying unusual devices, spotting changes in device identity, or flagging suspicious technical signals, all of which have proven effective against earlier generations of emulators and virtual environments.
Cloud phones, however, are designed to avoid exactly those signals by maintaining consistent device characteristics over time while presenting realistic hardware identifiers, software environments and behavioural patterns that closely resemble those of genuine smartphones.
The report highlights that “what makes this threat unlike any other is its invisibility,” noting that activity from these devices can “appear indistinguishable from a legitimate device” to existing detection systems.
Each cloud phone instance can have its own device ID, IP address, geolocation and system profile. Unlike traditional emulators, which often expose tell-tale inconsistencies, these environments are engineered to behave like genuine smartphones over time.
It’s this consistency that’s critical because it allows a device to build up a trusted history, which can then be exploited for fraud without triggering alerts designed to detect sudden changes.
How The Fraud Works In Practice
Group-IB’s report traces how this technology has moved from social media manipulation into financial crime. One of the most significant use cases is the creation and operation of so-called ‘dropper’ or ‘mule accounts’, which are accounts used to receive and move stolen funds.
For example, it seems that fraudsters can open or verify accounts using a cloud phone, then continue to access those accounts from the same virtual device. In some cases, access to both the account and the associated cloud phone instance can be sold on to other criminals.
As Group-IB explains, this gives fraudsters a powerful advantage because the same device signals are preserved throughout: to a fraud system, it looks like “the same device accessing the account that has always accessed it”. Once again, it is the consistency that does the work.
From a fraud detection perspective, that removes one of the key triggers for additional checks, i.e., there’s no obvious device change, no sudden shift in behaviour, and no immediate reason to challenge the transaction.
The Scale Of The Problem
This development comes at a time when authorised push payment fraud (where victims are tricked into sending money directly to a scammer, often through social engineering) is already a major issue. For example, in the UK alone, losses reached £485.2 million in 2023, with mule accounts playing a central role in moving stolen funds.
Cloud phones make these accounts easier to create, operate and scale. Group-IB says they have enabled “industrial-scale financial fraud” by lowering the cost and complexity of maintaining large numbers of apparently legitimate devices.
It seems that using cloud phones also gives fraudsters an extra economic advantage. Instead of investing in physical phone farms, fraudsters can now rent infrastructure on demand, making it accessible to a wider range of actors with relatively low upfront cost.
Why This Challenges Existing Security Models
For years, device fingerprinting has been a reliable layer in fraud prevention. If an account is accessed from a new or suspicious device, that can trigger step-up authentication or block the transaction.
Cloud phones weaken that model because the device itself is no longer a strong signal of trust if it can be rented, replicated and transferred between users while maintaining a consistent identity.
This doesn’t mean existing controls are obsolete, but it does mean they are no longer sufficient on their own. Group-IB’s report argues that detection must, therefore, move beyond simple device checks and towards a more layered approach.
Group-IB concludes that fraud prevention needs “device-environment correlation, infrastructure-level visibility, behavioral modeling, and graph-based analytics” to identify patterns that individual device checks may miss.
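To make the graph-based idea concrete, here is an added sketch (not code from Group-IB or its report) that links accounts through a shared hosting network or a shared payee and flags the resulting clusters, alongside the classic device-change check that stays silent on the same data. The session records, field layout, `network_type` label and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sessions: (account, device_id, asn, network_type, payee).
# network_type is an assumed enrichment from an IP-intelligence feed.
SESSIONS = [
    ("A1", "d-01", "AS64496", "hosting", "P9"),
    ("A1", "d-01", "AS64496", "hosting", "P9"),
    ("A2", "d-02", "AS64496", "hosting", "P9"),
    ("A3", "d-03", "AS64497", "hosting", "P9"),
    ("A4", "d-04", "AS64496", "hosting", "P7"),
    ("B1", "d-10", "AS64498", "residential", "P3"),
    ("B2", "d-11", "AS64499", "residential", "P3"),
    ("C1", "d-20", "AS64500", "residential", "P5"),
]

def device_change_alerts(sessions):
    """Classic per-device check: accounts seen on more than one device."""
    devices = defaultdict(set)
    for account, device_id, *_ in sessions:
        devices[account].add(device_id)
    return sorted(a for a, d in devices.items() if len(d) > 1)

def suspicious_clusters(sessions, min_size=3, min_hosting_ratio=0.5):
    """Group accounts linked by a shared hosting ASN or payee (union-find),
    then keep large groups that mostly connect from datacentre networks."""
    parent, hosted, shared = {}, set(), defaultdict(set)

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for account, _dev, asn, net, payee in sessions:
        find(account)
        shared[("payee", payee)].add(account)
        if net == "hosting":
            hosted.add(account)
            shared[("asn", asn)].add(account)
    for accounts in shared.values():
        first, *rest = sorted(accounts)
        for other in rest:
            parent[find(other)] = find(first)

    groups = defaultdict(set)
    for account in parent:
        groups[find(account)].add(account)
    return sorted(
        sorted(g) for g in groups.values()
        if len(g) >= min_size and len(g & hosted) / len(g) >= min_hosting_ratio
    )
```

On this sample, every account keeps one stable device, so the device-change check raises nothing, while the four accounts tied together by datacentre networks and a common payee surface as a single cluster. The two residential customers who happen to pay the same payee are left alone.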
What Does This Mean For Your Business?
For financial institutions, the message from this report is clear. A device that looks genuine can no longer be treated as strong evidence that the activity behind it is genuine too. Fraud detection will need to focus more on behaviour, context and relationships between accounts rather than relying heavily on device identity alone.
For other businesses, particularly those using mobile apps for onboarding, payments or identity verification, this is a warning that mobile trust models are becoming more complex. Controls that once worked well may now need to be reassessed.
There is also a broader operational implication. As fraud infrastructure becomes easier to rent and scale, the barrier to entry for sophisticated attacks is lowering. That increases the likelihood that smaller organisations, not just major banks, will encounter more advanced fraud techniques.
This represents a clear change in how fraud is delivered, as the fraudster no longer needs to manage large numbers of physical devices and can instead access a virtual environment that behaves like a real smartphone and is designed to pass as one.
Taken together, this research suggests that the balance of trust is changing: the device in the user’s hand, or at least what appears to be that device, is no longer something businesses can rely on without question.