Threat Actors Customizing Tools for Mobile OS-Based Fraud
Mobile Android OS Device Spoofing Tools Spotted in Russian Cybercriminal Forum
Threat actors are using dedicated mobile Android device spoofing tools to defraud customers of online banking, payment systems, advertising networks and online marketplaces globally.
Researchers at Resecurity observed cybercriminals innovating their tactics by employing tools that impersonate compromised account holders and bypass anti-fraud controls.
With these tools, attackers replay stolen cookie files, imitate fine-grained device identifiers and reproduce the victim's own network settings, so that a hijacked session looks to the target site as if it originated from the account holder's device.
"While desktop-based antidetect browsers have been used by threat actors since at least 2014 to get around account bans and otherwise manipulate systems, the emergence of adversarial mobile OS-based tools represents a new frontier in cybercriminal innovation," researchers said.
Since the start of this year, researchers have noticed a significant spike in interest from threat actors seeking this type of tool and the emergence of new products on the dark web to satisfy market demand.
The mobile Android OS device spoofing tools were spotted in various underground communities, including XSS, a Russian cybercriminal forum on the dark web. The researchers also found private Telegram groups that give members access to specialized attack kits.
Some of the tools sold on these platforms include antidetect browsers, device fingerprint emulators and spoofers. These tools help threat actors bypass anti-fraud controls based on fingerprints on banking websites, e-commerce portals and other online marketplaces.
Researchers observed a threat actor named Daddy Goose offering a "Swiss Army knife-like" combination of tools and modified components for online identity fraud, including a cookie manager, a location spoofer and a device fingerprint changer. Daddy Goose charged $700 for a mobile antidetect browser.
How Antidetect Browsers Work
Antidetect browsers enable threat actors to manipulate "data parameters that anti-fraud solutions scrape from the client side to fingerprint devices and authenticate the customer's identity." These parameters include hardware type, operating system and browser/software-related identities.
The researchers also observed that threat actors are exploiting tools such as GoLogin to spoof fingerprints on desktop and mobile devices for malicious purposes.
The new antidetects on the dark web can spoof mobile device fingerprints as well as the other software and network parameters that anti-fraud systems typically analyze. Researchers assessed that these mobile antidetect kits are built for devices sold by OnePlus and Xiaomi Redmi.
"The growing adoption of these tools dovetails with the explosion of mobile malware, with at least 200,000 new malicious variants discovered last year," the researchers said.
They said antidetects let fraudsters circumvent weak fraud controls meant to protect users who perform banking and other financial transactions from their smartphones.
Other mobile malware strains, such as TimpDoor and Clientor, let threat actors turn the infected device into a proxy server, so scammers reach the victim's online banking accounts from the victim's own IP address and sidestep IP reputation and geolocation checks.
They also let scammers set up a virtual network computing (VNC) connection with full remote control of the victim's device.