
Cloud Phones Are Turning Device Trust Into a Liability

By renting remote-access Android devices that mimic legitimate hardware and software conditions, criminals can make fraudulent accounts look steady and familiar.

Cloud phones are giving fraudsters a way to slip past one of banking’s most trusted defenses: the device itself.

Researchers at Group-IB say rented, remote-access Android devices running in data centers are being used to create and sell fraudulent dropper accounts that can preserve the same device fingerprint, telemetry and access environment even after control changes hands.

What makes the technique so troubling is how ordinary it can look. In a report released this week, Group-IB traces the shift from social media automation and emulator abuse to industrial-scale financial fraud built on cloud phone services that can cost as little as pennies an hour.

Unlike traditional emulators, these systems can present realistic hardware configurations, plausible system properties and valid identifiers, weakening the device-binding checks banks have long used to spot account takeovers and mule-account activity.

From Physical Farms to Spectral SaaS

The evolution of this phantom menace traces back to the less glamorous business of inflating social media metrics. At first, bad actors relied on physical phone farms made up of real devices connected through USB hubs to automate views, likes and account activity. From there, the market moved toward rented infrastructure. Why own the hardware when you can lease it on demand?

Today, cloud phone platforms offer that capability at low cost and at scale, turning what used to be a clunky fraud operation into something closer to a service model. Unlike older emulators, which often exposed themselves through odd hardware profiles, missing sensor data or other technical tells, cloud phones are much harder to distinguish from legitimate devices.

Group-IB notes that, for all practical purposes, these are real phones running genuine firmware, with natural sensor behavior and valid hardware attestation. They can also present consistent hardware identifiers, plausible sensor data, stable operating system versions and valid app integrity signals. That makes them much better suited to slipping past defenses built to catch static anomalies.

A Ghost with a Genuine Fingerprint

The real danger comes when that realism is paired with financial fraud.

The threat deepens when criminals open fraudulent “dropper” accounts on a cloud phone using stolen or synthetic identities. In some cases, victims are tricked into handing over banking credentials to fraudsters posing as bank employees or government officials so the criminals can complete the verification process on the cloud phone.

Once a bank verifies the account and binds it to that hardware footprint, the criminal can sell access to the entire cloud phone environment on the darknet. Group-IB says darknet markets now list pre-warmed dropper accounts with clean device telemetry for digital banking services such as Revolut and Wise for $50 to $200 each.

When a new actor takes over the purchased instance, the bank may see no change. “To the bank’s fraud detection system, it will appear to be the same device accessing the account that has always accessed it — same hardware fingerprint, same telemetry, same behavioral patterns,” the report says. That can mean no alert and no secondary verification.

Darknet Dealers and Digital Possession

That is what makes cloud phones more than just the next fraud tool. They undermine a control the financial industry has increasingly come to trust.

The financial damage is already substantial. Operating below the threshold of traditional detection, cloud phones helped drive a significant share of the 485.2 million pounds lost to authorized push payment, or APP, fraud in the United Kingdom in 2023. As Group-IB puts it, “Cloud phones solve the fraudster’s fundamental problem: how to conduct fraud at scale while presenting authentic device signals that defeat most modern detection systems.”

That is why conventional security tools built to catch static anomalies are struggling. The suspicious patterns often surface only in higher-level telemetry, the report says, including behavioral timing, network-locality mismatches, account-graph correlations and telecom signals.

The days of trusting a mobile transaction simply because it comes from a familiar device are over. Banks will need to look beyond hardware IDs and focus on behavior across sessions, networks and linked accounts if they want to catch fraudsters using cloud phones.

How to Defend Against Cloud Phones

  • Implement multilayer device intelligence: Move beyond static hardware identifiers by combining device fingerprinting with network intelligence and cross-session behavioral modeling.
  • Use graph-based risk modeling: Evaluate accounts as part of a wider cluster, not as isolated events, to spot shared infrastructure-level signals.
  • Watch the app environment: Unusual setups can be revealing, including low app diversity, high concentrations of financial apps or anonymization tools such as VPNs and proxies.
  • Keep detection logic current: Cloud infrastructure changes quickly. Fraud controls must evolve just as fast to keep up with new VMI and cloud phone services.
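
The graph-based and app-environment checks from the list above, sketched as an added example (not code from Group-IB's report or this article): accounts are linked into clusters when they share a subnet or payee, and a cluster is flagged when it sits entirely on hosting-provider networks and most of its devices show the unusual app setups described. The field names, the payee link and every threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample sessions; field names, the payee link and thresholds are assumptions.
# Columns: account, subnet, hosting-provider network?, payee, installed apps, finance apps, VPN/proxy?
ROWS = [
    ("A1", "203.0.113.0/24", True, "P-77", 9, 6, True),
    ("A2", "203.0.113.0/24", True, "P-12", 8, 5, False),
    ("A3", "192.0.2.0/24", True, "P-12", 11, 7, True),  # tied to A2 only through the payee
    ("B1", "198.51.100.0/24", False, "P-40", 74, 3, False),
    ("B2", "198.51.100.0/24", False, "P-41", 58, 2, True),
]
KEYS = ("account", "subnet", "hosting", "payee", "apps", "finance_apps", "vpn")
SESSIONS = [dict(zip(KEYS, r)) for r in ROWS]

def app_env_flags(s, min_apps=20, max_finance_ratio=0.3):
    """App-environment signals for one device: low diversity, finance-heavy, anonymizer."""
    checks = {
        "low_app_diversity": s["apps"] < min_apps,
        "finance_app_concentration": s["finance_apps"] / max(s["apps"], 1) > max_finance_ratio,
        "anonymization_tool": s["vpn"],
    }
    return [name for name, hit in checks.items() if hit]

def account_clusters(sessions, link_fields=("subnet", "payee")):
    """Connected components: accounts are linked when they share any link_fields value."""
    parent = {s["account"]: s["account"] for s in sessions}
    def find(a):
        while parent[a] != a:
            a = parent[a]
        return a
    first_seen = {}
    for s in sessions:
        for f in link_fields:
            other = first_seen.setdefault((f, s[f]), s["account"])
            parent[find(s["account"])] = find(other)  # union the two components
    groups = defaultdict(list)
    for s in sessions:
        groups[find(s["account"])].append(s)
    return list(groups.values())

def risky_clusters(sessions, min_size=3, min_flagged=0.6):
    """Clusters on hosting networks where most members have an unusual app environment."""
    out = []
    for members in account_clusters(sessions):
        flagged = sum(len(app_env_flags(m)) >= 2 for m in members) / len(members)
        hosted = all(m["hosting"] for m in members)
        if len(members) >= min_size and hosted and flagged >= min_flagged:
            out.append(sorted(m["account"] for m in members))
    return out
```

On the sample data, A3 sits on a different subnet from A1 and A2 and only joins their cluster through the shared payee, which is the linkage a per-account check would miss.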

(Lisa Vaas is a seasoned freelance journalist and content marketing professional with over 25 years of experience writing about technology, cybersecurity, careers, science, and health. She can be reached at LisaVaas@lisavaas.com, lisavaas@securitypointbreak.com, or via LinkedIn.)
