A new report reveals cybercriminals are increasingly targeting mobile channels to commit fraud using a variety of device modifications to avoid detection. The researchers found increased use of jailbroken or rooted devices to automate malicious activities such as registration of multiple accounts for spamming, or use of emulators to run multiple accounts on the same device.
90% of mobile fraud originated from Android devices, mostly running older operating system versions of over six years old. The use of old ecommerce apps on iOS jailbroken devices was also a common method for targeting ecommerce sites. The researchers made their findings after processing over 76 billion mobile events from 1.3 million users, using over 2.1 million device types.
Online traffic and fraud sources
The report found that mobile apps accounted for 75% of the traffic, while mobile web and desktop web accounted for 12% and 13%, respectively. However, mobile web had more fraud rates (26%) compared to mobile app traffic that accounted for only 1% of fraud. Desktop web traffic remained the largest source of online fraud rate of 34%.
90% of mobile fraud originates from Android devices
The report by DataVisor revealed that 90% of mobile fraud originates from Android mobile phones. The reason is that Android is an open-source platform, and malicious actors have low-level access to the system. Consequently, they can add new system features as well as make system changes that other closed systems do not allow.
Additionally, the Android platform has more apps, many of which promise to provide automation and productivity for Android users. Such apps request elevated permissions, making them good candidates for committing mobile fraud.
Similarly, many OS versions available for Android due to lack of a centralized update management system allows fraudsters to target devices running an older version of Android. Older smartphones are more vulnerable because they lack security fixes and security controls available in newer devices.
Jailbroken and rooted smartphones are 22 times more active than intact devices
DataVisor report showed that jailbroken iOS and rooted Android devices generated more activity compared to non-jailbroken phones. The researchers suggested that criminals involved in mobile fraud were actively using jailbroken mobile phones to automate fraudulent activities.
According to the researchers, only 0.16% of Android devices were rooted, while 0.14% of iOS devices were jailbroken. However, the small percent of unlocked devices had higher traffic rates compared to intact devices.
Fraudsters preferred jailbroken devices because they allow them to create multiple unique accounts on the devices using third-party emulators. Using this method, the attackers could carry out several attacks using the same device.
Social media attacks using emulators and user-agent spoofing
DataVisor report found that most social media attacks were coordinated and used emulators and spoofed user-agents. One method involves the creation of multiple social media accounts on the same device to send spam messages.
The researchers found such accounts shared the same IP subnet and used the same template for spam messages. The attackers used different domains, for example, gmail.com, mail.ru, and hotmail.com, to avoid triggering suspicion if many email accounts were created on the same domain from the same device.
However, the accounts had a different user-agent string collected, indicating they were either run from different emulators or used spoofing to randomize user-agent strings. The user accounts associated with the attack ran from random OS versions, mostly very old Android version more than six years old.
Ecommerce attacks using jailbroken iOS devices and old shopping apps
Ecommerce mobile fraud activities targeted online stores with limited time promotions and high traffic. These sites received legitimate traffic mixed with automated bots and scripts. The sites received up to 3,000 fake users who registered using VPNs with Chinese IP addresses, while purchases made to these sites shipped to fake locations.
Addresses used in these fraudulent purchases followed a similar pattern, such as a [random house number] + [common road name] + [directions (North, South, East, West)] + [Large city or state]. Most of the criminals committed mobile fraud activities using iOS devices using very old ecommerce apps. Such attacks used jailbroken iOS devices customized to carry out large-scale attacks.
Fraudsters switched device identifiers to avoid raising suspicions about many accounts running on the same device. Device flashing mobile fraud targeted popular gaming apps. Fraudsters acted as brokers helping gamers buy virtual items using stolen personal information, credit cards, and virtual currency.
Criminals switched user accounts to complete purchases without generating any gameplay activity. They also switched device identifiers such that each device was associated with a small number of users.
Device modification rooting and flashing can be used to commit mobile ad fraud where publishers earn money by creating multiple accounts to click on their own ads. Similarly, these types of fraud could be used to falsify mobile marketing results.
The same could be used to boost app install on the play store to popularize fraudulent apps. Criminals also have an opportunity to run several bank accounts on the same device using stolen personal information.
To combat fraud, the available fraud protection solutions should rely on tracking user behavior in real time, phone numbers verification, in addition to device identifiers which could be easily spoofed.