Group-IB has released a new report exposing a sophisticated evolution in digital fraud: the rise of Cloud Phones. The report traces the evolution of these remote-access Android devices from simple social media bots to a primary tool for creating untraceable “dropper” accounts for scams. These are false accounts created by fraudsters based on stolen credentials, specifically targeted to receive and transfer stolen funds. Once used primarily for harmless social media “likes,” this technology has now been weaponised into an industrial-scale financial threat that bypasses traditional bank security systems.
The “Invisible” upgrade to modern fraud
For years, banks have successfully blocked “emulators” – software that tries to mimic a phone on a computer. However, criminals have pivoted to Cloud Phones. These are physical mobile phone motherboards stored in data centres and rented out for as little as $0.10 per hour.
Because these devices use genuine hardware, real serial numbers, and legitimate Android software, they appear “invisible”, bypassing traditional fraud detection. To a bank’s security system, a hacker in a different country using a cloud phone looks exactly like a legitimate customer using a standard smartphone.
The research highlights several key discoveries:
- Industrial scale: Cloud phone farms, vast networks of physical mobile devices housed in data centres, are facilitating the mass creation of dropper accounts, which are the critical final link in many Authorised Push Payment (APP) scams.
- Invisibility: By preserving consistent device telemetry, these accounts do not trigger the device-change detection mechanisms that banks rely on to flag account takeovers.
- Accessibility: It’s no longer just for experts. Platforms like Redfinger, GeeLark, and LDCloud have democratised fraud, making sophisticated infrastructure available with minimal investment.
A new business model for crime
Fraudsters are now selling these cloud phones pre-loaded with fully verified banking and virtual wallet accounts on darknet markets for as little as $50, creating a turnkey solution for money laundering.
A buyer gets access to a pre-verified bank account that is already logged into a specific Cloud Phone. Because the account and the phone are sold together, the bank never sees a “new device” login.
This highlights a dangerous shift in the “money mule” economy. APP fraud continues to lead industry losses. According to the UK Finance Annual Fraud Report 2023, APP fraud losses reached £485.2 million in 2023, with the dropper account fraud identified as the single most contributing incident of all. The problem continues to grow and spread in other regions.
The new rules of detection
For financial institutions, fraud detection must move beyond static device authenticity checks to multi-layered intelligence. These include:
- Device-environment correlation: Identifying anomalies such as a device’s battery level always being at 100% or showing no motion during use.
- Behavioural & App analysis: Flagging devices with an unusually high number of financial apps, the presence of anonymisation tools like VPNs, or a suspicious lack of standard, pre-installed applications.
- Graph-based analytics: Moving beyond single-device evaluation to identify clusters of accounts linked by shared infrastructure patterns.
Financial institutions are urged to adopt multi-layer intelligence platforms that combine device fingerprinting with network intelligence and behavioural modeling. Group-IB’s Fraud Protection platform has already begun deploying new detection rules to identify these remote environments, resulting in a drastic decrease in fraudulent logins for early adopters.
Staying safe: Recommendations for end-users
- Never complete account verification processes under third-party instruction. Keep in mind that banks and government institutions will not ask customers to authenticate accounts through unfamiliar apps or remote environments.
- Enable device-based security features. Use official mobile banking apps, biometric authentication, and strong device-level security settings.
- Be cautious of “easy income” schemes involving bank accounts, such as fake job offers requiring you to “verify” bank accounts, government officials requesting account verification, or bank representatives asking you to move money to “safe” accounts.
- If you suspect that you have been targeted, contact your bank immediately. Update passwords and enable multi-factor authentication on all accounts.
Discussion about this post