Category: Cyber Security | Published: 2026-04-16
The Device You Trust May Not Be Real
For years, one of the most reliable signals in digital fraud detection has been the device. If an account is accessed from a new device, an unfamiliar location, or a virtual environment that does not behave like a genuine handset, security systems can flag it, challenge the user, or block the transaction entirely.
That model is now under pressure. Fraudsters have found a way to use cloud-based virtual smartphones that behave, in technical terms, like real devices. They present genuine hardware identifiers, realistic software environments, and consistent behavioural patterns that closely resemble legitimate use. As a result, digital fraud controls built around device identity are struggling to keep pace.
What Cloud Phones Are and How Fraudsters Use Them
Cloud phones are remote Android devices hosted in datacentres that can be accessed and controlled over the internet. They are marketed to legitimate users including developers testing apps and businesses managing multiple accounts, but security researchers at Group-IB have documented how they are increasingly being exploited to carry out digital fraud at scale.
What makes cloud phones particularly valuable to fraudsters is that they avoid the tell-tale signs that have historically given away fraud attempts made using cheap emulators. Traditional emulators often exhibit unusual hardware configurations, missing sensor data, or other inconsistencies that experienced security teams know how to identify. Cloud phones do not have these weaknesses. According to Group-IB, they run genuine firmware, exhibit natural sensor behaviour, and present valid hardware attestation. In short, they are designed from the ground up to pass as real smartphones.
Each cloud phone instance can be assigned its own unique device identifier, IP address, geolocation, and system profile. Fraudsters can rent them cheaply, configure them quickly, and use them to create accounts that look and behave like those of genuine customers.
Consistency Is the Key Advantage
What sets cloud phones apart from earlier fraud tools is not just their technical sophistication but their consistency. Digital fraud detection has traditionally looked for sudden changes, a new device accessing an account, a shift in location, or a change in device characteristics, as signals that something suspicious may be happening.
Cloud phones can maintain the same device identity over time, building up a trusted history just as a real smartphone would. Once that trust is established, fraudsters can operate accounts without triggering the alerts that a suspicious change would normally generate. The same virtual device keeps accessing the same account, the signals remain consistent, and the fraud detection system sees nothing unusual.
Group-IB described this as the core strength of the technique, noting that activity from these devices can appear indistinguishable from a legitimate device to existing detection systems.
How This Drives Financial Crime
Group-IB's research traces how this technology has moved from social media manipulation, where it was originally used to inflate follower counts and engagement metrics, into financial crime. The most significant application is the creation and operation of mule accounts used to receive and move stolen funds.
Fraudsters can use a cloud phone to open or verify an account, then continue to access it from the same virtual device, preserving the device history that keeps the account looking legitimate. In some cases, access to both the account and the associated cloud phone instance is packaged together and sold on to other criminals, creating a secondary market in ready-made fraudulent accounts with established trust histories.
This is directly relevant to the scale of digital fraud in the UK. Authorised push payment fraud, where victims are tricked into transferring money directly to a fraudster, reached losses of £485.2 million in 2023, with mule accounts playing a central role in moving those funds. Anything that makes mule accounts easier to create and harder to detect has a direct impact on that figure.
Why Device Fingerprinting Alone Is No Longer Sufficient
The rise of cloud phones does not mean that device-based fraud controls are worthless, but it does mean they are no longer sufficient on their own. Fraudsters have deliberately engineered a tool that targets this specific layer of protection, and the result is a gap that organisations relying primarily on device identity will struggle to close.
Group-IB concluded that effective detection now requires a more layered approach combining device-environment correlation, behavioural modelling, infrastructure-level visibility, and graph-based analytics that can identify suspicious patterns across linked accounts, rather than looking at each device or transaction in isolation.
In practical terms, this means looking at how an account behaves over time, what connections exist between accounts, and whether the broader pattern of activity is consistent with a genuine customer, rather than asking only whether the device appears to be real.
What This Means for UK Businesses
The immediate concern is for banks and financial institutions, but the implications extend to any business that uses mobile devices or apps as part of customer onboarding, identity verification, or payment processing. If your fraud controls rely heavily on device trust, this research suggests those controls need to be reviewed.
The barrier to entry for this kind of digital fraud is also dropping. Because cloud phones can be rented on demand without the cost of physical infrastructure, more fraudsters can access sophisticated tools than was previously possible. That increases the likelihood that organisations beyond the financial sector will encounter these techniques.
For businesses reviewing their digital fraud defences, the key questions are whether verification processes go beyond device identity, whether behavioural and contextual signals are being used alongside device checks, and whether account relationships are being monitored for suspicious patterns at an aggregate level rather than just at the point of a single transaction.
Staying ahead of evolving digital fraud techniques requires more than good tools. It requires an up-to-date understanding of how the threat landscape is changing and a security posture that can adapt accordingly. If you want to review your organisation's cyber security controls in light of developments like this, get in touch with Cloud Smart Solutions or explore our cyber security services.