Scammers Using Virtual Smartphones to Slip Past Fraud Checks


Fraudsters are increasingly using rentable “cloud phones” that look and behave like real smartphones, creating a new problem for banks, fintechs and businesses that have come to trust the device in a customer’s hand.

The Rise of Cloud Phones in Cyber Crime

According to a recent report by security firm Group-IB, a growing number of scammers are no longer relying on crude emulators or racks of physical handsets to run fraud at scale. Instead, they are turning to cloud phones, effectively remote Android devices running in datacentres, which can be rented cheaply and accessed over the internet.

These services are marketed as legitimate tools for developers, marketers or businesses managing multiple accounts, but in practice they also appear to be widely abused. As the report explains, “what began as a simple scheme to inflate social media metrics has evolved into a sophisticated threat that is quietly reshaping the economics of digital fraud”.

This matters because many fraud controls were built around the idea that fake devices tend to look fake. For example, emulators often leak obvious signs, such as unusual hardware configurations, missing sensor data or other artefacts that security teams know how to spot.

Cloud phones, however, don’t give off these more obvious signals. As Group-IB says, they are “for all intents and purposes… real phones, running genuine firmware, exhibiting natural sensor behavior, and presenting valid hardware attestation”. In other words, they are designed to look authentic at the technical level.

Why Virtual Smartphone Fraud is Hard to Detect

Fraud detection systems have traditionally relied on identifying unusual devices, spotting changes in device identity, or flagging suspicious technical signals, all of which have proven effective against earlier generations of emulators and virtual environments.

Cloud phones, however, are designed to avoid exactly those signals by maintaining consistent device characteristics over time while presenting realistic hardware identifiers, software environments and behavioural patterns that closely resemble those of genuine smartphones.

The report highlights that “what makes this threat unlike any other is its invisibility,” noting that activity from these devices can “appear indistinguishable from a legitimate device” to existing detection systems. Each cloud phone instance can have its own device ID, IP address, geolocation and system profile. Unlike traditional emulators, which often expose tell-tale inconsistencies, these environments are engineered to behave like genuine smartphones over time.

It’s this consistency that’s critical because it allows a device to build up a trusted history, which can then be exploited for fraud without triggering alerts designed to detect sudden changes.

How Scammers Exploit Cloud Phones in Practice

Group-IB’s report traces how this technology has moved from social media manipulation into financial crime. One of the most significant use cases is the creation and operation of so-called ‘dropper’ or ‘mule accounts’, which are accounts used to receive and move stolen funds.

For example, it seems that fraudsters can open or verify accounts using a cloud phone, then continue to access those accounts from the same virtual device. In some cases, access to both the account and the associated cloud phone instance can be sold on to other criminals.

As Group-IB explains, this creates a powerful advantage for the fraudsters because the same device signals are preserved throughout, meaning “the same device accessing the account that has always accessed it” appears to be in use. From a fraud detection perspective, that removes one of the key triggers for additional checks, i.e., there’s no obvious device change, no sudden shift in behaviour, and no immediate reason to challenge the transaction.

The Growing Scale of Financial Fraud and Cyber Security Threats to Businesses

This development comes at a time when authorised push payment fraud (where victims are tricked into sending money directly to a scammer, often through social engineering) is already a major cyber security issue. For example, in the UK alone, financial fraud losses reached £485.2 million in 2023, with mule accounts playing a central role in moving stolen funds past standard digital fraud prevention systems.

Cloud phones make these malicious accounts easier to create, operate, and scale. Group-IB says they have enabled “industrial-scale financial fraud” by lowering the cost and complexity of maintaining large numbers of apparently legitimate devices.

It seems that using cloud phones also gives fraudsters an extra economic advantage within the broader cyber crime landscape. Instead of investing in physical phone farms, fraudsters can now rent cloud infrastructure on demand, making these advanced scammer tactics accessible to a wider range of threat actors with relatively low upfront cost.

Why Cloud Phones Challenge Existing Cyber Security Models

For years, device fingerprinting has been a reliable layer in standard fraud prevention strategies. Typically, if an account is accessed from a new or suspicious device, standard cyber security defences will trigger step-up authentication or block the transaction entirely.

Cloud phones fundamentally weaken that model because the physical device itself is no longer a strong signal of trust. If a virtual smartphone can be rented, replicated, and transferred between users while maintaining a consistent identity, the traditional safeguards against digital fraud are easily bypassed.

This doesn’t mean existing IT security controls are obsolete, but it does mean they are no longer sufficient on their own. Group-IB’s report argues that advanced fraud detection must, therefore, move beyond simple device checks and towards a more layered approach. Group-IB concludes that effective fraud prevention now needs “device-environment correlation, infrastructure-level visibility, behavioral modeling, and graph-based analytics” to identify complex patterns that individual device checks may miss.
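The layered approach described above, as an added example that is not taken from Group-IB's report or the original page: a device-only rule next to a check that correlates the device's network environment with a graph of shared subnets and payees. The session fields, the network labels and the cluster threshold are assumptions, and the sessions are constructed sample data.

```python
from collections import defaultdict

# Constructed sample sessions. "net" is an assumed label from an IP-intelligence
# lookup; "payee" is the beneficiary of an outgoing transfer.
SESSIONS = [
    {"acct": "A1", "device": "d01", "net": "hosting", "subnet": "198.51.100.0/24", "payee": "P9"},
    {"acct": "A2", "device": "d02", "net": "hosting", "subnet": "198.51.100.0/24", "payee": "P7"},
    {"acct": "A3", "device": "d03", "net": "hosting", "subnet": "203.0.113.0/24", "payee": "P7"},
    {"acct": "B1", "device": "d77", "net": "mobile", "subnet": "192.0.2.0/25", "payee": "P2"},
    {"acct": "B2", "device": "d88", "net": "hosting", "subnet": "192.0.2.128/25", "payee": "P3"},
]
# Stable history: every account has only ever been seen on its one device.
KNOWN_DEVICES = {s["acct"]: {s["device"]} for s in SESSIONS}

def legacy_step_up(session):
    """Device-only rule: challenge only when the device is new to the account."""
    return session["device"] not in KNOWN_DEVICES.get(session["acct"], set())

def clusters(sessions):
    """Union-find: accounts sharing a subnet or a payee join one component."""
    parent = {s["acct"]: s["acct"] for s in sessions}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    first_seen = {}
    for s in sessions:
        for key in (("subnet", s["subnet"]), ("payee", s["payee"])):
            if key in first_seen:
                parent[find(s["acct"])] = find(first_seen[key])
            else:
                first_seen[key] = s["acct"]
    groups = defaultdict(set)
    for acct in parent:
        groups[find(acct)].add(acct)
    return list(groups.values())

def layered_flags(sessions, min_cluster=3):
    """Flag linked clusters whose handsets all sit on hosting networks."""
    hosted = {s["acct"] for s in sessions if s["net"] == "hosting"}
    flagged = set()
    for group in clusters(sessions):
        if len(group) >= min_cluster and group <= hosted:
            flagged |= group
    return flagged

if __name__ == "__main__":
    print("legacy:", [s["acct"] for s in SESSIONS if legacy_step_up(s)])
    print("layered:", sorted(layered_flags(SESSIONS)))
```

A1 and A3 share nothing directly and are linked only through A2, which is the pattern a per-device check cannot see; B2 sits on a hosting network but is not part of any cluster, so it is not flagged.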

What Does This Mean For Your Business?

For financial institutions, the message from this report is clear. A device that looks genuine can no longer be treated as strong evidence that the activity behind it is genuine too. Fraud detection will need to focus more on behaviour, context and relationships between accounts rather than relying heavily on device identity alone.

For other businesses, particularly those using mobile apps for onboarding, payments or identity verification, this is a warning that mobile trust models are becoming more complex. Controls that once worked well may now need to be reassessed.

There is also a broader operational implication. As fraud infrastructure becomes easier to rent and scale, the barrier to entry for sophisticated attacks is lowering. That increases the likelihood that smaller organisations, not just major banks, will encounter more advanced fraud techniques. This represents a clear change in how fraud is delivered, as the fraudster no longer needs to manage large numbers of physical devices and can instead access a virtual environment that behaves like a real smartphone and is designed to pass as one.

Taken together, this research seems to suggest that the balance of trust is changing: the device in the user’s hand, or at least the device that appears to be there, is no longer something businesses can rely on without question.


Build Your Human Firewall with Centurion Computers

As cyber criminals develop increasingly sophisticated tools to bypass automated fraud checks, your staff remain your most critical line of defence. We pride ourselves on being a personable, approachable team dedicated to getting you out of bother. Centurion Computers provides comprehensive Managed IT Support and industry-leading OpenText Cyber Security Awareness Training. From just £1.50 per user per month, we ensure your team knows exactly how to spot the latest scams before they compromise your systems.

Protect your business from the threats you can’t see. Contact Centurion Computers Today

