Cloud Phones Linked to Rising Financial Fraud Threat

The use of cloud phone technology in financial fraud has become a growing concern for banks and cybersecurity teams, according to new research examining how remote mobile devices hosted in data centres are being used in fraud operations.

A new Group-IB report, published on March 25, outlined how a tool once associated with social media automation has developed into infrastructure supporting financial crime.

Cloud phones are remote-access Android devices that run real mobile operating systems and hardware components but are accessed via the internet.

Because they behave like legitimate smartphones, fraud detection systems often cannot distinguish them from real user devices. This makes them significantly more difficult to detect than traditional emulators or virtual devices previously used in fraud schemes.

The research traces the development of this technology from early social media engagement automation, where multiple accounts were controlled from a single device, through emulator use and physical phone farms, to cloud-based phone services that can be rented cheaply online. These services allow users to operate multiple mobile devices remotely without owning any hardware.

Fraud investigators found that cloud phones are now being used to create and maintain so-called dropper accounts, which are bank accounts used to receive and transfer stolen funds. In the UK, losses linked to Authorized Push Payment fraud reached £485.2m ($649m) in 2022, Group-IB said, with dropper accounts identified as a major contributor.

Detection Challenges and Industry Response

The report found that several cloud phone platforms rent virtual devices for very low prices, making fraud infrastructure accessible to individuals with minimal resources. 

In some cases, pre-verified bank accounts linked to cloud phone devices are sold on darknet markets, allowing buyers to access both the account and the same virtual device used during verification.

This means banks may see the login as coming from a familiar device, even though control has changed hands. As a result, fraud detection systems may not trigger additional security checks.

Group-IB said traditional device fingerprinting methods are less effective against cloud phones because each instance has realistic hardware identifiers, sensor data and mobile network characteristics.

Instead, the company recommended multi-layered fraud detection that combines device fingerprinting with network intelligence and behavioral modeling, uses graph-based risk analysis to spot related accounts and monitors new accounts from environments with low app diversity, high financial app density or anonymization tools.
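
One way the layered checks recommended above could be combined, as an added example that is not from Group-IB or the original article. The telemetry fields, thresholds and scoring weights are assumptions, and the sample records are constructed:

```python
from collections import defaultdict

# Constructed onboarding telemetry. Field names, values and thresholds are
# assumptions for illustration, not taken from the Group-IB report.
EVENTS = [
    {"account": "acct-1", "device": "d-01", "egress": "dc-net-A", "apps": 6, "fin_apps": 5, "anon": True, "age_days": 3},
    {"account": "acct-2", "device": "d-02", "egress": "dc-net-A", "apps": 7, "fin_apps": 5, "anon": False, "age_days": 5},
    {"account": "acct-3", "device": "d-02", "egress": "dc-net-B", "apps": 5, "fin_apps": 4, "anon": True, "age_days": 1},
    {"account": "acct-4", "device": "d-09", "egress": "isp-X", "apps": 64, "fin_apps": 3, "anon": False, "age_days": 4},
    {"account": "acct-5", "device": "d-10", "egress": "isp-Y", "apps": 8, "fin_apps": 1, "anon": False, "age_days": 900},
]

def environment_flags(e, min_apps=15, max_fin_ratio=0.5):
    """Per-device environment signals named in the recommendation."""
    flags = []
    if e["apps"] < min_apps:
        flags.append("low_app_diversity")
    if e["apps"] and e["fin_apps"] / e["apps"] > max_fin_ratio:
        flags.append("high_financial_app_density")
    if e["anon"]:
        flags.append("anonymization_tool")
    return flags

def related_accounts(events):
    """Group accounts connected through a shared device or network egress."""
    parent = {e["account"]: e["account"] for e in events}
    def find(a):
        while parent[a] != a:
            a = parent[a]
        return a
    first_seen = {}
    for e in events:
        for key in (("device", e["device"]), ("egress", e["egress"])):
            owner = first_seen.setdefault(key, e["account"])
            parent[find(e["account"])] = find(owner)  # union; no-op for a new key
    groups = defaultdict(set)
    for a in parent:
        groups[find(a)].add(a)
    return {a: groups[find(a)] for a in parent}

def review_queue(events, new_days=30, min_score=3):
    """Score new accounts: one point per flag, plus one per related account."""
    related = related_accounts(events)
    queue = {}
    for e in events:
        score = len(environment_flags(e)) + len(related[e["account"]]) - 1
        if e["age_days"] <= new_days and score >= min_score:
            queue[e["account"]] = score
    return queue
```

Linking on network egress alone over-connects customers behind shared carrier or corporate NAT, so a production graph would weight or filter those edges before scoring.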
