
Researchers at Group-IB warn about criminals using virtual Android devices to bypass modern security solutions.
Cloud phones are virtual Android devices that can fully mimic real device fingerprints (model, hardware, IP, timezone, sensor data, behavior). This allows them to undermine banks’ device‑based fraud detection.
Originally, phone farms were made up of physical devices and were set up for testing. They grew in number when companies found out they could rent virtual phones and artificially raise engagement stats like follower counts, likes, shares, and so on. Further growth was driven by moving the infrastructure from physical phone farms to cloud phones.
At some point, cybercriminals figured out how to use these “rent-a-phones” to trick people into sharing access to banking accounts and crypto wallets, which were then emptied.
Banks caught on to these tactics and started building mobile apps that rely on device fingerprinting. This helped them detect and block fake devices taking over people’s accounts.
But as with any arms race, criminals found a way around that too. They now “pre‑warm” devices by adding banking apps, registering credentials, and running small transactions so accounts and device telemetry look low‑risk.
The researchers note that:
“They moved to cloud phones—remote-access Android devices running in data centers. For all intents and purposes, these are real phones, running genuine firmware, exhibiting natural sensor behavior, and presenting valid hardware attestation.”
And it’s not a big investment for the criminals. Major cloud phone platforms offer device rentals for as little as $0.10-0.50 per hour, making fraud infrastructure accessible to almost anyone.
One place these devices are used is in mobile games with real-money economies. These games have long struggled with a specific problem: bot farming of in-game currency and resources. In many cases, automated accounts can generate in-game items that have real-world value.
Banks face a different problem: account take-over (ATO) attacks. As banking shifted from web browsers to mobile apps, they needed more reliable and comprehensive ways to identify trusted devices. Many banks now bind accounts to specific devices and flag transfers that don’t come from that device.
The start of an attack is still social engineering. Criminals try to trick users into sharing one-time passwords (OTPs), approving a login, or making a transfer “to a safe account.”
Behind the scenes, the criminal logs into a cloud phone instance that already looks like the victim’s device to their bank, thanks to matching or plausible fingerprints and pre‑warmed behavior.
Once the criminals are in, they carry out authorized push payment (APP) transfers (often to money‑mule accounts) that the bank’s systems may treat as low‑risk because nothing about the device seems obviously wrong.
At that point the criminals can start emptying your account or sell the virtual phones to other criminals. According to the researchers:
“Darknet markets actively trade pre-verified dropper accounts created on cloud phones, with Revolut and Wise accounts priced at $50-200 each, often including continued access to the cloud phone instance.”
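One way a bank-side rule could score a transfer on account context rather than on the device fingerprint alone, shown as an added Python example (not code from Group-IB or Malwarebytes). The event fields, the `hosting_ip` enrichment flag, the thresholds and the weights are all assumptions, and the sample history is constructed.

```python
from datetime import datetime, timedelta

# Illustrative thresholds and weights (assumptions, not taken from the research).
NEW_DEVICE_WINDOW = timedelta(days=14)
NEW_PAYEE_WINDOW = timedelta(hours=24)
WARMUP_MAX = 20.00   # payments at or below this count as "small"
JUMP_FACTOR = 10     # transfer at least this many times the largest prior payment

def score_transfer(history, transfer):
    """Return (score, reasons) for a transfer, using the account history as context."""
    dev, now = transfer["device"], transfer["ts"]
    reasons = []
    bound = [e["ts"] for e in history if e["type"] == "device_bound" and e["device"] == dev]
    if not bound or now - min(bound) < NEW_DEVICE_WINDOW:
        reasons.append(("recently_bound_device", 30))
    if transfer.get("hosting_ip"):
        # Cloud phones run in data centers, so a hosting-network source IP is a signal.
        reasons.append(("datacenter_ip", 25))
    prior = [e["amount"] for e in history
             if e["type"] == "payment" and e["device"] == dev and e["ts"] < now]
    if prior and max(prior) <= WARMUP_MAX and transfer["amount"] >= JUMP_FACTOR * max(prior):
        reasons.append(("warmup_then_large_transfer", 25))
    added = [e["ts"] for e in history
             if e["type"] == "payee_added" and e["payee"] == transfer["payee"]]
    if not added or now - min(added) < NEW_PAYEE_WINDOW:
        reasons.append(("new_payee", 20))
    return sum(w for _, w in reasons), [name for name, _ in reasons]

# Constructed sample data: one long-standing device, one bound two days ago.
T0 = datetime(2025, 1, 10, 9, 0)
HISTORY = [
    {"type": "device_bound", "device": "phone-A", "ts": T0 - timedelta(days=400)},
    {"type": "payee_added", "payee": "landlord", "ts": T0 - timedelta(days=390)},
    {"type": "payment", "device": "phone-A", "ts": T0 - timedelta(days=3), "amount": 850.0},
    {"type": "device_bound", "device": "phone-B", "ts": T0 - timedelta(days=2)},
    {"type": "payment", "device": "phone-B", "ts": T0 - timedelta(days=1), "amount": 1.50},
    {"type": "payment", "device": "phone-B", "ts": T0 - timedelta(hours=5), "amount": 4.00},
    {"type": "payee_added", "payee": "new-acct", "ts": T0 - timedelta(hours=1)},
]
USUAL = {"device": "phone-A", "ts": T0, "amount": 900.0, "payee": "landlord", "hosting_ip": False}
SUSPECT = {"device": "phone-B", "ts": T0, "amount": 2500.0, "payee": "new-acct", "hosting_ip": True}

if __name__ == "__main__":
    for name, t in (("usual", USUAL), ("suspect", SUSPECT)):
        print(name, score_transfer(HISTORY, t))
```

Because a cloud phone's fingerprint, including its IP, can be made to look plausible, no single signal here is decisive; the score comes from the combination of a recent binding, warm-up payments, and a first-time payee.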
How to stay safe
The Group-IB researchers advise end users to:
- Never complete account verification processes under third-party instruction. Keep in mind that banks and government institutions will not ask customers to authenticate accounts through unfamiliar apps or remote environments.
- Enable device-based security features. Use official mobile banking apps, biometric authentication, and strong device-level security settings.
- Be cautious of “easy income” schemes involving bank accounts. Watch for fake job offers requiring you to “verify” bank accounts, government officials requesting account verification, and bank representatives asking you to move money to “safe” accounts.
- If you suspect that you have been targeted, contact your bank immediately. Update passwords and enable multi-factor authentication on all accounts.
We’d like to add:
- Turn on banking alerts for logins, payee changes and transactions where possible so you see unusual activity immediately.
- Use an up-to-date, real-time anti-malware solution for your Android device to detect and stop information stealers.
- When in doubt about a message, consult Malwarebytes Scam Guard. It will help you figure out if it’s a scam and guide you through what to do.

Facts Only

Researchers at Group-IB warn about criminals using virtual Android devices to bypass security solutions.
Cloud phones are virtual Android devices that mimic real device fingerprints, including model, hardware, IP, timezone, sensor data, and behavior.
These devices undermine banks’ device-based fraud detection systems.
Phone farms originally consisted of physical devices for testing but shifted to virtual cloud phones.
Cybercriminals use rented cloud phones to trick users into sharing access to banking accounts and crypto wallets.
Banks responded by implementing device fingerprinting in mobile apps to detect fake devices.
Criminals now "pre-warm" cloud phones by adding banking apps, registering credentials, and running small transactions to appear low-risk.
Cloud phone rentals cost as little as $0.10–$0.50 per hour.
These devices are also used in mobile games to automate farming of in-game currency with real-world value.
Account take-over (ATO) attacks in banking often start with social engineering, such as tricking users into sharing OTPs.
Criminals use cloud phones with matching fingerprints to bypass bank security and conduct authorized push payment (APP) transfers.
Darknet markets sell pre-verified accounts created on cloud phones, with Revolut and Wise accounts priced at $50–$200.
Security recommendations include avoiding third-party verification, enabling biometric authentication, and monitoring banking alerts.

Executive Summary

Cybercriminals are exploiting virtual Android devices, known as cloud phones, to bypass security measures in banking and financial apps. These devices mimic real hardware fingerprints, including model, IP, sensor data, and behavior, allowing fraudsters to evade device-based fraud detection. Originally used for testing and social media engagement manipulation, cloud phones have become a tool for account takeovers (ATOs) and crypto wallet theft. Criminals "pre-warm" these devices by installing banking apps, registering credentials, and conducting small transactions to appear legitimate. Rental costs for cloud phones are as low as $0.10–$0.50 per hour, making fraud accessible to a broader range of actors. Beyond banking, these devices are used in mobile games to farm in-game currency with real-world value. Social engineering remains the initial attack vector, tricking users into sharing OTPs or approving transfers. Pre-verified accounts linked to cloud phones are sold on darknet markets for $50–$200. Security recommendations include avoiding third-party verification, enabling biometric authentication, and monitoring account alerts. The arms race between security measures and fraud tactics continues, with cloud phones representing a significant evolution in cybercrime infrastructure.

Full Take

The strongest version of this narrative highlights a critical evolution in cybercrime: the weaponization of cloud-based virtual devices to exploit trust in device fingerprinting. Group-IB’s research credibly demonstrates how fraudsters adapt to security measures, turning legitimate technology (cloud phones) into a tool for financial theft. The analysis avoids sensationalism, focusing on verifiable tactics like "pre-warming" devices and the low cost of rental infrastructure. However, the framing leans toward a technological arms race, which may obscure deeper systemic issues—such as the financial incentives for platforms hosting these cloud phones or the limitations of device-based authentication as a sole security layer.
Pattern scan: The narrative employs a subtle fear appeal (ARC-0012) by emphasizing the accessibility of fraud tools ($0.10/hour) and the sophistication of attacks, which could amplify anxiety without proportional actionable solutions. The focus on "darknet markets" and "money mules" also risks reinforcing a binary of "criminals vs. victims," potentially oversimplifying the role of complicit intermediaries (e.g., cloud providers, lax KYC policies). No overt distortion or bad faith is detected, but the emphasis on individual vigilance (e.g., "never complete verification under third-party instruction") may shift responsibility away from institutional failures.
Root cause: The paradigm here is the commodification of trust. Cloud phones exploit the assumption that device fingerprints are immutable markers of identity, a flaw in security models that treat hardware as inherently trustworthy. Historically, this echoes the cat-and-mouse game between spam filters and botnets—each iteration of defense spawns a more sophisticated offense. The unstated assumption is that banks and users can "out-innovate" fraud, but the low cost of entry for attackers suggests structural vulnerabilities in digital identity systems.
Implications: Human agency is both undermined and empowered. Users face heightened risks of social engineering, while banks must grapple with the limits of technical solutions. The second-order consequence is the erosion of trust in mobile banking, which could drive regulatory overreach or push users toward less secure alternatives. The beneficiaries are cybercriminals and cloud phone providers profiting from ambiguity; the costs are borne by individuals and institutions playing catch-up.
Bridge questions: What role should cloud infrastructure providers play in mitigating abuse of their platforms? Could decentralized identity systems (e.g., blockchain-based attestation) reduce reliance on device fingerprints, or would they introduce new vulnerabilities? How might financial institutions redesign authentication to account for the "pre-warming" of fraudulent devices?
Counterstrike scan: If this were an influence campaign, the playbook would amplify fear of technological helplessness ("fraud is inevitable") to justify surveillance-heavy security measures or vendor lock-in for "trusted" devices. The actual content avoids this trap, focusing on user education and multi-layered defenses rather than despair. No structural alignment with manipulation is detected.

Sentinel — Human

Confidence

This analysis suggests the article is likely human-written, with varied sentence structure, an engaging narrative, and unique argumentation. However, the analysis is not definitive.

Signals Detected
low severity: Slightly varied sentence length
medium severity: Engaging narrative with personal voice
low severity: Unique argument structure, no verbatim talking points
Human Indicators
Article provides contextual details not typically found in AI-generated content
The article presents a clear narrative with a personal tone, which is less common in synthetic text