Criminals are renting virtual phones to bypass bank security
Researchers warn that criminals are using virtual Android devices to bypass bank security measures, carrying out account takeover and theft of funds by simulating real device fingerprints and pre-warming account behavior. These low-cost cloud phones make fraud more widespread; users are advised to enable multi-factor verification, be wary of suspicious requests and install security software to guard against the risk.

2026-3-27 13:34:44 Author: securityboulevard.com

Researchers at Group-IB warn about criminals using virtual Android devices to bypass modern security solutions.

Cloud phones are virtual Android devices that can fully mimic real device fingerprints (model, hardware, IP, timezone, sensor data, behavior). This allows them to undermine banks’ device‑based fraud detection.

Originally, phone farms were made up of physical devices and were set up for testing. They grew in number when companies found out they could rent virtual phones and artificially raise engagement stats like follower counts, likes, shares, and so on. Further growth was driven by moving the infrastructure from physical phone farms to cloud phones.

At some point, cybercriminals figured out how to use these “rent-a-phones” to trick people into sharing access to banking accounts and crypto wallets, which were then emptied.

Banks caught on to these tactics and started building mobile apps that rely on device fingerprinting. This helped them detect and block fake devices taking over people’s accounts.

But as with any arms race, criminals found a way around that too. They now “pre‑warm” devices by adding banking apps, registering credentials, and running small transactions so accounts and device telemetry look low‑risk.

The researchers note that:

“They moved to cloud phones—remote-access Android devices running in data centers. For all intents and purposes, these are real phones, running genuine firmware, exhibiting natural sensor behavior, and presenting valid hardware attestation.”

And it’s not a big investment for the criminals. Major cloud phone platforms offer device rentals for as little as $0.10-0.50 per hour, making fraud infrastructure accessible to almost anyone.

One place these devices are used is in mobile games with real-money economies. These games have long struggled with a specific problem: bot farming of in-game currency and resources. In many cases, automated accounts can generate in-game items that have real-world value.

Banks face a different problem: account take-over (ATO) attacks. As banking shifted from web browsers to mobile apps, they needed more reliable and comprehensive ways to identify trusted devices. Many banks now bind accounts to specific devices and flag transfers that don’t come from that device.

The start of an attack is still social engineering. Criminals try to trick users into sharing one-time passwords (OTPs), approving a login, or making a transfer “to a safe account.”

Behind the scenes, the criminal logs into a cloud phone instance that already looks like the victim’s device to their bank, thanks to matching or plausible fingerprints and pre‑warmed behavior.

Once the criminals are in, they carry out authorized push payment (APP) transfers, often to money‑mule accounts, that the bank’s systems may treat as low‑risk because nothing about the device seems obviously wrong.

At that point the criminals can start emptying your account or sell the virtual phones to other criminals. According to the researchers:

“Darknet markets actively trade pre-verified dropper accounts created on cloud phones, with Revolut and Wise accounts priced at $50-200 each, often including continued access to the cloud phone instance.”
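Because the device itself looks normal in this attack chain, a bank-side rule can key on the order of events rather than on the fingerprint. The sketch below is an added example, not code from Group-IB or Malwarebytes; the event names, the one-hour window and the sample log are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # assumed review window; tune to your own data

# Constructed sample events (not real data): (timestamp, account, event, detail)
EVENTS = [
    ("2026-03-20T10:00:00", "acct-1", "otp_login", "device-A"),
    ("2026-03-20T10:04:00", "acct-1", "payee_added", "payee-77"),
    ("2026-03-20T10:06:00", "acct-1", "transfer", "payee-77"),
    ("2026-03-20T11:00:00", "acct-2", "otp_login", "device-B"),
    ("2026-03-20T11:05:00", "acct-2", "transfer", "payee-12"),  # long-standing payee
    ("2026-03-18T09:00:00", "acct-3", "payee_added", "payee-40"),
    ("2026-03-20T12:00:00", "acct-3", "otp_login", "device-C"),
    ("2026-03-20T12:03:00", "acct-3", "transfer", "payee-40"),  # payee predates login
]


def flag_transfers(events, window=WINDOW):
    """Flag transfers to a payee created after an OTP-approved login,
    when the transfer follows that login within `window`.
    The device verdict is deliberately ignored."""
    last_login = {}   # account -> time of most recent OTP/approval login
    payee_added = {}  # (account, payee) -> time the payee was created
    flagged = []
    # ISO-8601 timestamps in one format sort correctly as strings.
    for ts, account, kind, detail in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind == "otp_login":
            last_login[account] = when
        elif kind == "payee_added":
            payee_added[(account, detail)] = when
        elif kind == "transfer":
            login = last_login.get(account)
            added = payee_added.get((account, detail))
            if login and added and login <= added and when - login <= window:
                flagged.append((account, detail, ts))
    return flagged


if __name__ == "__main__":
    for hit in flag_transfers(EVENTS):
        print("hold for review:", hit)
```

A flagged transfer is a candidate for a hold or an out-of-band confirmation, not proof of fraud; legitimate customers also add a payee and pay it in one session.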

How to stay safe

The Group-IB researchers advise end users to:

  • Never complete account verification processes under third-party instruction. Keep in mind that banks and government institutions will not ask customers to authenticate accounts through unfamiliar apps or remote environments.
  • Enable device-based security features. Use official mobile banking apps, biometric authentication, and strong device-level security settings.
  • Be cautious of “easy income” schemes involving bank accounts. These include fake job offers requiring you to “verify” bank accounts, government officials requesting account verification, and bank representatives asking you to move money to “safe” accounts.
  • If you suspect that you have been targeted, contact your bank immediately. Update passwords and enable multi-factor authentication on all accounts.

We’d like to add:

  • Turn on banking alerts for logins, payee changes and transactions where possible so you see unusual activity immediately.
  • Use an up-to-date, real-time anti-malware solution for your Android device to detect and stop information stealers.
  • When in doubt about a message, consult Malwarebytes Scam Guard. It will help you figure out if it’s a scam and guide you through what to do.


*** This is a Security Bloggers Network syndicated blog from Malwarebytes authored by Malwarebytes. Read the original post at: https://www.malwarebytes.com/blog/news/2026/03/criminals-are-renting-virtual-phones-to-bypass-bank-security


Article source: https://securityboulevard.com/2026/03/criminals-are-renting-virtual-phones-to-bypass-bank-security/