
On-device fraud: a rising threat in online banking fraud


In today's digitally interconnected world, where transactions are conducted with a mere tap of a screen and sensitive information flows seamlessly across networks, the threat of fraud looms larger than ever before. 

As technology continues to evolve, so do the methods employed by fraudsters to exploit vulnerabilities and compromise the security of individuals and businesses. 

One such avenue for fraudulent activity is on-device fraud, where malicious actors target devices themselves to gain unauthorised access, steal personal data, or execute fraudulent transactions.

That’s why it has become imperative for banks to adopt proactive strategies and deploy advanced tools to fortify their defences against on-device fraud.

In this article, we delve into the intricacies of on-device fraud, exploring its various forms and the impact it can have on individuals and organisations, with the hope of helping banks protect their customers against these attacks. 

What is on-device fraud and how it works

On-device fraud refers to fraudulent activities conducted directly on a user's device without the need to take over the victim’s account from another device.

This type of fraud exploits the trust placed in the victim’s device: it bypasses device enrolment procedures and avoids triggering strong risk indicators such as those tied to the use of a new device or a connection from a new location. Fraudsters use this position to carry out malicious actions, including unauthorised access to sensitive information, manipulation of data, or unauthorised transactions. 

On-device fraud can be carried out through various techniques, such as social engineering attacks and the abuse of legitimate features (e.g. Accessibility Services on Android), all of which aim at infecting the victim’s device with malware. 

Social engineering attacks may trick users into divulging sensitive information, such as login credentials or banking details, through fraudulent emails, messages, or websites that mimic legitimate entities. 

Do you need a refresher on social engineering attacks? Read our blog article: “Social engineering attacks in online banking: how to identify and fight them”.

Furthermore, abusing legitimate features such as the Accessibility Service on Android can give attackers full control of the victim's device, including performing gestures on their behalf or intercepting SMS messages. 

In both cases, the purpose is the same: allow cybercriminals to take control of the victim’s device by installing malware, such as trojans or spyware, through deceptive links, malicious apps or software downloads. 

How on-device fraud works | Cleafy

Account Takeover via on-device fraud

On-device fraud is commonly exploited to perpetrate Account Takeover. In this case, we talk about Device Takeover.

Device Takeover is executed using a specific type of malware known as Remote Access Trojans (RATs), engineered to manipulate infected devices remotely by issuing commands and retrieving data.

In this way, cybercriminals are able to read the OTP messages and authorise the illicit payments by themselves without needing the “help” of the banking account owner. 

Automated Transfer System via on-device fraud

Unlike Account Takeover, attacks through an Automated Transfer System (ATS) don't require taking over the victims’ accounts. 

Once the malware is installed on the victim’s device, cybercriminals can carry out the fraud by tampering with a genuine transaction without the user noticing. From the bank’s point of view, every action is performed by the real user on the real device; the user is simply unaware of the malware installed on it. 

This allows cybercriminals to bypass fraud detection mechanisms like two-factor authentication, Behavioral Biometrics, or Behavioral Analysis.

In terms of fraud operations, ATS attacks are way more scalable than ATO attacks, as they are completely automated and do not require the intervention of humans. On the other hand, developing advanced malware is extremely expensive.
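The two sections above make one practical point for detection engineers: an on-device fraud session comes from the enrolled device, at the usual location, with the OTP entered correctly, so risk scoring that leans on new-device and new-location indicators scores it as clean. The following Python example (added here for illustration; it is not Cleafy’s code, and every signal, weight, threshold and sample session is a constructed assumption) contrasts a device-trust-only scorer with one that also looks at transaction context: a new beneficiary on an instant-payment rail, an amount far above the user’s history, an OTP consumed faster than a person could read it, and an app-reported flag that a non-allowlisted accessibility service is enabled. The classic ATO session is caught by both scorers; the ODF session is caught only by the second one.

```python
"""Why device-trust signals alone miss on-device fraud (ODF).

Added example, not Cleafy's code. All signals, weights, thresholds and the
sample sessions below are constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    known_device: bool        # device previously enrolled by this user
    known_location: bool      # IP/geo previously seen for this user
    new_beneficiary: bool     # payee never used by this user before
    instant_payment: bool     # irrevocable rail (e.g. instant transfer)
    amount: float
    typical_amount: float     # user's historical median transfer (assumed)
    otp_time_s: float         # seconds from OTP delivery to submission
    foreign_accessibility_service: bool  # assumed app-reported telemetry:
                                         # a non-allowlisted a11y service is on


def device_trust_score(s: Session) -> int:
    """Classic ATO-oriented scoring: only new-device / new-location signals."""
    score = 0
    if not s.known_device:
        score += 50
    if not s.known_location:
        score += 30
    return score


def odf_aware_score(s: Session) -> int:
    """Adds signals that survive when the session comes from the real device."""
    score = device_trust_score(s)
    if s.new_beneficiary and s.instant_payment:
        score += 30   # money-mule pattern: first-time payee, irrevocable rail
    if s.typical_amount > 0 and s.amount > 5 * s.typical_amount:
        score += 20   # amount far outside the user's history
    if s.otp_time_s < 3:
        score += 25   # OTP consumed faster than a human reads an SMS
    if s.foreign_accessibility_service:
        score += 40   # classic Android RAT/ATS enabler
    return score


THRESHOLD = 60  # assumed cut-off for "block and send to review"


def decision(score: int) -> str:
    return "block_and_review" if score >= THRESHOLD else "allow"


def compare(s: Session) -> dict:
    """Decision of each scorer for the same session."""
    return {"device_only": decision(device_trust_score(s)),
            "odf_aware": decision(odf_aware_score(s))}


# Constructed sample sessions (not real customers or cases).
ATO_SESSION = Session("alice", known_device=False, known_location=False,
                      new_beneficiary=True, instant_payment=True,
                      amount=2500.0, typical_amount=300.0, otp_time_s=40.0,
                      foreign_accessibility_service=False)

ODF_SESSION = Session("bob", known_device=True, known_location=True,
                      new_beneficiary=True, instant_payment=True,
                      amount=2500.0, typical_amount=300.0, otp_time_s=1.5,
                      foreign_accessibility_service=True)

LEGIT_SESSION = Session("carol", known_device=True, known_location=True,
                        new_beneficiary=False, instant_payment=False,
                        amount=280.0, typical_amount=300.0, otp_time_s=25.0,
                        foreign_accessibility_service=False)

if __name__ == "__main__":
    for s in (ATO_SESSION, ODF_SESSION, LEGIT_SESSION):
        print(s.user, compare(s))
```

The weights are deliberately simple; the design point is that the ODF session scores zero on every device-trust signal, so the only way to catch it is with signals that describe what the transaction and the device state look like rather than where the session came from.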

Real-world examples of on-device fraud threats

A recent real-world example of an on-device fraud threat is Copybara.

Copybara has all the functionality needed to perform On-Device Fraud (ODF) and initiate unauthorised money transfers directly on the victim's device. With the ODF approach, threat actors (TAs) have significantly enhanced their ability to push fraudulent transactions through, rendering conventional anti-fraud countermeasures largely ineffective. 

The TAs behind Copybara adopted a hybrid approach, combining social engineering techniques (smishing/vishing) with malware components to perform unauthorised banking transfers (via Instant Payments) to a well-organised network of money-mule bank accounts.

Copybara fraud campaign | Cleafy Labs

Why does it represent a threat to banks and financial services?

With the development of advanced fraud techniques and the pervasive use of digital devices, there is no reason to doubt the extensive damage that on-device fraud can cause to banks and financial services. 

If any doubt remains, here is a summary of why you should care about this threat.

Financial consequences for customers and businesses

For individuals, unauthorised transactions, identity theft, and drained bank accounts are distressing realities that can lead to significant financial strain and disruption of daily life. 

Moreover, businesses face similar risks, with the added burden of potential liabilities from compromised customer data or fraudulent transactions. The costs associated with investigating and rectifying fraudulent activities, coupled with potential reputational damage, underscore the severity of the financial impact of on-device fraud.

Erosion of trust in digital services - and in your bank

Beyond the immediate financial implications, on-device fraud poses a grave threat to the trust and confidence in digital services or a specific bank or financial services provider. 

In an era where online banking, e-commerce, and digital payments have become integral parts of everyday life, any compromise in the security of these platforms can erode trust and undermine user confidence. Instances of on-device fraud not only shake the belief in the safety of digital transactions but also instil fear and scepticism among consumers regarding the reliability of financial institutions and technology providers. 

The erosion of trust in digital services can have far-reaching consequences, leading to decreased adoption of online banking solutions, diminished consumer engagement with digital platforms, and a general reluctance to embrace innovative financial technologies.

Potential legal and regulatory consequences

The prevalence of on-device fraud also brings significant legal and regulatory implications for banks and financial services providers. 

As custodians of sensitive customer information and guardians of financial transactions, these institutions are subject to stringent legal requirements and regulatory standards to safeguard consumer interests and ensure data protection. 

Instances of on-device fraud not only expose vulnerabilities in existing security frameworks but also raise questions about the adequacy of measures implemented to prevent fraudulent activities. 

Failure to adequately address these concerns can result in legal liabilities, regulatory fines, and reputational damage for financial institutions found to be negligent in protecting customer assets and data privacy.

Psychological consequences

Let’s not forget the troubling effect that online fraud has on mental health.

The sense of violation and betrayal experienced by individuals who fall victim to fraud can be overwhelming, leading to feelings of vulnerability, helplessness, and mistrust. Victims may suffer from heightened anxiety, stress, and paranoia, fearing further breaches of their privacy and security. 

The psychological trauma inflicted by on-device fraud can have long-lasting repercussions, affecting not only the immediate victims but also their families and communities. 

Recognising and addressing the psychological toll of on-device fraud is crucial for supporting victims and fostering resilience in the face of evolving cyber threats.

How to prevent On-device fraud

The multifaceted nature of on-device fraud presents a complex challenge for banks and financial services, encompassing financial, trust-related, legal, and psychological dimensions. Addressing this threat requires a comprehensive approach integrating robust cybersecurity measures, effective risk management strategies, and empathetic support for victims. 

Financial institutions can better safeguard their customers and uphold the integrity of digital financial systems only by understanding the far-reaching implications of on-device fraud and how to avoid it from happening. 

Awareness and education

Most of the time, cyber-attacks get through because people do not pay enough attention to how they act online.

The world of online banking fraud is becoming highly complex and full of nuances that people aren’t aware of. 

The development of anti-fraud technologies led cybercriminals to exploit the only thing that technology will never control: the human brain. This is why social engineering techniques are so successful in perpetrating fraud. 

This is where awareness and education become crucial to prevent people from falling into cybercriminals’ traps. 

Strong security measures

As we saw, malware plays a central role in perpetrating on-device fraud. 

We live in a new world where fraudsters aren’t a small group of youngsters playing with limited tools from their garages. Online fraud is an entire industry backed by a structured ecosystem. Entire illicit organisations invest money in developing advanced malware and create malware as a service. AI is making this process even quicker. 

Banks and financial services providers must secure their systems by integrating a fraud management solution that can detect even the most advanced malware before it strikes, including new malware variants and zero-day malware.  

Such a solution combines advanced detection and response capabilities with skilled fraud hunters, and identifies in real time new threat patterns that might hit your customers. 

By combining multiple patented technologies with a rich database of malware families used to classify new variants, Cleafy has proved highly effective in detecting new malware families before they strike. 

Thanks to this, we have been able over the years to identify dangerous malware like TeaBot, SharkBot and new Copybara campaigns targeting banks in Europe.
