As Australians sleep, scammers in other corners of the globe are waking up to a powerful new fraud tool that banks are struggling to detect. Virtual devices that pretend to be real handsets have become a key tool for financial scammers, according to security research released this week. The technology is neither new nor particularly sophisticated, but its impact on fraud victims may be substantial.
Cloud phones are remote-access Android devices that run real mobile operating systems and hardware components but are accessed via the internet, and because they behave like legitimate smartphones, fraud detection systems often cannot distinguish them from real user devices. These virtual phones run in data centres; a scammer simply logs in via the internet, opens a banking app, and initiates a fraudulent transfer. To the bank's security systems, the transaction appears to come from a device that has accessed that account many times before.
For Australian consumers, the implications are increasingly serious. Authorised push payment (APP) scam losses are on the rise, with losses in Australia predicted to hit AUD1.76 billion by 2028. That figure represents the total value stolen through scams where victims voluntarily send money to fraudsters after being deceived, often through social engineering and impersonation. By 2028, APP scam losses through real-time payments in Australia are expected to hit AUD1.547 billion, accounting for almost 88% of total scam losses.
The accessibility of cloud phone technology has democratised fraud. Cybercrime forums increasingly feature cloud phones pre-configured with finance apps and account login details that have been "pre-warmed" with a few transactions so as to appear legitimate, and they go for anywhere from $50 to $200 apiece. This means a relatively unsophisticated criminal can now access established fraud infrastructure without building it from scratch.
Why cloud phones? Traditional banks of actual smartphones are expensive and cumbersome to maintain. SIM farms rely on so much emulation software that they are easy to detect, because they do not give off the data characteristic of actual smartphones. Software running in cloud environments, by contrast, closely mimics phone behaviour: each virtual Android phone gets a unique device ID, IP address and spoofed geolocation, and even fake sensor data to make it appear as if the device actually exists in the physical world.
The core vulnerability lies in how banks have historically approached fraud detection. Money is transferred fraudulently from scam victims to attacker-controlled accounts and then forwarded on to scammers via cloud devices with banking apps installed. These transfers never trigger fraud alerts because, to the bank's fraud detection system, the device accessing the account appears to be the same one that has always accessed it: same hardware fingerprint, same telemetry, same behavioural patterns.
There is a counterargument worth considering: cloud phone technology has legitimate uses. Social media managers use it to run multiple accounts without buying hundreds of physical phones. E-commerce resellers use it to avoid platform spam limits. Businesses use it for automation and testing. The platforms marketing these services are operating in a legally grey area, not clearly illegal, and many use the technology responsibly. The problem is not the technology itself but its weaponisation by criminals in concert with social engineering.
Cloud phones now facilitate industrial-scale dropper account creation worth £485.2 million in APP fraud losses in the UK alone for 2023, and undiscovered cloud phone usage is the critical missing link in many APP fraud cases. That gap between detection and reality represents millions of dollars in losses that banks are currently unable to prevent.
The response from both security researchers and financial institutions is shifting. Multi-layered fraud detection has been recommended as a more effective approach: it combines device fingerprinting with network intelligence and behavioural modelling, uses graph-based risk analysis to spot related accounts, and monitors new accounts from environments with low app diversity, high financial app density or anonymisation tools. In other words, banks will need to look beyond the device itself and scrutinise the patterns of use, the speed of transactions, and the relationships between accounts.
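The layered approach described above, as an added example (not code from the cited research or from any bank): it scores each new account's device environment on the three signals named, then links accounts through shared attributes so that risk carries across a cluster. The field names, thresholds, app identifiers and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

FINANCE_APPS = {"bank_x", "bank_y", "wallet_z"}  # hypothetical app identifiers
NORMAL_APPS = "maps mail camera music chat news games photos weather notes bank_x".split()

# Constructed telemetry for newly opened accounts; every value is made up.
SESSIONS = [
    {"account": "A1", "apps": ["bank_x", "bank_y", "wallet_z"],
     "anonymised": True, "subnet": "203.0.113.0/24", "payee": "P9"},
    {"account": "A2", "apps": ["bank_x", "bank_y", "browser"],
     "anonymised": True, "subnet": "203.0.113.0/24", "payee": "P7"},
    {"account": "A3", "apps": NORMAL_APPS,
     "anonymised": False, "subnet": "198.51.100.0/24", "payee": "P1"},
    {"account": "A4", "apps": NORMAL_APPS,
     "anonymised": True, "subnet": "192.0.2.0/24", "payee": "P7"},
]

def environment_score(s, min_apps=10, max_finance_ratio=0.5):
    """Count which of the three environment signals fire (0 to 3)."""
    apps = set(s["apps"])
    ratio = len(apps & FINANCE_APPS) / len(apps) if apps else 1.0
    return int(len(apps) < min_apps) + int(ratio > max_finance_ratio) + int(s["anonymised"])

def clusters(sessions, link_keys=("subnet", "payee")):
    """Connected components of accounts that share any linking attribute."""
    parent = {s["account"]: s["account"] for s in sessions}
    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a
    first_seen = {}  # (attribute, value) -> first account observed with it
    for s in sessions:
        for key in link_keys:
            owner = first_seen.setdefault((key, s[key]), s["account"])
            parent[find(s["account"])] = find(owner)
    groups = defaultdict(set)
    for acct in parent:
        groups[find(acct)].add(acct)
    return list(groups.values())

def accounts_for_review(sessions, min_score=2, min_risky=2):
    """Flag every member of a cluster holding >= min_risky high-score devices."""
    score = {s["account"]: environment_score(s) for s in sessions}
    flagged = set()
    for group in clusters(sessions):
        if sum(score[a] >= min_score for a in group) >= min_risky:
            flagged |= group
    return sorted(flagged)
```

Account A4 scores only 1 on its own environment but is still queued for review because it shares a payee with A2, which is the point of looking at relationships between accounts rather than the device alone.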
For Australian banks, the challenge is immediate. Australia in early 2025 introduced frameworks to tackle various types of APP fraud, obligating financial institutions, digital platforms, and telecommunications providers to prevent, detect, disrupt, and report scams, or face harsh penalties for failing to protect customers. That regulatory pressure is mounting. The question is whether the technological fixes can keep pace with the ingenuity of fraudsters.
The uncomfortable truth is that no single solution will work. Cloud phones are just one weapon in a much larger arsenal of fraud tactics. As banks invest in multi-layered detection and intelligence-sharing networks, criminals will adapt. The race between detection and evasion continues, and for now, the evasion side is winning. Australian consumers should remain vigilant about requests for payments, regardless of how plausible the request appears, because the technology fraudsters now use makes it harder than ever for banks to catch them first.