Device fingerprinting, i.e., collecting information from a device for the purposes of identification, is one of the main techniques used by online services for fraud detection. The goal is to recognize “bad” devices used by fraudsters, such that they can be identified even when other attributes (such as user names or IP addresses) change.
In the browser era, device fingerprints typically took the form of browser and OS configuration information and/or persistent HTTP cookies. However, as more and more online services shift to a “mobile-first” or “mobile-only” strategy, device fingerprinting technology also took on an entirely new form. The tracking entity (often the mobile app) now resides on the device itself, rather than remotely as in web communications. They hence have access to mobile device identifiers, sensor readings, and other contextual information that enable more accurate device fingerprints — and potentially better fraud detection solutions.
This did not deter fraudsters. Device fingerprinting may be good at identifying known bad mobile devices, but there is little they can provide on never-before-seen devices that lack reputation history. Fraudsters exploit this information void to their advantage. By simulating the appearance of multiple distinct mobile devices, they can conduct large-scale attack campaigns that look as if they are from unique legitimate users. This allows them to avoid detection and reap gains from fraudulent transactions, ad campaigns, and mass registered fake accounts, just to name a few.
Mobile Device Flashing
A common technique for simulating the appearance of multiple new, distinct mobile devices is called device flashing. On mobile devices, the operating system initializes and controls the system configuration (for legacy reasons, the operating system on mobile devices is sometimes also called “firmware” or “ROM image”). By “flashing,” or overwriting, the current version of the operating system with a custom version, it is possible to reset the device to its factory state. This effectively erases all stored data, and forces a new device identifier to be generated. For example, ANDROID_ID, the unique identifier for Android phones, is randomly generated when the user initializes the device.
Recently, the DataVisor team observed mobile device flashing used in an attack to perform fraudulent purchases within a popular mobile game app. The fraudsters acted as “brokers” to purchase virtual items on the gamers’ behalf, leveraging stolen credit cards and virtual currency arbitrage to make a profit. Device flashing is used here to avoid raising suspicion from having too many accounts (the gamer accounts) associated with the same device (the fraudster “broker’s” phone).
The table below shows this attack in action. Each row corresponds to an event logged by the mobile game app. The attacker repeatedly logged on as different users (gamer IDs) to make purchases, without generating any other types of events indicative of actual game play. As shown in the “DEVICE_ID” column, they also switched out their device identifiers frequently – after every couple of users – such that each “device” will only be used by a very small number of users, similar to legitimate devices.
Spoofing via Intercepting System Calls
In addition to mobile device flashing, spoofing is another way of simulating the appearance of multiple devices. This abuses the fact that apps obtain device identifiers and other system information through system calls. On jailbroken/rooted devices, or for apps that have been maliciously repackaged, these calls can be intercepted and given a fake value – whether it’s device identifiers, sensor readings, or any other contextual information about the device’s surroundings. As an example of spoofed identifiers, the figure below shows invalid “MAC addresses” observed by a mobile app that are not even in hexadecimal representation, which is a base 16 system that should only contain the symbols 0-9 and A-F (or a-f).
The table below shows examples of fake signup events at an online social network app, which offers newly registered users a limited number of virtual currency that they can use to purchase virtual items or trade with other users. In this attack, hundreds of users registered from the same IP subnet, each with a different MAC address and randomly generated usernames. By mass registering fake accounts this way, the attackers can harvest virtual currency to resell for profit, all while evading standard detection techniques based on unique device identifiers.
The Uses and Limits of Mobile Device Fingerprinting
Device fingerprinting technology has advanced greatly in the mobile era, primarily due to the many fine-grained “identifiers” available on mobile devices that were not previously accessible on PCs. However, as we show in the above examples, fraudsters have adapted their techniques to circumvent mobile device fingerprinting – and the security solutions that rely on them. With these sophisticated obfuscation techniques, a group of bot accounts (controlled by the same attackers) can appear to originate individually from different devices and geolocations, just like legitimate users.
More importantly, these attacks illustrate the importance of understanding the caveats and limitations of mobile device fingerprinting. “Unique” identifiers may not always be what they seem, and even then, recognizing a returning device is not the same as identifying fraud. As the security landscape continues to evolve with new technology, online services also need to be aware of these new threats and be prepared to deal with them.