Who doesn’t like it when all of their work tools are in the same place? Google Suite and Microsoft Office are just two examples of discrete services that eventually became full platforms, with multiple services offered under one digital roof.
Fraudsters are on the hunt for that same convenience in their own workflows, and app cloners just might be the tool that steps in to fill the gap.
Picture an app on your phone. If you opened that app right now, left the window, and clicked that app’s icon on your home screen again, it wouldn’t open two windows of the app—instead, your phone would take you back to the same window of the app you already opened.
This is all well and good for regular use, but now imagine you’re a fraudster managing dozens or even hundreds of accounts on the same app. If you had to manually log in and out of every single account one at a time, you’d probably see your time-to-profit ratio skew quickly into “not worth it” territory.
That’s the problem that app cloners solve: they allow multiple instances of the same app to run on the same device at the same time.
Here's an example of an app cloner in action:
Using an app cloner, a fraudster can run as many as 1,000 instances of one app on a device at a time—that’s 1,000 accounts they can manage at a time, and it’s more if they use multiple devices or an emulator program.
First and foremost, app cloners are time savers for fraudsters who want to do multi-accounting. Instead of having to log in to and out of accounts each time they want to switch or make a new account, they can just open a new window of the app and go on their way.
Multi-accounting is the ground floor for many different types of fraud. The more accounts a fraudster controls, the more resources they have for experimentation, execution, and upscaling.
Here are a few examples of ways we’ve seen multi-accounting used to power different fraud types with some of our clients:
On a grocery delivery platform, we’ve seen a fraudster use a single device to access over 800 different accounts and claim discounts meant for new users. The amount of coupon abuse paid out to this single individual was equal to 1.53% of the total redeemed coupon value for that month—that’s 1.53% of the campaign budget that wasn’t used to draw in new, legitimate users.
A fraudster using a different platform was able to access over 400 different accounts from one device to consume over $2,000 in promotions in just 30 days. They did this using an app cloner called “Dual Space Pro.”
Using cloned apps is what makes creating and accessing this many different accounts from a single device possible.
The more accounts a fraudster has at their disposal, the bolder they can be with their fraud. If they get banned, they can simply switch to a new account and continue the pattern.
This is what we saw with one food delivery platform facing a social engineering scam on the courier side. A courier was lying to consumers and claiming that the app glitched and cancelled their order on the courier side, at which point the courier would offer a portable Point-of-Sale machine and ask for payment. What the consumer didn’t know was that the machine had been tampered with, so what looked like a $20 charge might have been $2,000.
Obviously, affected consumers quickly reported the courier after they realized what had happened, but the courier was using additional accounts to return to the app and continue the scam even if one account was banned.
By the time Incognia was able to connect all of the accounts to one device and permanently block that fraudster, they had used four separate accounts to scam over $2,000 from consumers. Tellingly, the fraudster also had access to four additional accounts that hadn’t yet been used for fraud.
App cloners make this kind of ban evasion easier by spoofing the device ID of different app instances, making different accounts owned by the same person harder to connect to one another.
In one case we’ve seen, a fraudster accessed over 200 accounts using a cloner called “Multiple Accounts: App Clone Space” and spent over $5,000 in transactions, only to get $4,163 of that money back in fraudulent refunds. That’s over 80% of their purchase value refunded.
Because many apps are more likely to grant refunds to newer users out of good faith, many fraudsters cycle through newly-created accounts to commit refund abuse at a higher success rate.
App cloners make this process easier by allowing fraudsters to more quickly create and swap between accounts without having to use one window for all of their activities.
As you can see, app cloners are already an incredibly powerful tool for organized fraudsters, even at their base functionality. But lately, we’ve seen the Fraud-as-a-Service vendors who develop and sell app cloners adding more and more features to them, essentially creating one-stop software shops for enterprising bad actors. Some of the features we’ve seen on offer include:
- Bypassing SMS verification
- Bypassing facial recognition with deepfakes and image injectors
- Changing device ID and parameters
- App tampering to bypass fraud prevention detections
- Location spoofing
Oftentimes, more advanced features and capabilities are paywalled behind higher pricing for the app. In this screenshot of an app cloner’s pricing page, you can see some of the features on offer, as well as an example of the tiered pricing model FaaS vendors might use:
It’s easy to see how access to tools like these, especially all in one place, massively lowers the barrier to entry for fraudsters. Instead of spending time and money researching and finding separate tools for all of these different fraud applications, a fraudster could get one recommendation for an app cloner suite and pay a flat fee for as many tools as the developers offer.
It might be an attack of the app cloners, but not all hope is lost—this just means that investing in fraud solutions that can detect app cloners is becoming more important than ever. At Incognia, we have an entire layer of our solution dedicated to tamper detection, so that we can identify app cloners and app tampering tools and verify the integrity of our data.
If you can detect the presence of an app cloner or similar tool on a device, that raises the risk that that device is being used with fraudulent intent. Having this kind of information allows operators to make more informed decisions about which login and onboarding attempts they allow, and it ultimately makes the platform a safer place.
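As an added illustration (not Incognia's code or method), here is one way a platform could link accounts that share any identifier, so that a banned account's cluster and unusually large clusters surface for review even when the reported device ID differs per app instance. The events are constructed, and `stable_fp` (a second signal assumed to survive cloning) and `cloner` (a client-side tamper flag) are hypothetical fields.

```python
from collections import defaultdict

# Constructed sample login events, not real data. "device_id" is what the app
# instance reports (a cloner can change it per instance); "stable_fp" and
# "cloner" are hypothetical fields assumed for this example.
EVENTS = [
    {"account": "a1", "device_id": "d-111", "stable_fp": "fp-X", "cloner": True},
    {"account": "a2", "device_id": "d-222", "stable_fp": "fp-X", "cloner": True},
    {"account": "a3", "device_id": "d-222", "stable_fp": "fp-Y", "cloner": False},
    {"account": "a4", "device_id": "d-333", "stable_fp": "fp-Y", "cloner": True},
    {"account": "b1", "device_id": "d-900", "stable_fp": "fp-Z", "cloner": False},
]
BANNED = {"a1"}

def link_accounts(events):
    """Group accounts that share any identifier, using union-find."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for e in events:
        acct = ("acct", e["account"])
        for node in (("dev", e["device_id"]), ("fp", e["stable_fp"])):
            parent[find(acct)] = find(node)  # merge account with identifier
    clusters = defaultdict(set)
    for node in list(parent):
        if node[0] == "acct":
            clusters[find(node)].add(node[1])
    return sorted(sorted(c) for c in clusters.values())

def flag_clusters(events, banned, max_accounts=3):
    """Map each suspicious cluster's unbanned accounts to the reasons it was flagged."""
    cloner_accts = {e["account"] for e in events if e["cloner"]}
    flagged = {}
    for cluster in link_accounts(events):
        members, reasons = set(cluster), []
        if members & banned:
            reasons.append("ban_evasion")      # shares a device with a banned account
        if len(members) > max_accounts:
            reasons.append("multi_account")    # too many accounts on one device
        if members & cloner_accts:
            reasons.append("cloner_seen")      # tamper flag raised on a login
        if reasons:
            flagged[tuple(sorted(members - banned))] = reasons
    return flagged

if __name__ == "__main__":
    print(flag_clusters(EVENTS, BANNED))
```

Because linking is transitive, `a4` is tied to the banned `a1` even though the two share no identifier directly, which is how accounts not yet used for fraud end up in the same review queue.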
To learn more about how Incognia is helping platforms in the gig economy tackle app cloners and other device integrity issues, visit our tamper detection page here.