Location spoofing is any technology that allows users to manipulate the location data shared by their device. There are a lot of uses for this technology, and not all of them are fraudulent—for example, some forms of IP and GPS spoofing are popular among privacy-conscious users who want to avoid tracking.
Unfortunately, however, location spoofing does have many fraudulent and abusive use cases as well, especially on location-based apps like P2P marketplaces or gig economy apps like food and grocery delivery services.
Location spoofing tools either send out false GPS signals from the user’s device or use software to make it appear as if the device is located elsewhere.
What is location spoofing?
Who typically spoofs their location?
Today, however, location spoofing's main customers are bad actors.
After easy-to-access GPS spoofer apps got popular among Pokemon Go players, bad actors began realizing the policy abuse and fraud potential of these tools.
Location spoofing has a few advantages and use cases for fraudsters:
- Help with hiding their identity and making tracking more difficult
- Help circumventing security measures that rely on GPS or IP address
- In food delivery: access to better service areas + the ability to "fake" deliveries and get paid for work not done
- On P2P marketplaces: access to different areas to find new victims for scams or social engineering
- On dating apps: access to different areas to widen the net for romance scams
- On streaming services: accessing geo-restricted content, forcing the violation of contracts and copyright agreements the platform might have agreed to
These are just a few examples of the ways bad actors can use location spoofing to their advantage.
Most legacy fraud prevention systems leverage IP addresses or GPS coordinates as part of their risk decisioning engines. Spoofing enables these bad actors to bypass location checks commit fraud with less roadblocks—bad news for platforms relying on these legacy location solutions.
You can learn more about this topic in the podcast below where Andre Ferraz (CEO and Founder at Incognia) and Felipe Cerqueira (Head of Global Operations at Rappi) talk about location spoofing's primary user base.
Why is spoofing location useful?
Spoofing location allows bad actors to commit policy violations and fraud on digital platforms.
Many mobile apps, for example, leverage location signals by a user's mobile phone to detect a user's whereabouts and provide a better service. Some apps even rely on location to function, like food delivery apps, local dating apps, online marketplaces, etc.
Using location spoofing on these apps enables different types of abuse and allows fraudsters to conceal their identity more effectively.
Here's a quick example to help illustrate what this might look like:
Say a bad actor joins a ride sharing platform. He might use location spoofing to convince the app that he's in Manhattan, when he's actually in New Jersey. Rides in high-demand areas like Manhattan are often worth more, but they're outside of this bad actor's range where he lives in NJ. Using location spoofing, he can claim these rides, and even fake showing up to the pickup spot in order to claim a no-show fee from the rider, even though the driver was the real no-show.
This is only a single example of a policy abuse scenario that uses location spoofing, but it's far from the only use case bad actors have found for faking their device's location data.
Below are some examples of location spoofing scams in various industries.
Scams leveraging location spoofing in food delivery apps
Food delivery is one of the primary industries where location spoofing is used to violate policies and commit fraud.
There are various ways bad-intentioned individuals try to scam food delivery apps, and these scams can happen on both the consumer and courier sides. Specifically, couriers are using GPS spoofing apps on their mobile devices to fake their location and trick the food delivery driver app into allowing them to accept deliveries they otherwise would not have access to based on actual location.
A courier may also spoof their location to access unfair advantages or to commit the following types of fraud:
- Gaining priority in order queues
- Accepting deliveries from busy locations
- Charging for deliveries not made
- Reporting longer rides to earn more from the platform
Couriers might root / jailbreak / emulate their devices:
- to commit social engineering
- to “clean” them by wiping away identifiers of past fraudulent behavior
Policies are also abused on the consumer app, such as creating multiple accounts to commit promotion and coupon abuse.
Location spoofing tools are also leveraged by fraudsters trying to hide their actual location and commit various financial fraud types, such as:
- Testing stolen credit cards and using them to commit Card Not Present (CNP) fraud
- Users that request fraudulent chargebacks by falsely claiming food was never delivered
- Account takeover fraud
Fraud in gaming apps powered by location spoofing
In mobile skill games, one of the most widespread fraud schemes involving location spoofing is “collusion” between players: fraudsters use hundreds of mobile devices to collude, sharing cards and game information to defraud other players' mobile gaming apps.
Are location spoofing and GPS spoofing the same thing?
GPS spoofing is a form of location spoofing, but there are other forms of location spoofing aside from GPS spoofing. For instance, using a VPN to manipulate your IP region is another example of location spoofing—one that targets IP-based location instead of GPS.
Put simply, "location spoofing" is the umbrella term that GPS spoofing lives under. GPS spoofing is always location spoofing, but not all forms of location spoofing are targeted towards GPS specifically.
GPS spoofing changes the appearance of where a device is located by sending out false signals that override the real ones coming from satellites.
This falls under location spoofing, but measures to change one's IP address or any other device-level signals used for location can also be considered location spoofing.
How do bad actors spoof location?
VPNs and Proxies
Fraudsters and legitimate users use proxies and VPNs to hide their IP addresses through a remote computer connection.
A critical difference between a proxy and a VPN is that a proxy runs at the application level, while a VPN runs at the operating system level.
Most fraud prevention technologies use the IP address to locate the user’s device, but the use of VPNs and proxies can easily fool these types of fraud detection systems and thereby conceal the user’s true location.
GPS spoofing apps
After the boom of ride-sharing apps and location-based massively multiplayer online role-playing games (MMORPGs), GPS spoofing applications have become widely available. These apps enable gamers to fake their position for an unfair in-game advantage and enable fraudsters to fake their location and fool fraud detection systems.
Aside from gaming, GPS spoofing is leveraged in several other activities by bad actors trying to conceal their actual location.
Most fraud prevention technologies use the GPS location to locate the user’s device, but GPS spoofing apps can now fool these systems. Fraudsters don’t even need to root their devices or have super admin privileges to use spoofing apps. Bad actors can now spoof their GPS signals as easily as downloading an app to their device and activating it.
Emulators
An emulator is a standard tool developers use to test mobile applications from a computer without needing to deploy the app into a mobile device. Fraudsters also use emulators to manipulate application data. Geolocation data is one category that an emulator can easily manipulate. While instrumentation tools, such as Frida, a dynamic code instrumentation toolkit, are primarily used by testers and developers, fraudsters use the tool to fool fraud prevention systems.
App tampering
App tampering is the process of modifying the compiled code of an application. By inserting custom code into the source code of an application, bad actors can interrupt communication between the operating system and application to report fake locations.
What are the most common ways to fake GPS location?
There are several ways to fake GPS locations, but most involve using software or apps that allow you to change your phone's location. Here are a few standard methods:
1. Using a GPS spoofing app: There are many apps available for Android and iOS devices that allow you to change your phone's location. These apps work by sending fake GPS signals to your phone, which tricks it into thinking it is somewhere else.
2. Using a GPS emulator: Some GPS emulators allow you to simulate a specific location on your computer, which can then be transferred to your phone via a USB connection.
It's important to note that faking your GPS location is generally considered a violation of the terms of service for many apps and websites and can also be illegal in certain circumstances. Additionally, using these methods to fake your location can have unintended consequences, such as causing your phone to behave erratically or making it difficult to use certain features.
GPS (Global Positioning System) is a system of 30+ navigational satellites. Devices use their signals to pinpoint an exact location. But these signals need to travel 12,550 miles to reach a receiver antenna, meaning they tend to be weak. By using simple radio transmitters, it is possible to emit signals to GPS receivers - such as smartphones - which could easily be more robust and precise than satellite signals due to the shorter distance between the transmitter and receiver. The transmitter signal would replace the official GPS signal, and the receiver location could be faked. Most devices and navigational systems are designed to accept the strongest signal, meaning they ignore the genuine signal in favor of the counterfeit one. Nowadays, radio transmitters are cheap online, and GPS spoofing apps are vastly available for Android devices, even through the Play Store.
Why should companies detect GPS Spoofing?
GPS spoofing can be a problem for companies because it can lead to inaccurate location data, which can have severe consequences in specific industries. For example:
- Ridesharing and food delivery apps: These apps rely on location to function and to ensure Trust & Safety. Without reliable location, they become vulnerable to abuse, fraud, liability increases, and safety risks.
- Finance: Financial institutions may use location data to verify users' identities or prevent fraud. If this data is inaccurate, it could lead to security breaches or fraudulent activity.
- P2P marketplaces: Local online marketplaces use location to connect people with others in their area. If that information can be manipulated, users can't trust the marketplace, and scams become easier and more common.
- Dating apps: Dating apps are another example of a location-based app that sees serious safety concerns when location spoofing gets involved. Location spoofing could allow users to access profiles outside their range and misrepresent themselves to other users.
In general, detecting GPS spoofing is important for companies because it helps them ensure the accuracy and integrity of their location data, which is essential for many business processes.
GPS spoofing is a severe problem for companies, as it can lead to costly errors and losses due to inaccurate positioning data. Detecting GPS spoofing is essential because it can be used for various malicious activities.
Additionally, in the food delivery sector, location spoofing is linked to higher rates of incomplete or cancelled orders. GPS spoofing means a worse customer experience for an app's good users.
By spoofing their location, attackers can compromise sensitive accounts guarded by location as a security signal, convincing apps that they are connected from a legitimate source instead of a malicious one.
By detecting GPS spoofing, companies can enhance security and prevent malicious actors from fooling their controls. Companies should ensure they have sufficient security measures to detect any attempts at GPS spoofing before it becomes too late.
How to detect fake GPS location?
There are several ways that fake GPS locations can be detected:
-
Using multiple sources of location data: By cross-referencing location data from multiple sources, such as GPS, Wi-Fi, and cell tower triangulation, it can be easier to detect fake GPS locations.
-
Analyzing location data patterns: Abnormal patterns in location data, such as sudden jumps in location or unrealistic speeds, can indicate that the data is fake.
-
Comparing location data to known landmarks: Comparing the location data to known landmarks, such as buildings or roads, can help verify its accuracy.
-
Using a GPS simulator: Some can test for fake GPS locations by simulating different locations and comparing the resulting data to what is expected.
-
Using specialized software: There are also specialized software tools available that can detect fake GPS locations by analyzing various aspects of the data, such as the strength and quality of the GPS signal.
It's important to note that detecting fake GPS locations can be challenging and may require combining these methods. Additionally, it's important to remember that the methods used to detect fake GPS locations may vary depending on the specific use case and the available resources.
While detecting fake GPS locations can sometimes require specialized tools and technologies, the most effective way to detect if the holder of a mobile device is faking a GPS signal is by detecting the installation of a GPS spoofing app.
Many companies try to check for the installation of GPS spoofing apps, but it takes effort to keep up with novelties from fraudsters' creativity. Also, aside from GPS spoofing, it is essential to check for many other possible forms of location spoofing.
How does Incognia detect location spoofing?
Incognia analyzes the integrity of each device to determine whether it is manipulating the data provided to the client-side application. Devices that are rooted or jailbroken, running a GPS spoofing application, or being emulated pose a significant security risk to the trust and safety of a digital community.
The user engages with the app
Whether the user is opening an account, entering a mobile game, or cashing out their winnings, Incognia detects device integrity anomalies.
The device is evaluated
Incognia checks whether the device has been tampered with, has location spoofing enabled, or is running on an emulator.
Incognia assesses risk
Interactions with devices that have been tampered with or are manipulating the data they pass to the client app will be flagged as risky by Incognia.
Given the easy access to location spoofing techniques and the increasing usage of fintech and e-commerce apps, it’s time for companies to upgrade fraud detection based on GPS or IP location. Today, fraudsters fool fraud detection systems by relying only on GPS or IP addresses for location-based risk assessments. Incognia location technology uses network signals, including GPS, Cellular, Wi-Fi and Bluetooth, and motion sensors, to provide highly accurate location behavior intelligence that is extremely difficult to spoof. Using the location sensor data from the device, Incognia uses several key location behavior concepts as the basis for Incognia’s location identity, which makes it extremely difficult for fraudsters to fake their location and go undetected. Combined, these location concepts establish trusted locations and location patterns for users that are part of Incognia’s risk assessments.
What makes Incognia better at detecting GPS spoofing?
Understand how Incognia geolocation technology works
To use Incognia location technology for fraud detection and location spoofing detection within a mobile app, Incognia is deployed as a lightweight SDK and APIs that deliver a risk assessment with detailed evidence. Users of the app must also enable location permissions on their devices. In the network of 100 million devices with Incognia deployed, we see very high rates of users opt-in for using location permissions for fraud prevention.
Best practices on messaging for location permission show that when the description of why the location is used is clear and provides direct value to the user, opt-in rates are high. The acceptance percentage will be smaller if the permission request is hidden or linked to a feature that does not give real value. Incognia detects location points and collects location data solely to protect the user and prevent fraud.
Location Environments
Each location has a unique signature of GPS coordinates and available WiFi, Bluetooth, and cellular network signals. Incognia maps and correlates these signatures to create unique environments and uses this information to identify a device's location with high precision and accuracy, even indoors.
Location Fingerprint
Each user has a unique location behavior pattern, like a location fingerprint, that comprises frequently visited locations specific to that user. As the user moves location, this location fingerprint is constantly changing and updating, making it extremely difficult to mimic or forge.
Trusted Locations
The highly frequented locations by the user and device are classified as the user’s trusted locations. When Incognia detects that a user is in a trusted location, there is a higher probability of the transaction being legitimate and a lower risk for fraud.
Location Detection
Incognia uses geofencing and activity recognition techniques to detect if a device has significantly displaced its position. By scanning Wi-Fi and Bluetooth signals, Incognia can detect displacements in position and confirm that the device is at a different location or returning to an already mapped location without pulling GPS coordinates every time. This technique also minimizes battery consumption on the device to 0.5% in 24 hours.
Behavior Watchlist
Incognia location technology is deployed in over 100 million devices providing a powerful network effect. Devices and locations associated with fraud or suspicious behaviors are added to the Incognia Behavior Watchlist. As a customer of Incognia, any device or location on the watchlist will be indicated in the evidence list. This information will be used in the risk assessment.