Securing the Digital World

Five Mobile Apps in Every Cybercriminal’s Toolbox

Oct 03, 2017 | by Heidi Bleau

Keeping up with the latest technology trends is par for the course when it comes to cybercriminals. With nearly half of all transactions originating from a mobile device last year, it is no surprise to see cybercriminals flocking to take advantage of this rapidly growing channel.

Cybercriminals are also consumers, just like you and me, and they relish the user-friendly nature of mobile interfaces. But whereas most consumers seek out the mobile channel for its convenience, cybercriminals are looking to take advantage of the weaker security measures present in the mobile versions of most websites. In addition, certain mobile applications enable unique features that are not available on standard websites.

Based on conversations among cybercriminals, RSA FraudAction researchers sampled numerous mobile apps to understand how they are being used to commit fraud. Most of the apps that were tested are available in popular mobile app stores, such as Google Play, and are completely legitimate apps that are being abused for fraudulent purposes. There are also illegitimate apps that have been developed by fraudsters and made available in popular app stores; they are often removed quickly, but remain widely available for download in the underground.

National Cybersecurity Awareness Month is upon us, and consumers can expect to be indulged with best practices on how to maintain privacy in their digital lives throughout the month. Cybercriminals also strive to keep their privacy as they perform their nefarious activity. With that in mind, I present the top five mobile apps that can be found in every cybercriminal's arsenal of digital weapons.


Orbot

Orbot allows its users to hide all Internet activity, including that of other apps, behind a Tor proxy. Cybercriminals use this app to increase their anonymity and to access underground forums and marketplaces. Below is an example of a comment from an underground forum showing a cybercriminal recommending Orbot to his peers.



SuperVPN

SuperVPN provides a free VPN client which adds a layer of anonymity for cybercriminals to hide their IP address when committing fraud.


ProxyDroid

ProxyDroid helps set proxies (HTTP, SOCKS4 and SOCKS5) on Android devices and is frequently mentioned in fraud groups on Facebook and underground forums. The following example shows a cybercriminal searching for advice on ProxyDroid in a Facebook carding group.


Device Id IMEI Changer Xposed

Device Id IMEI Changer Xposed enables cybercriminals to change the value of IMEI, Android ID, Serial Number, WiFi MAC Address and the service set identifier (SSID) of the current WiFi network in order to mimic the device of their victims.

Fake GPS Location

Fake GPS Location allows setting up a fake GPS location which is recognized by all other apps on the device. The app is used by cybercriminals to match their geo-location to that of their victims.

Anti Detect

Anti Detect is a mobile and PC browser that is widely used in the fraud community for activities such as carding and fraudulent bank transfers. This paid app offers multiple anonymity layers, allowing cybercriminals to substitute the use of RDPs and proxies. RSA's investigation showed that this app was previously available on Google Play; however, it has since been removed.

Cybercrime is no longer reserved for the deep, dark corners of the Internet. Cybercriminals have moved their activity into the mainstream by leveraging legitimate services and platforms to conduct their fraudulent business. They can be widely found on popular social media sites communicating and selling stolen goods. Now, increasingly, they are leveraging the availability of legitimate apps to commit fraud.

It is critical for organizations to stay aware of the mobile threat capabilities that cybercriminals have developed as they look to extend new services and functionality to their legitimate customers through the mobile channel.
