June 9, 2026

Real Examples of How Bad Actors Weaponize Mobile OS to Hack Your App

Every feature that makes a mobile app useful—from cameras and biometrics to GPS and NFC—can also become an attack vector. In a recent webinar, Guardsquare Security Researcher Jan Seredynski demonstrated how threat actors are actively weaponizing these capabilities to commit fraud, hijack accounts, and bypass trust mechanisms at scale.

The exploding mobile landscape: Why the stakes are higher than ever

Mobile applications aren’t just a convenient addition to business; they are increasingly the primary driver of revenue across major industries:

Because mobile applications are built by developers but run on devices entirely controlled by end-users, they are inherently exposed to a double-sided threat model. On one hand, a malicious user may tamper with the app on their own device to bypass restrictions. On the other hand, a legitimate user might inadvertently download malware that quietly targets benign apps running alongside it.

Here are the five features attackers actively manipulate to achieve those goals:

1. Camera and biometrics: The rise of "face spoofing"

Mobile applications frequently rely on biometrics and camera verification for high-stakes user onboarding and fraud prevention. For instance, ride-sharing and food delivery platforms require drivers to upload documentation (IDs, driving licenses) and clear daily selfie verifications to ensure the operator actually matches the registered account holder.

The incident

A highly organized black market has emerged where banned operators—individuals who lost their licenses due to safety violations, accidents, or expired work visas—rent fully registered accounts from other users or hacking groups for around $15 a month.

To bypass the daily selfie checkpoints, attackers developed a technique to tamper with and repackage the legitimate apps. Instead of pulling a live feed from the physical camera lenses, the modified app intercepts the process and injects a static, pre-recorded video of the legitimate user's face directly from the device's disk.

The impact

This simple camera feed replacement effectively neutralized biometrics verification. Attackers packaged this cheat into altered apps and successfully commercialized it on Telegram channels for roughly $11 a month.

2. GPS location: Automated teleportation exploits

GPS is central to delivery logistics, regional pricing, and location-based gaming. While GPS spoofing was widely popularized years ago by players "teleporting" in games like Pokémon Go, the corporate risk today is highly financial.

The incident

Using the same repackaged delivery application variants sold on Telegram, delivery drivers utilize fake GPS overlays to game automated dispatch algorithms. When order volume drops, dispatcher algorithms naturally assign food pickups to the delivery drivers physically closest to the restaurant.

Drivers use the cheat to "teleport" directly inside high-volume shopping malls or restaurants, maintaining an apparent distance of 0 meters.

The impact

By virtually occupying the restaurant, the algorithmic dispatch favors the cheating driver every time. The driver can wait comfortably blocks away until the cooking time has elapsed, maximizing their hourly payout while completely skewing the platform's logistics and fairness metrics.

3. Accessibility services: Full UI control for malware

Accessibility services are incredibly powerful Android OS utilities designed to assist users with disabilities by reading screen content aloud and interacting with UI elements on their behalf. However, if an administrative permission of this magnitude falls into the wrong hands, the security implications are catastrophic.

The incident

Attackers trick users into granting accessibility permissions to seemingly benign applications (such as a utility calculator or a compromised keyboard tool). Once active, malicious apps utilize these capabilities to continuously monitor the screen, function as a keylogger, and actively execute actions.

During a live presentation demo, Jan demonstrated how malware on a completely unrooted device targets a banking application. The moment a user logs into their account, the accessibility-powered malware captures the layout, automatically navigates to the payment screen, alters the recipient account number, types the transfer amount, enters the passcode, and fires off an unauthorized transaction — all in under 3 seconds.

The impact

Because the malware moves faster than human reaction time, users are completely powerless to stop the fund exfiltration once the app is open. This style of automated attack has proven highly pervasive, particularly across financial sectors in South America.

4. Unique user experience: Activity injection attacks

Mobile platforms are designed around a focused user experience: generally, only one application is visible on screen at any given time. This design creates a profound element of trust—users implicitly assume that whatever UI they see belongs to the application they intentionally opened.

The incident

Attackers break this core assumption using a technique called Activity Injection. When a user opens a legitimate e-commerce or banking app and proceeds to a checkout or sensitive login screen, a piece of background malware detects this event (often leveraging accessibility alerts) and instantly forces its own malicious window to pop up directly on top.

To make matters worse, these malicious apps are dynamic. Upon installation, the malware inventories every app present on the victim's device (e.g., Amazon, Shopee, banking utilities) and pings its command-and-control server. The server responds with exact HTML/CSS design templates matching the target apps.

The impact

The overlay UI is seamlessly stylized to mimic the original application's branding, color palette, and input boxes. A typical user has absolutely no visual indicator that they have transitioned out of their trusted app, leading them to willingly hand over payment details and credentials directly to the attacker.

5. Near Field Communication (NFC): Signal relay fraud

NFC is widely trusted for contactless mobile payments and mobile identity verification. Many high-security banking apps require users to tap their physical credit card against the back of their phone's NFC chip as a secure second form of authentication.

The incident

By pairing an Activity Injection exploit with an active network connection, threat actors can execute an advanced NFC Signal Relay Attack.

First, a deceptive overlay screen tricks the victim into thinking they’ve been logged out and must tap their physical payment card to re-verify. When the victim places their card against their device, a malicious background app captures the raw NFC signals and relays them in real-time over the internet to a second attacker device physically stationed at a retail terminal or payment checkout anywhere else in the world.

The impact

Jan’s live validation proved that despite any network latency, the relayed credential data could successfully authorize and process checkout transactions at point-of-sale terminals. The victim believes they are simply verifying their account, while their card is actively being swiped thousands of miles away.

Quantifying the threat: The reality of scale

While these attack scenarios may sound niche, telemetry suggests they are far from isolated incidents. Using data from apps protected by Guardsquare, we tested 80 million unique devices over a 180-day period, and the scale of exploitation becomes clear:

| Threat Category | Device Percentage | Affected Device Count | Attacker Objective |
|---|---|---|---|
| Modified Applications | 0.2% | 160,000 devices | Unlocking premium features for free, spoofing camera feeds, or bundling custom keyloggers. |
| Malicious App Interactivity | 0.3% | 240,000 devices | Exploiting accessibility services or orchestrating activity injection overlays. |

Even seemingly small percentages translate into hundreds of thousands of compromised devices operating in production environments.

Proactive defense: Shifting security server-side

Jan’s examples illustrate a fundamental reality of mobile app security: attackers don’t need to break iOS or Android to compromise your application. They only need to manipulate the trust assumptions your app makes about the environment in which it runs.

As mobile apps become increasingly central to banking, commerce, transportation, and digital identity, organizations must move beyond the assumption that platform security alone is sufficient. Effective mobile security requires continuous validation that the app, device, and runtime environment can be trusted before sensitive actions are allowed to proceed.

When you can’t trust the operating environment, it’s important to move beyond basic client-side app hardening toward a more comprehensive, multi-layered approach:

  • Mitigate accessibility vulnerabilities: Build internal detection mechanisms capable of auditing active accessibility services running on the smartphone. If an unverified or suspicious accessibility service is running, apps should dynamically restrict data entry or block high-risk transaction modules.
  • Ensure APIs are protected: Don't rely solely on the device to declare that it is safe. Leverage server-side validation capabilities (like mobile app attestation) to verify that the app communicating with your backend APIs is genuine, unmodified, and free of runtime hooks.
  • Leverage established frameworks: Avoid inventing proprietary security standards. Refer to open security documentation like the OWASP Mobile Application Security (MAS) project for standardized, open-source testing blueprints, threat verification code, and defensive architectures.
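As an added example (not from the webinar or from Guardsquare's products), here is an Android audit routine in Kotlin for the first bullet: it enumerates the accessibility services currently enabled on the device, allowlists known assistive technology, and flags any other service that holds the capabilities the banking attack described above depends on (reading window content plus driving the UI or watching text input). The allowlist package names, `KNOWN_ASSISTIVE_PACKAGES` and `AccessibilityRisk` are assumptions for illustration.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.view.accessibility.AccessibilityEvent
import android.view.accessibility.AccessibilityManager

// Illustrative allowlist of vetted assistive services (assumption: replace with
// the packages your own app-security review has verified).
private val KNOWN_ASSISTIVE_PACKAGES = setOf(
    "com.google.android.marvin.talkback",          // Google TalkBack
    "com.samsung.android.accessibility.talkback",  // Samsung TalkBack
)

// Result handed to the app's high-risk flows (payment, transfer, login).
data class AccessibilityRisk(val suspiciousServices: List<String>) {
    val shouldBlockSensitiveFlows: Boolean get() = suspiciousServices.isNotEmpty()
}

// Lists every enabled accessibility service and keeps the ones that are not
// allowlisted yet can both read screen content (screen scraping / keylogging)
// and either perform gestures (drive the UI) or observe text changes.
fun auditAccessibilityServices(context: Context): AccessibilityRisk {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    val enabled = am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)

    val suspicious = enabled.filter { info ->
        // A service whose package cannot be resolved is of unknown origin: treat as suspicious.
        val pkg = info.resolveInfo?.serviceInfo?.packageName ?: return@filter true
        if (pkg in KNOWN_ASSISTIVE_PACKAGES) return@filter false

        val caps = info.capabilities
        val canReadContent =
            (caps and AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0
        val canPerformGestures =
            (caps and AccessibilityServiceInfo.CAPABILITY_CAN_PERFORM_GESTURES) != 0
        val watchesTextInput =
            (info.eventTypes and AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED) != 0
        canReadContent && (canPerformGestures || watchesTextInput)
    }.map { it.id }  // flattened "package/.ServiceClass" identifiers

    return AccessibilityRisk(suspicious)
}

// Usage (assumption: called in onResume() of the payment or transfer screen):
//   val risk = auditAccessibilityServices(applicationContext)
//   if (risk.shouldBlockSensitiveFlows) {
//       // disable input fields / show a "transaction unavailable" screen
//       // and report risk.suspiciousServices to the backend for attestation
//   }
```

Legitimate tools such as password managers or voice-control apps request the same capabilities, so treat the result as a risk signal to combine with server-side attestation rather than a verdict on its own.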

To learn more about how Guardsquare provides mobile app security solutions across the SDLC, contact us here.
