Security teams should combine app telemetry, device posture, and behavioural signals rather than relying on login success alone. Look for overlay activity, remote-control patterns, unusual touch behaviour, and suspicious accessibility service use. The goal is to detect when a legitimate session is being operated by malware rather than by the enrolled user.
Why This Matters for Security Teams
When the device is compromised, mobile fraud is no longer just an identity problem. A valid login can be executed by malware, by an attacker in a remote-control session, or by an accessibility abuse chain that never reproduces the user's normal behaviour. That is why device trust, app integrity, and behavioural telemetry have to be evaluated together. NHI Mgmt Group notes in the Ultimate Guide to NHIs — Why NHI Security Matters Now that 79% of organisations have experienced secrets leaks, with 77% of those causing tangible damage; the broader lesson is that fraud often begins with a compromised execution path, not with a stolen password.
This also aligns with NIST Cybersecurity Framework 2.0, which pushes teams to detect and respond using continuous signals rather than static trust decisions. For mobile fraud, the practical risk is that authentication can succeed even when session control has already been lost. In practice, many security teams discover compromised-device fraud only after account takeover, payment abuse, or mule activity has already moved through an otherwise legitimate session.
How It Works in Practice
The strongest approach is layered detection. Start with app telemetry that can distinguish normal human interaction from automated or intercepted use. Then add device posture, such as jailbreak or root indicators, emulator signals, OS integrity checks, and signs that the device has been tampered with. Finally, combine those with behavioural signals that are difficult for malware to mimic consistently, including touch cadence, navigation timing, keystroke rhythm, and session path anomalies.
Security teams should also watch for indicators that the user interface is being mediated by something other than the user. Common examples include overlay activity, hidden screen capture, suspicious accessibility service use, repeated foreground changes, remote-assistance patterns, and abrupt context switches between apps. None of these is definitive on its own, which is why current guidance favours risk scoring over single-signal blocking. The 52 NHI Breaches Analysis shows how compromised identities often evade notice when defenders rely on one control layer instead of correlated evidence.
- Score the session continuously, not only at login.
- Treat accessibility service abuse and overlay detection as high-signal fraud indicators.
- Use device attestation where available, but do not assume attestation alone proves user presence.
- Correlate app, network, and device events before triggering step-up or blocking.
- Separate low-risk browsing from high-risk actions such as payout, enrolment, or credential changes.
For implementation maturity, teams can compare their telemetry strategy with the NHI Lifecycle Management Guide, because the same principle applies: trust should be issued, monitored, and withdrawn based on observed state, not assumption. These controls tend to break down when legacy mobile apps cannot observe accessibility abuse, or when fraud tooling operates at the device layer beneath the app's visibility.
Common Variations and Edge Cases
Tighter fraud controls often increase user friction and operational cost, so teams have to balance false positives against the damage caused by missed compromise. That tradeoff becomes especially important for high-value transactions, where a cautious challenge can be justified, but broad blocking can disrupt legitimate users and create support burden.
There is no universal standard for this yet, but best practice is evolving toward adaptive policies. For example, a rooted device with clean behaviour may warrant monitoring, while a normal-looking device showing overlay and accessibility anomalies may deserve immediate step-up verification or session termination. Teams should also be careful with managed devices, where enterprise controls can mask local compromise, and with fraud farms that use emulators, cloned devices, or relay attacks to produce plausible-looking signals.
The Top 10 NHI Issues is useful here because it reinforces a broader lesson: visibility gaps are usually the real problem, not just weak authentication. For additional context on attack evolution, the Anthropic report on AI-orchestrated cyber espionage shows how automation can scale abuse patterns faster than manual review can react. Current guidance suggests tuning rules by transaction risk, device trust, and user history rather than using a single compromised-device threshold for every flow.
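The layered scoring described under How It Works in Practice, and the adaptive policy above (a rooted device with clean behaviour is monitored, a normal-looking device with overlay and accessibility anomalies is challenged or terminated, and the threshold moves with the risk of the action), can be expressed as one continuous risk model. The following is an added example written for this page, not code from any product or from the referenced guides. The signal names, weights, action risk values, and the telemetry event stream are all constructed assumptions; a real deployment would take them from the app SDK and tune the weights against labelled fraud cases.

```python
"""Continuous session risk scoring over correlated mobile telemetry (added example)."""
from dataclasses import dataclass, field

# Constructed signal vocabulary and weights (assumption: the app SDK reports
# these names; real deployments tune weights from labelled fraud cases).
DEVICE_POSTURE = {"root_or_jailbreak": 25, "emulator": 30, "integrity_failed": 30}
UI_MEDIATION = {"overlay_detected": 40, "accessibility_service_unknown": 45,
                "hidden_screen_capture": 35, "remote_control_pattern": 50}
BEHAVIOUR = {"touch_cadence_anomaly": 20, "navigation_timing_anomaly": 15,
             "keystroke_rhythm_anomaly": 20, "session_path_anomaly": 15}
WEIGHTS = {**DEVICE_POSTURE, **UI_MEDIATION, **BEHAVIOUR}

# Risk added by the action being attempted, so low-risk browsing and
# high-risk payouts are never judged against the same threshold.
ACTION_RISK = {"browse": 0, "login": 10, "transfer": 30,
               "payout": 50, "enrol": 50, "credential_change": 50}


@dataclass
class Session:
    session_id: str
    attested: bool = False                    # device attestation passed
    signals: set = field(default_factory=set)  # signals seen so far
    decisions: list = field(default_factory=list)


def score(session: Session, action: str) -> int:
    """Risk of performing `action` in this session, given everything seen so far."""
    base = sum(WEIGHTS.get(s, 0) for s in session.signals)
    ui = {s for s in session.signals if s in UI_MEDIATION}
    beh = {s for s in session.signals if s in BEHAVIOUR}
    # Correlated evidence: something mediating the UI plus behaviour that no
    # longer looks human is far stronger than either family of signals alone.
    if ui and beh:
        base += 30
    # Attestation lowers device-posture risk but says nothing about who is
    # driving the UI, so it never offsets UI-mediation signals.
    if session.attested and not ui:
        base = max(0, base - 10)
    return base + ACTION_RISK.get(action, 30)


def decide(risk: int) -> str:
    """Map a risk score to an adaptive response (thresholds are assumptions)."""
    if risk < 20:
        return "allow"
    if risk < 60:
        return "monitor"
    if risk < 100:
        return "step_up"
    return "terminate"


def process(events):
    """Fold a telemetry stream into sessions, re-scoring at every action."""
    sessions = {}
    for ev in events:
        s = sessions.setdefault(ev["session"], Session(ev["session"]))
        if ev["type"] == "attestation":
            s.attested = ev["ok"]
        elif ev["type"] == "signal":
            s.signals.add(ev["name"])
        elif ev["type"] == "action":
            risk = score(s, ev["action"])
            s.decisions.append((ev["action"], risk, decide(risk)))
    return sessions


# Constructed telemetry stream. s1: rooted but clean behaviour. s2: attested
# device whose session is later taken over by an overlay and an accessibility
# service. s3: emulator with non-human typing attempting a transfer.
SAMPLE_EVENTS = [
    {"session": "s1", "type": "signal", "name": "root_or_jailbreak"},
    {"session": "s1", "type": "action", "action": "browse"},
    {"session": "s1", "type": "action", "action": "login"},
    {"session": "s2", "type": "attestation", "ok": True},
    {"session": "s2", "type": "action", "action": "login"},
    {"session": "s2", "type": "signal", "name": "overlay_detected"},
    {"session": "s2", "type": "signal", "name": "accessibility_service_unknown"},
    {"session": "s2", "type": "action", "action": "browse"},
    {"session": "s2", "type": "signal", "name": "touch_cadence_anomaly"},
    {"session": "s2", "type": "action", "action": "payout"},
    {"session": "s3", "type": "signal", "name": "emulator"},
    {"session": "s3", "type": "signal", "name": "keystroke_rhythm_anomaly"},
    {"session": "s3", "type": "action", "action": "transfer"},
]

if __name__ == "__main__":
    for sid, sess in process(SAMPLE_EVENTS).items():
        for action, risk, outcome in sess.decisions:
            print(f"{sid} {action:<9} risk={risk:<4} -> {outcome}")
```

Note what the stream shows: s2 passes attestation and logs in with a clean score, then loses session control after login; because the score is recomputed at every action rather than only at login, the payout is terminated even though the authentication was valid. s1 is monitored, not blocked, because a root indicator with clean behaviour is ambiguous, and the same rooted device with a passing attestation would be allowed to browse.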
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control expectations practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM-1 | Continuous monitoring is needed to spot compromised-device fraud signals. |
| NIST AI RMF | Core functions (Govern, Map, Measure, Manage) | Risk-based decisioning fits adaptive fraud detection under uncertainty. |
| OWASP Non-Human Identity Top 10 | NHI7 (Long-Lived Secrets) | Short-lived secrets reduce damage when a device session is hijacked. |
Instrument mobile sessions with ongoing telemetry and alert on suspicious posture or behavior shifts.