By NHI Mgmt Group Editorial Team
Published 2026-06-10
Domain: Governance & Risk
Source: OneSpan

TL;DR: Mobile threats increasingly use the device itself, not just the app, to drive fraud in real time through Android malware, accessibility-service abuse, NFC relay attacks, and socially engineered installs, according to OneSpan and ThreatFabric. The governance challenge is visibility inside trusted sessions, where abnormal behaviour can look like normal user activity until money or credentials move.


At a glance

What this is: An analysis of how mobile malware and fraud now operate through legitimate device and app sessions, with attackers using Android platform features, remote control, and NFC relay methods to act in real time.

Why it matters: IAM, PAM, and fraud teams increasingly need behavioural visibility across device, app, and identity signals, not just authentication outcomes.



Context

Mobile threats increasingly work by influencing a trusted device or session rather than defeating a single control outright. In identity terms, that means the attack surface includes the handset, the app, the user interaction model, and the session context all at once.

The article’s central point is that fraud is moving into the space between authentication and action. For practitioners managing human identity, mobile banking, and customer verification, the issue is no longer only whether a login succeeded, but whether the device that produced the session is still trustworthy.


Key questions

Q: How should teams detect mobile fraud when the device itself is compromised?

A: They should combine app telemetry, device posture, and behavioural signals rather than relying on login success alone. Look for overlay activity, remote control patterns, unusual touch behaviour, and suspicious accessibility service use. The goal is to detect when a legitimate session is being operated by malware, not by the enrolled user.

Q: Why do compromised phones create more risk than simple credential theft?

A: A compromised phone can execute actions inside a live trusted session, which lets attackers move from stolen credentials to real-time transaction control. That expands risk from account access to fraud execution, data theft, and payment manipulation. In practice, the device becomes part of the identity control plane.

Q: What do security teams get wrong about mobile malware and identity risk?

A: They often stop at authentication and overlook what happens after login. Mobile malware can abuse legitimate OS features, manipulate the user interface, and complete actions invisibly. That means the real control problem is not only proving identity, but continuously validating the session and the device behind it.

Q: Who is accountable when a compromised mobile device completes a fraudulent transaction?

A: Accountability usually spans fraud operations, IAM, mobile security, and the business owner of the transaction flow. If the programme treats device integrity as outside identity governance, the control gap is structural. Teams should define ownership for post-authentication session trust before fraud patterns force the issue.


Technical breakdown

Android malware and accessibility abuse

Android malware often relies on legitimate platform features instead of application flaws. An accessibility service can read screen content and capture user input, perform taps and gestures on the attacker's behalf, and, combined with an overlay permission, draw fake interfaces over legitimate apps. That makes the malware harder to spot because it behaves through normal OS permissions and expected device workflows. Once remote command-and-control is established, the attacker can alter behaviour in real time, turning the infected phone into an active fraud instrument rather than a passive data source.

Practical implication: mobile risk teams need controls that detect misuse of trusted OS features, not just app-layer anomalies.

Remote device takeover and live transaction control

Device takeover moves the threat from credential theft to operational fraud. Instead of stealing a password and leaving, the attacker uses remote control to open apps, navigate screens, and complete transactions while the victim remains unaware. Because the activity occurs inside a legitimate session, traditional fraud checks can miss the attack if they only examine login success, device reputation, or IP reputation in isolation. The decisive issue is whether the actor controlling the session is still the legitimate user.

Practical implication: session telemetry and behavioural analytics should be evaluated alongside authentication and transaction controls.
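The two sections above say that login success, device reputation and IP reputation in isolation miss a session that malware is operating. The block below is an added example, not code from OneSpan or NHI Mgmt Group, of what "evaluating session telemetry alongside authentication and transaction controls" can look like on the backend: a risk scorer over constructed app telemetry (enabled accessibility services, obscured-touch overlay detection, remote-control indicators, touch cadence, sideloading) that decides whether a transaction is allowed, stepped up or blocked. The field names, allowlist, weights and thresholds are assumptions; the one design point worth copying is that step-up goes out-of-band, because an in-app prompt on a malware-operated phone can be approved by the malware.

```python
"""Post-authentication session risk scoring over constructed mobile telemetry.

Added example, not code from OneSpan or NHI Mgmt Group. Field names,
allowlist, weights and thresholds are assumptions made for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class SessionTelemetry:
    session_id: str
    enabled_accessibility_services: list  # service ids the app saw enabled on the device
    overlay_detected: bool                # app received touches flagged as obscured by another window
    remote_control_indicators: list       # e.g. screen projection active while the app is in foreground
    touch_intervals_ms: list              # gaps between successive touches in the flow
    sideloaded: bool                      # installing package was not a recognised app store
    amount: float                         # transaction amount being authorised
    new_payee: bool                       # payee not seen before for this customer


# Accessibility services the organisation has reviewed and accepts (assumed allowlist).
KNOWN_GOOD_A11Y = {
    "com.google.android.marvin.talkback/.TalkBackService",
    "com.android.switchaccess.SwitchAccessService",
}


def touch_cadence_anomaly(intervals_ms):
    """Score how machine-like the input timing looks.

    Scripted input from an accessibility service or a remote operator is far
    more regular than human tapping. Returns 1.0 for near-constant intervals,
    0.5 for suspiciously regular ones, else 0.0 (thresholds are assumptions).
    """
    if len(intervals_ms) < 5:
        return 0.0  # too little data to judge; do not penalise
    m = mean(intervals_ms)
    cv = pstdev(intervals_ms) / m if m else 0.0
    if cv < 0.05:
        return 1.0
    if cv < 0.2:
        return 0.5
    return 0.0


def score_session(t):
    """Return (score, reasons); higher means more likely malware-operated."""
    score, reasons = 0, []
    unknown = [s for s in t.enabled_accessibility_services if s not in KNOWN_GOOD_A11Y]
    if unknown:
        score += 30
        reasons.append(f"unreviewed accessibility service(s): {unknown}")
    if t.overlay_detected:
        score += 25
        reasons.append("touches delivered through an obscuring overlay")
    if t.remote_control_indicators:
        score += 30
        reasons.append(f"remote-control indicators: {t.remote_control_indicators}")
    cadence = touch_cadence_anomaly(t.touch_intervals_ms)
    if cadence >= 1.0:
        score += 20
        reasons.append("machine-regular touch cadence")
    elif cadence >= 0.5:
        score += 10
        reasons.append("unusually regular touch cadence")
    if t.sideloaded:
        score += 15
        reasons.append("app installed outside a recognised store")
    return score, reasons


def decide(t, score):
    """Map risk plus transaction context to an action.

    Step-up is out-of-band on purpose (call-back, second registered device):
    an in-app prompt on a malware-operated phone can be approved by the malware.
    """
    if score >= 60:
        return "block"
    if score >= 30 or (t.new_payee and t.amount >= 1000):
        return "step_up_out_of_band"
    return "allow"


# Constructed sample sessions, not real telemetry.
BENIGN = SessionTelemetry(
    "s-001", ["com.google.android.marvin.talkback/.TalkBackService"], False, [],
    [310, 540, 220, 890, 415, 700], False, 50.0, False)
BENIGN_NEW_PAYEE = SessionTelemetry(
    "s-002", [], False, [], [310, 540, 220, 890, 415, 700], False, 2500.0, True)
OPERATED = SessionTelemetry(
    "s-003", ["com.example.helper/.AccessService"], True, ["media_projection_active"],
    [120, 121, 119, 120, 120, 121], True, 2500.0, True)

if __name__ == "__main__":
    for s in (BENIGN, BENIGN_NEW_PAYEE, OPERATED):
        score, reasons = score_session(s)
        print(s.session_id, score, decide(s, score), reasons)
```

Run as-is, the benign session is allowed, the benign session paying a new payee is stepped up purely on transaction context, and the operated session scores 120 and is blocked. The signals are the ones the app can actually observe and report; what the backend must not do is treat a successful in-app step-up from that same handset as proof that the enrolled user is the one tapping.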

NFC relay abuse and payment channel manipulation

Near-field communication attacks use a compromised or controlled device as a relay path for contactless transactions. The victim is manipulated into placing a card and phone in the right position, after which card data can be transmitted in real time to another device for payment, ATM cash-out, or wallet provisioning. This is not just card skimming. It is the abuse of a trusted payment channel through a manipulated endpoint and a live relay sequence.

Practical implication: payment controls should monitor for relay-like interaction patterns and suspicious wallet provisioning behaviour.
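The relay pattern above leaves issuer-side traces even when the EMV exchange itself looks valid: the card appears "present" in two places almost at once, several card-present events arrive in a burst, and a wallet is provisioned on a handset the cardholder has never used minutes after a tap. The block below is an added example, not code from OneSpan or NHI Mgmt Group, that runs those three checks over a constructed event stream; the event schema, thresholds, known-device map and sample events are assumptions. Terminal-side relay resistance based on response timing exists in some EMV contactless kernels, but the signals named in the text are issuer-side, which is what this shows.

```python
"""Relay-pattern detection over a constructed contactless event stream.

Added example, not code from OneSpan or NHI Mgmt Group. Event schema,
thresholds, known-device map and sample events are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

CARD_PRESENT = {"contactless_purchase", "atm_withdrawal"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    card: str        # tokenised card reference, never the PAN itself
    kind: str        # contactless_purchase | atm_withdrawal | wallet_provision
    lat: float
    lon: float
    endpoint: str    # terminal id, or enrolling device id for wallet_provision


@dataclass(frozen=True)
class Alert:
    card: str
    rule: str
    detail: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two coordinates."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def by_card(events):
    groups = {}
    for e in sorted(events, key=lambda e: e.ts):
        groups.setdefault(e.card, []).append(e)
    return groups


def impossible_travel(events, max_kmh=900.0):
    """Consecutive card-present events on one card implying travel faster than max_kmh:
    a relayed tap makes the card 'present' in two places almost at once."""
    alerts = []
    for card, evs in by_card(events).items():
        present = [e for e in evs if e.kind in CARD_PRESENT]
        for a, b in zip(present, present[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            hours = (b.ts - a.ts).total_seconds() / 3600
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                alerts.append(Alert(card, "impossible_travel",
                                    f"{km:.0f} km from {a.endpoint} to {b.endpoint} in {hours * 60:.1f} min"))
    return alerts


def burst(events, window_s=300, max_events=2):
    """More than max_events card-present events on one card inside window_s seconds."""
    alerts = []
    for card, evs in by_card(events).items():
        present = [e for e in evs if e.kind in CARD_PRESENT]
        for i, first in enumerate(present):
            in_window = [e for e in present[i:] if (e.ts - first.ts).total_seconds() <= window_s]
            if len(in_window) > max_events:
                alerts.append(Alert(card, "burst", f"{len(in_window)} card-present events within {window_s}s"))
                break
    return alerts


def provisioning_after_tap(events, known_devices, window_s=600):
    """Wallet provisioning from a device the cardholder has never used shortly after a tap:
    the 'tap your card to the phone to verify' lure followed by enrolment on the attacker's handset."""
    alerts = []
    for card, evs in by_card(events).items():
        for i, e in enumerate(evs):
            if e.kind != "wallet_provision" or e.endpoint in known_devices.get(card, set()):
                continue
            if any(p.kind in CARD_PRESENT and (e.ts - p.ts).total_seconds() <= window_s for p in evs[:i]):
                alerts.append(Alert(card, "wallet_provisioning_after_tap",
                                    f"new device {e.endpoint} enrolled within {window_s}s of a tap"))
    return alerts


def detect_relay_patterns(events, known_devices):
    return impossible_travel(events) + burst(events) + provisioning_after_tap(events, known_devices)


def _t(hh, mm, ss):
    return datetime(2026, 1, 15, hh, mm, ss, tzinfo=timezone.utc)


# Constructed sample: C1 makes a genuine purchase in Amsterdam, then its data is relayed
# through a lure app to an ATM in Berlin minutes later and enrolled in a wallet on an unknown phone.
SAMPLE_EVENTS = [
    Event(_t(10, 0, 0), "C1", "contactless_purchase", 52.3676, 4.9041, "T-AMS-1"),
    Event(_t(10, 2, 30), "C1", "atm_withdrawal", 52.5200, 13.4050, "ATM-BER-7"),
    Event(_t(10, 3, 10), "C1", "atm_withdrawal", 52.5200, 13.4050, "ATM-BER-7"),
    Event(_t(10, 5, 0), "C1", "wallet_provision", 52.5200, 13.4050, "D-unknown-9"),
    Event(_t(10, 30, 0), "C2", "contactless_purchase", 52.3676, 4.9041, "T-AMS-2"),
]
KNOWN_DEVICES = {"C1": {"D-known-1"}, "C2": {"D-known-2"}}

if __name__ == "__main__":
    for a in detect_relay_patterns(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(a)
```

On the sample stream all three rules fire for C1 and none for C2. Each rule is cheap enough to run inline in authorisation, which is the point the text makes: the interrupt has to land before the ATM dispenses or the wallet token is issued, not in a next-day batch.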


Threat narrative

Attacker objective: The attacker wants to convert a trusted mobile device into a fraud execution platform that can move money, capture data, or enable account takeover without obvious user awareness.

  1. Entry occurs when the victim installs a disguised Android application or interacts with a social-engineered lure that delivers mobile malware.
  2. Escalation happens when the malware abuses accessibility services or remote-control capabilities to gain live control of the device and session.
  3. Impact follows when the attacker uses that controlled session to complete banking actions, relay payment data, or exfiltrate stored information for later fraud.



NHI Mgmt Group analysis

Device trust has become a fraud control, not just an endpoint concern. The article shows that modern mobile attacks do not need to break the app if they can influence the device that runs it. That shifts the governance question from login assurance to session integrity, because the handset itself can become the attacker’s operator. For practitioners, the control boundary has moved into the device and behavioural layer.

Mobile fraud now collapses the separation between identity proofing and transaction execution. A user can authenticate correctly and still be compromised if malware or remote control takes over the session after login. That means IAM teams, fraud teams, and mobile security teams must treat post-authentication behaviour as part of identity assurance, not as a separate problem. The implication is that session context now matters as much as credential strength.

Mobile accessibility abuse is a named control gap, not a generic malware problem. Accessibility services were designed for legitimate usability functions, but they become a fraud mechanism when an attacker can read, overlay, and automate app interaction. That failure mode is specific: trusted OS permissions are being repurposed for covert execution. Practitioners should treat this as a platform governance issue, not just an antimalware detection issue.

Identity and payment programmes need a better concept of device-mediated trust. The article’s strongest lesson is that a valid identity event is no longer enough to establish legitimate intent. When transaction completion can be delegated to a compromised device, the programme must understand who or what is actually operating the session. For practitioners, that means aligning fraud detection, mobile app controls, and IAM telemetry around the same trust model.

From our research:

  • Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
  • 97% of NHIs carry excessive privileges, according to the Ultimate Guide to NHIs.
  • See the 52 NHI Breaches Analysis for the breach patterns that emerge when identity trust is broader than visibility.

What this signals

Device-mediated trust is becoming the practical limit of mobile identity programmes. Teams that still treat mobile risk as a login problem will keep missing the session-layer manipulation described here. The right next step is to join mobile app telemetry, fraud signals, and identity assurance into one decision path, because the control failure happens after authentication, not before it.

Full visibility into service accounts sits at 5.7% of organisations in our research, and that visibility gap is the one identity governance maturity still has to close; mobile channels expose why. If your organisation cannot confidently see who or what is acting inside a session, you cannot separate legitimate user behaviour from device-driven fraud. That makes device integrity and behavioural assurance part of the identity programme, not a separate security silo.

Session trust is now the named concept to watch: the point at which a valid login still fails to prove legitimate intent. For mobile banking, wallet provisioning, and contactless payment flows, that means policy must be able to step in before transaction completion when device behaviour diverges from normal use.


For practitioners

  • Instrument device posture and interaction telemetry. Collect signals for overlay usage, abnormal touch cadence, accessibility service abuse, and signs of remote control before a transaction is completed. Use these signals to enrich mobile session risk scoring rather than relying on authentication success alone.
  • Treat sideloading and disguised apps as identity risk inputs. Block or step up review for mobile app distribution paths that bypass normal trust controls. If a device can install a malicious tool outside the approved app ecosystem, the identity session that follows should be treated as materially higher risk.
  • Separate credential verification from session trust. Do not assume a valid login means a trustworthy session. Pair authentication outcomes with device integrity checks, anomaly detection, and transaction-specific step-up policies when the app context shows signs of manipulation.
  • Monitor NFC-enabled flows for relay patterns. Watch for repeated, fast, or geographically inconsistent contactless payment and wallet provisioning behaviour that suggests a relay or controlled-device workflow. Build review logic that can interrupt the payment flow before completion when device mediation looks abnormal.

Key takeaways

  • Mobile malware has moved beyond data theft and now turns trusted phones into active fraud operators inside legitimate sessions.
  • The scale of the problem follows from Android's installed base combined with real-time remote control, accessibility abuse, and NFC relay techniques that bypass app-layer assumptions.
  • Practitioners need to govern device trust, session integrity, and transaction behaviour together, or identity controls will stop too early.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-1 | Mobile fraud depends on whether the session remains trustworthy after login.
NIST SP 800-63B | AAL2 | The article shows why authentication strength alone does not prove legitimate transaction intent.
NIST Zero Trust (SP 800-207) | Section 2.1 tenets (dynamic, per-session authentication and authorization) | Trust must be continuously re-evaluated inside the mobile session.

Apply continuous verification to mobile channels where device integrity can change mid-session.


Key terms

  • Device-mediated trust: The assumption that a mobile session is trustworthy because the device and user have already authenticated. In practice, a compromised handset can act on behalf of the user after login, so trust must include device integrity, behaviour, and session continuity, not just credential validation.
  • Remote device takeover: A fraud technique where malware or attacker tooling controls a phone in real time and performs actions as if the user were present. This turns the endpoint into an execution platform, allowing banking, payment, or data-exfiltration activity to happen inside a legitimate-looking session.
  • Accessibility abuse: The misuse of built-in operating system accessibility features to observe the screen, capture input, overlay content, or automate app interaction. The feature is legitimate, but when an attacker controls it, the result is covert session manipulation that is difficult to distinguish from normal device behaviour.
  • NFC relay attack: An attack that forwards contactless payment or card data from one device to another in real time, allowing transactions to complete without the physical cardholder’s direct control. It abuses a trusted communication channel and can support payments, wallet provisioning, or ATM cash-out.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by OneSpan: Our phones as double agents, unmasking the mobile threats in our pockets. Read the original.
