
Mobile device threats in app sessions: what should teams watch for?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Mobile threats are increasingly using the device itself, not just the app, to drive fraud in real time through Android malware, accessibility abuse, NFC relay tricks, and socially engineered installs, according to OneSpan and ThreatFabric. The governance challenge is visibility inside trusted sessions, where abnormal behaviour can look like normal user activity until money or credentials move.

NHIMG editorial — based on content published by OneSpan: Our phones as double agents, unmasking the mobile threats in our pockets

By the numbers:

Questions worth separating out

Q: How should teams detect mobile fraud when the device itself is compromised?

A: They should combine app telemetry, device posture, and behavioural signals rather than relying on login success alone.

Q: Why do compromised phones create more risk than simple credential theft?

A: A compromised phone can execute actions inside a live trusted session, which lets attackers move from stolen credentials to real-time transaction control.

Q: What do security teams get wrong about mobile malware and identity risk?

A: They often stop at authentication and overlook what happens after login.

Practitioner guidance

  • Instrument device posture and interaction telemetry. Collect signals for overlay usage, abnormal touch cadence, accessibility service abuse, and signs of remote control before a transaction is completed.
  • Treat sideloading and disguised apps as identity risk inputs. Block or step up review for mobile app distribution paths that bypass normal trust controls.
  • Separate credential verification from session trust. Do not assume a valid login means a trustworthy session.

What's in the full article

OneSpan's full blog post covers the operational detail this post intentionally leaves for the source:

  • Webinar context and the ThreatFabric discussion that frames the mobile threat landscape
  • Concrete malware behaviours on Android, including accessibility abuse and remote control
  • Examples of AI-assisted fraud distribution and targeted social engineering patterns
  • NFC relay scenarios for contactless payments, ATM withdrawals, and wallet provisioning

👉 Read OneSpan's analysis of mobile threats, malware abuse, and NFC fraud →
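
The practitioner guidance above, sketched as a server-side check that runs before a transaction completes (an added example, not code from OneSpan, ThreatFabric or the original post). The telemetry schema, weights and thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Assumed values for illustration; tune against your own telemetry.
TRUSTED_INSTALLERS = {"com.android.vending"}   # Google Play installer package
MIN_CADENCE_CV = 0.05      # below this, touch timing is suspiciously uniform
STEP_UP, DENY = 30, 60     # score thresholds

@dataclass
class SessionSignals:       # hypothetical telemetry schema reported by the app
    login_ok: bool
    installer: str          # package that installed the app
    overlay_seen: bool      # another window drawn over the app during the flow
    a11y_services: list = field(default_factory=list)  # enabled accessibility services
    a11y_allowlist: frozenset = frozenset()            # services the programme accepts
    screen_shared: bool = False      # screen capture / remote-control indicator
    touch_gaps_ms: list = field(default_factory=list)  # gaps between touches

def cadence_is_scripted(gaps):
    """Flag near-constant inter-touch gaps (low coefficient of variation)."""
    if len(gaps) < 5:
        return False        # too few samples to judge
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m < MIN_CADENCE_CV

def evaluate_transaction(s):
    """Return (decision, reasons) for a transaction inside an existing session."""
    if not s.login_ok:
        return "deny", ["not_authenticated"]
    score, reasons = 0, []
    # A valid login only gets the request this far; session signals decide the rest.
    checks = [
        (s.installer not in TRUSTED_INSTALLERS, 30, "sideloaded_install"),
        (s.overlay_seen, 30, "overlay_during_flow"),
        (bool(set(s.a11y_services) - s.a11y_allowlist), 30, "unknown_accessibility_service"),
        (s.screen_shared, 40, "remote_control_indicator"),
        (cadence_is_scripted(s.touch_gaps_ms), 30, "uniform_touch_cadence"),
    ]
    for hit, weight, reason in checks:
        if hit:
            score += weight
            reasons.append(reason)
    decision = "deny" if score >= DENY else "step_up" if score >= STEP_UP else "allow"
    return decision, reasons
```

The returned reason codes are meant to be logged with the decision so fraud operations and IAM can review why a logged-in session was stepped up or denied.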




   
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Device trust has become a fraud control, not just an endpoint concern. The article shows that modern mobile attacks do not need to break the app if they can influence the device that runs it. That shifts the governance question from login assurance to session integrity, because the handset itself can become the attacker’s operator. For practitioners, the control boundary has moved into the device and behavioural layer.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when a compromised mobile device completes a fraudulent transaction?

A: Accountability usually spans fraud operations, IAM, mobile security, and the business owner of the transaction flow. If the programme treats device integrity as outside identity governance, the control gap is structural. Teams should define ownership for post-authentication session trust before fraud patterns force the issue.

👉 Read our full editorial: Mobile device threats now act inside legitimate app sessions



   