Location spoofing is any technology that allows users to manipulate the location data shared by their device. This technology is used for various purposes, such as maintaining privacy or accessing location-based features of an application when outside of the allowed jurisdiction. Location spoofing tools either send out false GPS signals from the user’s device or use software to make it appear as if the device is located elsewhere.
Anyone can pay to access location spoofing tools. However, they are primarily used by bad actors to violate the terms of use of an application, such as by illegally accessing content, such as games or television shows, or for personal gains, such as accessing better deliveries or completing fake deliveries. Location spoofing allows bad actors to conceal their true location to circumvent different app features. If fraudsters can hide or change their location, they can sidestep security, trust & safety terms of use and fraud prevention measures that rely on simple location signals. Most legacy fraud prevention systems leverage IP addresses or GPS coordinates as risk decisions engine. Spoofing enables these bad actors to bypass location checks and more easily commit fraud.
You can learn more about this topic in the podcast below where Andre Ferraz (CEO and Founder at Incognia) and Felipe Cerqueira (Head of Global Operations at Rappi) talk about who is spoofing your location.
Spoofing location allows bad actors to commit many policy violations and fraud on digital platforms. Many mobile apps, for example, leverage location signals by a user's mobile phone to detect a user's whereabouts and provide a better service. It is helpful for swindlers to spoof their location so the app does not notice their actual behavior, allowing them to transgress some of the app's policies.
Below are some examples of scams in various industries.
Food delivery is one of the primary industries where location spoofing is used to violate policies and commit fraud.
There are various ways bad-intentioned individuals try to scam food delivery apps, and these scams can happen on both the consumer and courier sides. Specifically, couriers are using GPS spoofing apps on their mobile devices to fake their location and trick the food delivery driver app into allowing them to accept deliveries they otherwise would not have access to based on actual location.
A courier may also spoof their location to access unfair advantages or to commit the following types of fraud:
Couriers might root / jailbreak / emulate their devices:
Policies are also abused on the consumer app, such as creating multiple accounts to commit promotion and coupon abuse.
Location spoofing tools are typically leveraged by fraudsters trying to hide their actual location and commit various financial fraud types, such as:
In mobile skill games, one of the most widespread fraud schemes involving location spoofing is “collusion” between players: fraudsters use hundreds of mobile devices to collude, sharing cards and game information to defraud other players' mobile gaming apps.
GPS spoofing is a form of location spoofing, but there are other forms of location spoofing aside from GPS spoofing. Location spoofing and GPS spoofing serve the same purpose, fake the actual location of a device, but they work differently.
Unlike location spoofing, which makes it appear as if a device is in another place without actually changing its actual location, GPS spoofing changes the appearance of where a device is located by sending out false signals that override the real ones coming from satellites. This technology requires specialized equipment and knowledge of configuring it effectively or simply using GPS spoofing apps, readily available in app stores.
Fraudsters and legitimate users use proxies and VPNs to hide their IP addresses through a remote computer connection.
A critical difference between a proxy and a VPN is that a proxy runs at the application level, while a VPN runs at the operating system level.
Most fraud prevention technologies use the IP address to locate the user’s device, but the use of VPNs and proxies can easily fool these
types of fraud detection systems and thereby conceal the user’s true location.
After the boom of ride-sharing apps and location-based massively multiplayer online role-playing games (MMORPGs), GPS spoofing applications have become widely available. These apps enable gamers to fake their position for an unfair in-game advantage and enable fraudsters to fake their location and fool fraud detection systems.
Aside from gaming, GPS spoofing is leveraged in several other activities by bad actors trying to conceal their actual location.
Most fraud prevention technologies use the GPS location to locate the user’s device, but GPS spoofing apps can now fool these systems. Fraudsters don’t even need to root their devices or have super admin privileges to use spoofing apps. Bad actors can now spoof their GPS signals as easily as downloading an app to their device and activating it.
An emulator is a standard tool developers use to test mobile applications from a computer without needing to deploy the app into a mobile device. Fraudsters also use emulators to manipulate application data. Geolocation data is one category that an emulator can easily manipulate. While instrumentation tools, such as Frida, a dynamic code instrumentation toolkit, are primarily used by testers and developers, fraudsters use the tool to fool fraud prevention systems.
App tampering is the process of modifying the compiled code of an application. By inserting custom code into the source code of an application, bad actors can interrupt communication between the operating system and application to report fake locations.
There are several ways to fake GPS locations, but most involve using software or apps that allow you to change your phone's location. Here are a few standard methods:
1. Using a GPS spoofing app: There are many apps available for Android and iOS devices that allow you to change your phone's location. These apps work by sending fake GPS signals to your phone, which tricks it into thinking it is somewhere else.
2. Using a GPS emulator: Some GPS emulators allow you to simulate a specific location on your computer, which can then be transferred to your phone via a USB connection. It's important to note that faking your GPS location is generally considered a violation of the terms of service for many apps and websites and can also be illegal in certain circumstances. Additionally, using these methods to fake your location can have unintended consequences, such as causing your phone to behave erratically or making it difficult to use certain features.
GPS (Global Positioning System) is a system of 30+ navigational satellites. Devices use their signals to pinpoint an exact location. But these signals need to travel 12,550 miles to reach a receiver antenna, meaning they tend to be weak. By using simple radio transmitters, it is possible to emit signals to GPS receivers - such as smartphones - which could easily be more robust and precise than satellite signals due to the shorter distance between the transmitter and receiver. The transmitter signal would replace the official GPS signal, and the receiver location could be faked. Most devices and navigational systems are designed to accept the strongest signal, meaning they ignore the genuine signal in favor of the counterfeit one. Nowadays, radio transmitters are cheap online, and GPS spoofing apps are vastly available for Android devices, even through the Play Store.
GPS spoofing can be a problem for companies because it can lead to inaccurate location data, which can have severe consequences in specific industries. For example:
In general, detecting GPS spoofing is important for companies because it helps them ensure the accuracy and integrity of their location data, which is essential for many business processes.
GPS spoofing is a severe problem for companies, as it can lead to costly errors and losses due to inaccurate positioning data. Detecting GPS spoofing is essential because it can be used for various malicious activities.
By spoofing their location, attackers can compromise sensitive accounts guarded by location as a security signal, convincing apps that they are connected from a legitimate source instead of a malicious one. By detecting GPS spoofing, companies can enhance security and prevent malicious actors from fooling their controls. Companies should ensure they have sufficient security measures to detect any attempts at GPS spoofing before it becomes too late.
There are several ways that fake GPS locations can be detected:
Using multiple sources of location data: By cross-referencing location data from multiple sources, such as GPS, Wi-Fi, and cell tower triangulation, it can be easier to detect fake GPS locations.
Analyzing location data patterns: Abnormal patterns in location data, such as sudden jumps in location or unrealistic speeds, can indicate that the data is fake.
Comparing location data to known landmarks: Comparing the location data to known landmarks, such as buildings or roads, can help verify its accuracy.
Using a GPS simulator: Some can test for fake GPS locations by simulating different locations and comparing the resulting data to what is expected.
Using specialized software: There are also specialized software tools available that can detect fake GPS locations by analyzing various aspects of the data, such as the strength and quality of the GPS signal.
It's important to note that detecting fake GPS locations can be challenging and may require combining these methods. Additionally, it's important to remember that the methods used to detect fake GPS locations may vary depending on the specific use case and the available resources.
While detecting fake GPS locations can sometimes require specialized tools and technologies, the most effective way to detect if the holder of a mobile device is faking a GPS signal is by detecting the installation of a GPS spoofing app.
Many companies try to check for the installation of GPS spoofing apps, but it takes effort to keep up with novelties from fraudsters' creativity. Also, aside from GPS spoofing, it is essential to check for many other possible forms of location spoofing.
Incognia analyzes the integrity of each device to determine whether it is manipulating the data provided to the client-side application. Devices that are rooted or jailbroken, running a GPS spoofing application, or being emulated pose a significant security risk to the trust and safety of a digital community.
Whether the user is opening an account, entering a mobile game, or cashing out their winnings, Incognia detects device integrity anomalies.
Incognia checks whether the device has been tampered with, has location spoofing enabled, or is running on an emulator.
Interactions with devices that have been tampered with or are manipulating the data they pass to the client app will be flagged as risky by Incognia.
Given the easy access to location spoofing techniques and the increasing usage of fintech and e-commerce apps, it’s time for companies to upgrade fraud detection based on GPS or IP location. Today, fraudsters fool fraud detection systems by relying only on GPS or IP addresses for location-based risk assessments. Incognia location technology uses network signals, including GPS, Cellular, Wi-Fi and Bluetooth, and motion sensors, to provide highly accurate location behavior intelligence that is extremely difficult to spoof. Using the location sensor data from the device, Incognia uses several key location behavior concepts as the basis for Incognia’s location identity, which makes it extremely difficult for fraudsters to fake their location and go undetected. Combined, these location concepts establish trusted locations and location patterns for users that are part of Incognia’s risk assessments.
To use Incognia location technology for fraud detection and location spoofing detection within a mobile app, Incognia is deployed as a lightweight SDK and APIs that deliver a risk assessment with detailed evidence. Users of the app must also enable location permissions on their devices. In the network of 100 million devices with Incognia deployed, we see very high rates of users opt-in for using location permissions for fraud prevention. Best practices on messaging for location permission show that when the description of why the location is used is clear and provides direct value to the user, opt-in rates are high. The acceptance percentage will be smaller if the permission request is hidden or linked to a feature that does not give real value. Incognia detects location points and collects location data solely to protect the user and prevent fraud.
Each location has a unique signature of GPS coordinates and available WiFi, Bluetooth, and cellular network signals. Incognia maps and correlates these signatures to create unique environments and uses this information to identify a device's location with high precision and accuracy, even indoors.
Each user has a unique location behavior pattern, like a location fingerprint, that comprises frequently visited locations specific to that user. As the user moves location, this location fingerprint is constantly changing and updating, making it extremely difficult to mimic or forge.
The highly frequented locations by the user and device are classified as the user’s trusted locations. When Incognia detects that a user is in a trusted location, there is a higher probability of the transaction being legitimate and a lower risk for fraud.
Incognia uses geofencing and activity recognition techniques to detect if a device has significantly displaced its position. By scanning Wi-Fi and Bluetooth signals, Incognia can detect displacements in position and confirm that the device is at a different location or returning to an already mapped location without pulling GPS coordinates every time. This technique also minimizes battery consumption on the device to 0.5% in 24 hours.
Incognia location technology is deployed in over 100 million devices providing a powerful network effect. Devices and locations associated with fraud or suspicious behaviors are added to the Incognia Behavior Watchlist. As a customer of Incognia, any device or location on the watchlist will be indicated in the evidence list. This information will be used in the risk assessment.