Darwinium updates mobile SDKs to spot scam activity

Darwinium has updated its Android and iOS mobile software development kits to detect scam activity and account farming during app sessions. The changes are aimed at banks, payment providers and other digital businesses.

The update extends fraud checks beyond login or payment by monitoring what happens during a live mobile app session. The software can identify signs linked to remote-access scams, including live calls on collaboration services and screen-sharing activity that may indicate an attacker has gained influence or control.

The revised mobile tools can detect live calls on Google Meet, Microsoft Teams and Slack huddles, which fraudsters increasingly use to coach victims in real time. The system can also distinguish between different forms of screen sharing, such as a Google Cast session to a television and a TeamViewer session that could hand control to a third party.

That matters for fraud teams because many checks still focus on a single point in the customer journey, such as authentication or payment approval. Darwinium is instead pushing a model that watches for changes in risk after a user has already passed those earlier checks.

"Most fraud platforms validate trust at a single moment, typically at login or payment, through device binding, authentication, or a step-up challenge," said Alisdair Faulkner, Chief Executive Officer and Co-Founder of Darwinium.

"But agentic-fueled mobile fraud doesn't happen at specific moments. It happens everywhere, in a complex path of subterfuge. A customer who has legitimately authenticated can still be coached, coerced, or silently observed into moving money. Even behavioral biometrics, when applied as a single check, can miss the moment a screen share starts, or a remote-access tool is activated mid-journey."

Account farming

The updated SDKs also target account farming, in which fraudsters operate many accounts from the same device or environment. The tactic has implications across banking, gambling, gaming, eCommerce and fintech, where it can support mule networks, collusion, promotion abuse and attempts to evade geographic rules.

Darwinium says it can now identify several device-evasion methods used in those operations, including app cloning, multiple user profiles on one handset, mock locations and GPS spoofing, and emulator use.

One focus is iOS apps running on macOS through PlayCover, which Darwinium described as a growing route for scaling mobile fraud from desktop environments. The software also checks app integrity through component hashes to identify repackaged, modified or cloned applications used to run parallel sessions.

Banks in Southeast Asia are already using these methods to investigate mule activity, according to Darwinium. One banking customer linked more than 10,000 mule accounts to underlying devices by combining device intelligence with forensic analysis.

Single risk view

The mobile SDKs sit within Darwinium's broader fraud prevention platform, which combines device, behavioural and identity data across customer interactions. The goal is to give fraud teams a continuous view of risk across mobile apps, websites and application programming interfaces, rather than treating device checks as a standalone process.

That approach reflects a wider shift in fraud prevention as criminal groups use social engineering, remote-access tools and automation to move attacks through several stages of a customer journey. In those cases, a session that begins with a legitimate user and device can still become risky later if another party starts directing actions behind the scenes.

For banks, this is especially relevant in authorised push payment scams and mule account activity, where the challenge is often to detect manipulation before money leaves the account. For digital platforms outside finance, the same underlying device behaviours can point to incentive abuse, multi-accounting and jurisdictional evasion.

The updated Android and iOS SDKs are available immediately to existing Darwinium customers. The aim is to show businesses what is happening during a session, rather than only verifying who started it.