Skip to main content

4 posts tagged with "android"

View All Tags
PartialRemote access

OpenBet / Fanatics TN: HopToDesk remote session connects, but the Place Bet button is hidden from the remote operator

OpenBetFanatics Sportsbook
openbetfanatics-tnrdphoptodeskremote-control

Source. June 8, 2026 weekly sync.
Ticket. CIV-89: Fanatics / OpenBet Locator — spoofing testing updates.

What we tested

The Tennessee half of the Fanatics remote-access retest: HopToDesk remote control on Android against the Fanatics TN app (OpenBet Locator), with the remote operator driving the in-state device.

What happened

  • ⚠️ Remote-control session established. HopToDesk connected and the remote operator had full control of the Android device — the session itself was not blocked.
  • Place Bet button hidden from the remote operator. Bets could not be placed remotely without local (in-person) interaction on the device.

Why it matters

A partial outcome. The remote-access tool was not detected or blocked outright, but the wagering action was withheld from the remote session, so the fraud could not be completed remotely. The protection is not consistent across states and tools, though: on Fanatics MI this week, TeamViewer screen mirroring allowed full remote betting from Tennessee. An attacker who can supply even brief local interaction — or who finds a tool/state combination without the hidden-button behaviour — may still get through.

Cross-reference

OpenBet profile → · June 8 weekly sync →

MissedRemote access

OpenBet / Fanatics: Mac-to-Android remote control undetected, bets placed

OpenBetFanatics Sportsbook
openbetfanaticsrdpremote-controlandroid

Source. June 2, 2026 weekly sync.
Ticket. CIV-79: Fanatics — Mac-to-Android remote control (OpenBet).

What we tested

A cross-platform variant of the remote-control fraud pattern: a tool allowing a Mac laptop to remotely control an Android phone from a different network was used to place bets on Fanatics (OpenBet). The phone sat inside the permitted state; the controlling Mac did not.

What happened

  • OpenBet did not detect the remote-control session during a sustained test.
  • Bets were placed on Fanatics through the remotely-controlled Android device.

Why it matters

This extends the week's remote-control gap beyond macOS↔macOS to a desktop→mobile path. The same "proxy device inside the state" risk applies: a user outside a licensed state bets through a device that is physically in-state. Confirming the gap on a third integration (after Radar/Underdog and XPoint/Bet365 NJ) makes it a campaign-level concern rather than a single-vendor quirk.

Cross-reference

OpenBet profile → · June 2 weekly sync →

PartialRemote accessNear border

OpenBet / Fanatics MI: HopToDesk remote control undetected on Android (TeamViewer + AnyDesk blocked)

OpenBetFanatics Sportsbook
openbetfanatics-mirdphoptodeskteamviewer

Source. June 2, 2026 weekly sync.
Ticket. CIV-64: MI advanced spoofing retest.

What we tested

During advanced spoofing retests near the Michigan–Canada border, the team tested several remote-control applications on Android against the Fanatics MI app (OpenBet), plus iOS screen sharing for comparison.

What happened

  • HopToDeskNOT detected at installation or during an active remote session on Android. Bets were placed consistently while a remote user was in control.
  • TeamViewer — detected and blocked.
  • AnyDesk — detected and blocked.
  • iOS FaceTime screen sharing — detected near the border.

Why it matters

This is a known detection gap for a specific tool, not a blanket failure: the two most common remote-access apps (TeamViewer, AnyDesk) are caught, and FaceTime screen sharing is caught on iOS — but HopToDesk slips through entirely on Android. A sophisticated fraudster who identifies this specific gap can use it to circumvent geolocation checks on Fanatics in Michigan while the obvious tools stay blocked.

Cross-reference

OpenBet profile → · June 2 weekly sync →

MissedVPNFake GPS appEmulator

High Flyer Casino TN: location spoofing succeeds on iOS + Android — bets placed from outside Tennessee, blocks only enforced at game level

GeoLocsHigh Flyer Casino
geolocsmkodohighflyer-tniosandroid

Source. May 26, 2026 weekly sync.
Ticket. CIV-52: Ontario — mkodo / GeoLocs — Compliance Failures & Retest (Casumo, High Flyer, OLG).

What we tested

Whether High Flyer Casino (Tennessee) could be accessed and wagered on from outside the licensed state using common consumer-grade spoofing combinations:

  • iOS — Safari + iAnyGo location-spoofing tool + VPN.
  • Android — equivalent setup.
  • iOS Emulator — for comparison against the native iOS path.

What happened

  • iOS path succeeded. Bets placed from outside Tennessee with no website-level block.
  • Android path succeeded. Same outcome.
  • iOS Emulator test produced identical results to native Android — the platform does not differentiate the emulated environment.
  • Some individual games returned location errors — but this enforcement comes from the game providers themselves, not from the sportsbook integration. Coverage is therefore inconsistent and per-title rather than per-jurisdiction.

Why it matters

The geolocation controls at the platform level are effectively absent for this operator on the most common consumer spoofing toolchain (VPN + commodity iOS spoofer). When detection does fire, it fires from game providers rather than from the operator's compliance layer — meaning enforcement depends on which game the user happens to open, not on a coherent jurisdictional decision.

Cross-reference

GeoLocs profile → · May 26 weekly sync →