Skip to main content

2 posts tagged with "ciV-89"

View All Tags
MissedGPS spooferRemote accessResigned / tampered app

OpenBet / Fanatics MI: GPS simulator + TeamViewer iOS screen mirroring undetected, bets placed from Tennessee (iOS resigned app detected)

OpenBetFanatics Sportsbook
openbetfanatics-migps-simulatorteamviewerrdp

Source. June 8, 2026 weekly sync.
Ticket. CIV-89: Fanatics / OpenBet Locator — spoofing testing updates.

What we tested

Follow-up testing this week extended our remote-access findings on Fanatics to additional methods and states. On the Fanatics MI app (OpenBet Locator) we exercised three vectors: an iOS resigned app, a GPS simulator, and TeamViewer screen mirroring of the iOS device — with the controlling operator located in Tennessee.

What happened

  • iOS Resigned App — detected. Geolocation failed as expected. However, the error message returned blank, making it difficult to identify the specific detection trigger.
  • GPS Simulator — not detected. The tester logged into the Michigan app, placed bets, and launched and played casino games — all from Tennessee.
  • TeamViewer screen mirroring (iOS, MI) — not detected. Full remote control of the iOS device was achieved via TeamViewer; real-money bets were placed on the Michigan app from Tennessee.

Why it matters

Two independent vectors — a GPS simulator and TeamViewer screen mirroring — each let an out-of-state user place real-money bets on Fanatics MI from Tennessee. The resigned-app check fired, but the blank error message is itself a UX/diagnostic gap: it confirms a block without surfacing the reason, which makes triage and rule attribution harder. A sophisticated fraudster only needs one of the two undetected paths to wager from outside the licensed state.

Cross-reference

OpenBet profile → · June 8 weekly sync →

PartialRemote access

OpenBet / Fanatics TN: HopToDesk remote session connects, but the Place Bet button is hidden from the remote operator

OpenBetFanatics Sportsbook
openbetfanatics-tnrdphoptodeskremote-control

Source. June 8, 2026 weekly sync.
Ticket. CIV-89: Fanatics / OpenBet Locator — spoofing testing updates.

What we tested

The Tennessee half of the Fanatics remote-access retest: HopToDesk remote control on Android against the Fanatics TN app (OpenBet Locator), with the remote operator driving the in-state device.

What happened

  • ⚠️ Remote-control session established. HopToDesk connected and the remote operator had full control of the Android device — the session itself was not blocked.
  • Place Bet button hidden from the remote operator. Bets could not be placed remotely without local (in-person) interaction on the device.

Why it matters

A partial outcome. The remote-access tool was not detected or blocked outright, but the wagering action was withheld from the remote session, so the fraud could not be completed remotely. The protection is not consistent across states and tools, though: on Fanatics MI this week, TeamViewer screen mirroring allowed full remote betting from Tennessee. An attacker who can supply even brief local interaction — or who finds a tool/state combination without the hidden-button behaviour — may still get through.

Cross-reference

OpenBet profile → · June 8 weekly sync →