6 posts tagged with "fanduel-wv"

Source. May 11, 2026 weekly sync.
Test evidence (internal Drive): PlayCover videos · FD WV: Spoofing Tests

What we tested​

Three distinct exploitation methods against the FanDuel WV (Radar) deployment, from Tennessee:

1. iOS app resigning — re-signed FanDuel iOS app with security controls bypassed.
2. Virtualised environment emulation via VMOS — Android device-farm environment running a cloned profile.
3. Sideloading via PlayCover on ARM-based macOS — iOS app loaded on Apple Silicon Mac via PlayCover.

What happened​

All three succeeded. Each technique facilitated out-of-state betting on the WV app. Critical and persistent failure to prevent unauthorized access or potential multi-accounting activities.

Cross-reference — same vectors, different results elsewhere​

• iOS app resigning was detected at Bet Saracen AR on April 7 — see Radar / Saracen AR: resigned iOS app detected. The gap is FD-WV-specific or build-specific.
• PlayCover was detected at Bet365 MI, Fanatics TN, and Bet Saracen AR on the same day — see cross-operator PlayCover blocked. FD WV is the outlier.
• VMOS is also undetected at Bet Saracen AR — see Bet Saracen AR: VMOS not detected. The Android device-farm gap is wider than just FD WV.

Radar profile → · May 11 weekly sync →

Source. April 7, 2026 weekly sync.

What we tested. Repeat of the March 31 VMOS Android device-farm test on FanDuel WV.

What happened. VMOS usage was not detected this time. The tester placed bets from Tennessee on the West Virginia app.

Why it matters. Two consecutive weeks, opposite results on the same vector + operator combination. Either:

• Radar's device-farm detector has regressed between the two Android build releases the tests targeted, or
• The detector is flaky / instrumentation-sensitive — which is worse, because operators can't rely on what'll happen on any given session.

Cross-reference: VMOS also went undetected at Bet Saracen AR on May 11. The pattern is "VMOS Android catches some sessions, misses others" — not a stable detection posture.

Radar profile → · March 31 positive result → · April 7 weekly sync →

Source. March 31, 2026 weekly sync.

What we observed. Radar is allowing proxy betting and just asks the user to wait some additional time if someone else used the account in another location.

Why it matters. Two problems here:

1. Reactive, not preventive. A proxy-routed session gets through; the only consequence is a delay before the next session.
2. Misleading error messaging. Subsequent enforcement provides "account sharing" messaging instead of clear regulatory restrictions — which risks encouraging illegal workarounds like proxy usage (the user thinks they got flagged for sharing, not for masking location).

Combined with the FanDuel WV state-selector vulnerability (TN user initially verified on the WV platform — reactive rather than proactive validation), this is the same architectural problem expressed two ways: Radar's compliance posture is reactive.

Radar profile → · March 31 weekly sync →

What we tested. Re-signed iOS FanDuel app, modified to bypass security controls. Tester located in Tennessee, targeting the FanDuel WV platform.

What happened. The modified build successfully placed bets from out-of-state. Radar failed to detect the modification.

Cross-reference. Contradicts the Apr 7 result at Bet Saracen AR, where Radar DID detect a re-signed iOS app with appropriate error messaging. Re-signed iOS detection is inconsistent across operators — fix one, the other still fails.

Why it matters. App-resigning is a well-known attack class. A regulator audit that includes a tampered-app test will not accept an inconsistent result.

Radar profile →

Source. March 31, 2026 weekly sync — Field Testing section.

What we tested. VMOS (virtual Android OS) device-farm scenario on the FanDuel WV Android app (Radar-instrumented). Spun up a virtualised device profile and attempted to wager.

What happened. Radar successfully identified the virtual OS environment used to manipulate device integrity. Detection fired.

Why it matters. This is a genuine positive Radar result — worth recording for parity. The sales narrative is honest: Radar catches some device-farm attacks but not all of them. Cross-reference the April 7 weekly: on the second attempt, VMOS was not detected, allowing bets from TN on the WV app — pointing to either a regression or a flaky/instrumentation-sensitive detector. Follow-up validation is scheduled pending the next Android app release.

Radar profile → · March 31 weekly sync → · April 7 weekly sync (regression) →

What we tested. FanDuel West Virginia, Radar-instrumented mobile app, real device with a hardware GPS-simulator attached. Tester's actual location was Vietnam.

What happened. Radar accepted the spoofed coordinates and allowed geolocation verification to succeed. A hardware GPS simulator should be the most obvious off-the-shelf attack and is exactly what the regulator expects a compliance product to catch.

Why it matters. This is the entry-level attack class. If a hardware GPS simulator clears Radar in a regulated US sportsbook deployment, every sophistication-tier attack we've subsequently tested has an obvious predecessor.

Radar profile → · Test matrix →