Skip to main content

6 posts tagged with "gps-simulator"

View All Tags
MissedGPS spooferRemote accessResigned / tampered app

OpenBet / Fanatics MI: GPS simulator + TeamViewer iOS screen mirroring undetected, bets placed from Tennessee (iOS resigned app detected)

OpenBetFanatics Sportsbook
openbetfanatics-migps-simulatorteamviewerrdp

Source. June 8, 2026 weekly sync.
Ticket. CIV-89: Fanatics / OpenBet Locator — spoofing testing updates.

What we tested

Follow-up testing this week extended our remote-access findings on Fanatics to additional methods and states. On the Fanatics MI app (OpenBet Locator) we exercised three vectors: an iOS resigned app, a GPS simulator, and TeamViewer screen mirroring of the iOS device — with the controlling operator located in Tennessee.

What happened

  • iOS Resigned App — detected. Geolocation failed as expected. However, the error message returned blank, making it difficult to identify the specific detection trigger.
  • GPS Simulator — not detected. The tester logged into the Michigan app, placed bets, and launched and played casino games — all from Tennessee.
  • TeamViewer screen mirroring (iOS, MI) — not detected. Full remote control of the iOS device was achieved via TeamViewer; real-money bets were placed on the Michigan app from Tennessee.

Why it matters

Two independent vectors — a GPS simulator and TeamViewer screen mirroring — each let an out-of-state user place real-money bets on Fanatics MI from Tennessee. The resigned-app check fired, but the blank error message is itself a UX/diagnostic gap: it confirms a block without surfacing the reason, which makes triage and rule attribution harder. A sophisticated fraudster only needs one of the two undetected paths to wager from outside the licensed state.

Cross-reference

OpenBet profile → · June 8 weekly sync →

DetectedGPS spoofer

OpenBet / Fanatics MI: GPS spoofing hardware detected — new market confirms the TN result ✓

OpenBetFanatics Sportsbook
openbetfanatics-migps-simulatorpositiveciV-48

Source. May 26, 2026 weekly sync.
Ticket. CIV-48: Test Fake Location using GPS Simulator Accessory on Competitor Apps.

What we tested

A hardware GPS-spoofing accessory was used against Fanatics Michigan (OpenBet Locator) — a market not previously exercised on this vector. The TN result from the prior cycle was the benchmark to compare against.

What happened

  • Real-time location-anomaly warning surfaced as soon as the spoofed position diverged from the device's plausible motion model.
  • Session prevented from continuing — wagering blocked.

Why it matters

Two-market confirmation of OpenBet's GPS-simulator handling. The prior Tennessee result is no longer a single-data-point; Fanatics MI now provides an independent replication of the same defensive behaviour against the same hardware vector. This raises confidence that the detection is integration-level rather than a quirk of one operator deployment.

Cross-reference

OpenBet profile → · May 26 weekly sync →

DetectedGPS spooferFake GPS appUX / messaging

OpenBet / Fanatics TN: GPS simulator detected with a specific, informative error message ✓

OpenBetFanatics Sportsbook
openbetfanatics-tngps-simulatorpositiveciV-48

Source. May 19, 2026 weekly sync.
Ticket. CIV-48.

What we tested

The same hardware GPS simulator accessory used against Bet365 MI (Radar) and RSI BetRivers TN (XPoint) this week — applied to the Fanatics Tennessee (OpenBet Locator) deployment.

What happened

Detected and named. The GPS simulator triggered a clear, specific error message:

"Your location has abruptly changed. Please disable apps that alter your device's location and retry."

This is notably more informative than the generic messaging seen at the other operators in the same test cycle — it tells the player exactly what kind of tampering was detected and what to do.

Why it matters

Two things are worth recording here:

  1. OpenBet handles GPS-simulator hardware. This is the third spoofing vector this week where OpenBet's detection held while Radar / XPoint's did not (alongside droidVNC-NG RDP blocked at Fanatics NJ and PlayCover blocked at Fanatics TN).
  2. The UX is materially better. Compare with Radar's generic "Account Locked" messaging on DraftKings DFS NJ this week — same kind of compliance event, two very different player experiences. Specific, actionable error messaging reduces support load and shortens the recovery path for legitimate users.

Cross-reference (GPS simulator across providers this week)

OperatorProviderResult
Bet365 MIRadarBypassed via re-entry
RSI BetRivers TNXPointFully undetected
Fanatics TNOpenBet Locator✓ Detected with specific error (this finding)

OpenBet was the only provider to handle this vector cleanly this cycle.

OpenBet profile → · May 19 weekly sync →

MissedGPS spooferFake GPS app★ Pinned

Radar / Bet365 MI: GPS simulator accessory bypass, restriction not re-applied on re-entry

Radarbet365
radarbet365-migps-simulatorciV-48

Source. May 19, 2026 weekly sync.
Ticket. CIV-48: Test Fake Location using GPS Simulator Accessory on Competitor Apps.

What we tested

A hardware GPS simulator accessory was used to spoof the tester's physical location while connecting to Bet365 Michigan (Radar deployment) from Tennessee.

What happened

  • First login attempt — an error was returned (location restriction triggered).
  • Second login attempt — succeeded with no further location checks enforced. The tester opened a casino game and placed real-money bets from Tennessee.
  • The restriction that appeared on the first login was not re-applied on re-entry — the bypass is repeatable.

Why it matters

This is a structural detection failure, not a one-off bug: the GPS simulator was identified once, then the operator's session state effectively whitelisted the device. Anyone who has triggered a restriction once can simply log out and back in to bypass it.

Combined with the Bet365 NJ Tailscale RDP gap confirmed in the same week, Bet365's Radar integration is producing two distinct, easily-reproducible spoof methods across two different states.

Cross-reference

  • GPS simulator at FanDuel WV (Radar) — previously bypassed from Vietnam (March 24, 2026). The GPS-simulator gap is not new and not WV-specific.
  • PlayCover at Bet365 MIblocked the same week. Bet365 catches the iOS-on-Mac vector but misses the hardware-GPS vector.
  • GPS simulator at Fanatics TN (OpenBet)detected with a clear, specific error message. OpenBet handles this vector; Radar does not.

Radar profile → · May 19 weekly sync →

MissedGPS spooferFake GPS app★ Pinned

XPoint / RSI BetRivers TN: GPS simulator fully undetected, MI casino bets from Tennessee

XpointRushStreet Interactive (BetRivers)
xpointrsi-betriversgps-simulatorciV-48

Source. May 19, 2026 weekly sync.
Ticket. CIV-48: Test Fake Location using GPS Simulator Accessory on Competitor Apps.

What we tested

A hardware GPS simulator accessory was used against the RSI BetRivers Tennessee (XPoint) deployment.

What happened

The GPS simulator went fully undetected — no first-login error, no session-mid restriction. The tester logged into the Michigan app from Tennessee and played a casino game with no errors or restrictions triggered at any point.

Why it matters

This is the cleaner-cut version of the Bet365 MI Radar gap on the same vector this week. Where Bet365 (Radar) flagged the simulator on first login and then forgot about it, RSI BetRivers (XPoint) never flagged it at all.

This is also consistent with our standing position on XPoint's unsigned iOS SDK (March 24): the SDK ships with a public GPS injection method and can be patched to inject coordinates before every compliance check. A hardware GPS-simulator accessory is a more expensive way to achieve the same outcome — and it still works.

Cross-reference

XPoint profile → · May 19 weekly sync →

MissedGPS spoofer★ Pinned

Radar / FanDuel WV bypassed by GPS simulator device from Vietnam

RadarFanDuel
radargps-simulatorfanduel-wv

What we tested. FanDuel West Virginia, Radar-instrumented mobile app, real device with a hardware GPS-simulator attached. Tester's actual location was Vietnam.

What happened. Radar accepted the spoofed coordinates and allowed geolocation verification to succeed. A hardware GPS simulator should be the most obvious off-the-shelf attack and is exactly what the regulator expects a compliance product to catch.

Why it matters. This is the entry-level attack class. If a hardware GPS simulator clears Radar in a regulated US sportsbook deployment, every sophistication-tier attack we've subsequently tested has an obvious predecessor.

Radar profile → · Test matrix →