XPoint / BetRivers PA: iOS RDP, Tailscale macOS RDP, and rooted Android mock location undetected; standard RDP + FLA blocked
Source. June 16, 2026 weekly sync.
Ticket. CIV-88: BetRivers PA — compliance analysis.
What we tested
A compliance analysis of BetRivers Pennsylvania (XPoint) covering native iOS remote-control methods, Tailscale + macOS native screen sharing, rooted Android with mock-location concealment, and a baseline suite of standard remote-access tools, IP-change detection, Android fake location apps (FLA), and a resigned iOS app.
What happened
| Vector | Result | Notes |
|---|---|---|
| Native iOS RDP (FaceTime + iPhone Mirroring) | ✗ Undetected | Remote operator in an out-of-state location placed bets on the in-state Pennsylvania iOS device. |
| Tailscale + macOS native RDP | ✗ Undetected | Mesh VPN tunneling combined with built-in macOS screen sharing was not flagged. |
| Rooted Android + concealed mock location | ✗ Undetected | Root state and hidden mocked coordinates both went unnoticed; bets and gameplay succeeded from an exclusion state. |
| TeamViewer, AnyDesk, HopToDesk | ✓ Blocked | Standard commercial remote-access utilities were identified and suppressed. |
| IP change detection | ✓ Blocked | IP-based relocation checks fired as expected. |
| Android fake location apps (FLA) | ✓ Blocked | Geolocation manipulation frameworks were detected before wagering. |
| Resigned iOS app | ✓ Blocked | Tampered iOS binary was rejected. |
Why it matters
Three high-impact vectors — iOS screen sharing, Tailscale-based macOS RDP, and root-concealed mock location — all succeeded on the same operator while the "standard toolkit" checks passed. That pattern suggests detection tuned to known commercial RDP signatures and common FLA tools, but blind to native OS remote-control channels and Magisk-level telemetry suppression. The iOS and Tailscale gaps are especially material given prior undetected Tailscale findings on other XPoint deployments.
Cross-reference
- BetRivers PA (XPoint) — advanced spoofing review: Tailscale macOS RDP, Magisk mock-location suppression, FaceTime handoff (June 23, CIV-88) — follow-up cycle on the same operator and ticket.
- RSI BetRivers NJ (XPoint) — Tailscale RDP inconsistent (May 19, CIV-73) — same Tailscale class of attack, different state.
- Bet365 MI (XPoint) — RustDesk launch-order flaw (June 2, CIV-64) — another XPoint desktop RDP gap in the same test window.