CFOtech Canada - Technology news for CFOs & financial decision-makers
Sports betting apps targeted by fraud, warns Approov

Tue, 16th Jun 2026
Joseph Gabriel Lagonsin, News Editor

Approov has warned that sports ticketing and betting apps are an increasing target for fraud tied to abuse of mobile app interfaces. Major sporting events, it said, are creating new opportunities for scams.

The security company argued that consumers can still be defrauded even when they use genuine apps downloaded from official stores. Attacks now target the data, tokens and application programming interfaces beneath the app interface. Approov said artificial intelligence has reduced the skill and time needed to reverse engineer apps, steal credentials and automate abuse.

The analysis focuses on mobile services used to buy tickets and place bets during periods of high demand. Approov said the combination of urgency, heavy smartphone use, and direct links to payment details and identity data has made betting apps a particularly attractive target for criminals.

One concern is data scraping. Attackers are using automated tools and AI agents to collect information such as odds changes, promotional offers, market movements, betting lines and real-time pricing data. That information can then be used for arbitrage, bonus abuse and coordinated betting strategies that move faster than ordinary users.

Another is direct API abuse. Mobile betting apps often rely on APIs to connect to backend systems, and attackers can exploit that by reverse engineering the app, extracting API keys, intercepting traffic and copying the behaviour of a legitimate app. Once that happens, fraudsters may be able to automate account creation, scrape data or replay user sessions at scale.

Fake and modified apps remain part of the threat. Criminals can build counterfeit sportsbook apps or altered versions of genuine products that look authentic while stealing credentials, session tokens, personal information and financial details.

Approov also pointed to bot-driven market manipulation. Automated systems can monitor odds continuously, identify short-lived betting opportunities, exploit promotions instantly and coordinate activity across several operators. That can distort betting markets and erode trust in fairness.

Ted Miracco, Chief Executive Officer at Approov, said consumer habits around major events had made mobile services especially vulnerable. "The World Cup is filling stadiums and scammers' pockets. Big sporting events are a gift to thieves: millions of people are buying tickets fast, placing bets faster, and doing nearly all of it on a phone. Demand is high, patience is low, and that combination is exactly what attackers exploit," he said.

Miracco said the issue now extends beyond fake downloads and obvious phishing. "What's changed is who gets fooled and how. The old advice to 'only download official apps from the App Store or Google Play' is still valid but it's not enough. Consumers using genuine, legitimately published apps are being defrauded too, because attack methods have moved underneath the apps themselves. They now exploit the secrets the app carries, the APIs (application programming interfaces) it talks to, and the tokens that prove who the consumer is, because AI has quietly removed most of the friction that used to protect those layers," he said.

How attacks shift

Approov's broader argument is that the traditional assumption of trust in a downloaded app no longer holds. In its view, a legitimate app can still expose users if its code contains embedded keys or tokens, if its backend trusts requests too easily, or if session credentials can be captured from a compromised device or network connection.

That marks a shift in where fraud takes place. Instead of relying only on fake resale listings or cloned websites, attackers can target the app's underlying technical structure. For ticketing services, that may allow the theft of log-in details and payment information. For betting services, the risks may be broader because accounts often include verified identity records as well as card or bank links.

Approov said AI has intensified the problem by making established methods easier to use. Reverse engineering tools can help identify the purpose of software functions, locate hardcoded secrets more quickly and map how APIs behave. Generative tools can also help build convincing fake interfaces and support token replay or credential theft at greater scale.

Wider risk

Although the examples focus on sports and gambling, the same techniques could be used against any consumer app that exposes valuable live data through APIs. That includes sectors where mobile apps handle payments, health information or other sensitive customer records.

Approov argued that developers should treat scraping, automated account creation, API abuse, bot activity and fake apps as core cybersecurity issues rather than isolated fraud incidents. It said the burden has shifted from user vigilance to app design, particularly where services rely on secrets stored in the app binary or connections that can be intercepted.

Its recommended measures include removing hardcoded secrets from mobile apps, delivering sensitive data only at runtime to verified app instances, detecting tampering or unsafe device environments while the app is running, and using certificate pinning to reduce the risk of man-in-the-middle interception. Betting apps may be the early proving ground, but any platform with mobile APIs should expect similar pressure from attackers.
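
As an added illustration of the recommendation to replace secrets stored in the app binary with data delivered at runtime to verified app instances (example code written for this page, not Approov's product or API): the backend below accepts only short-lived signed tokens bound to a session, so a static key lifted from the binary or a captured token has little replay value. The HMAC token format, the key and all function names are assumptions, and the app-integrity check that would precede token issuance is not modelled.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment it is held only by the backend
# and the attestation service, never shipped inside the app binary.
ATTESTATION_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_TOKEN_LIFETIME = 300  # seconds; caps how long a captured token is useful


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(session_id: str, now: float, ttl: int = 120) -> str:
    """Attestation side (hypothetical): mint a token for a verified app instance."""
    claims = {"sid": session_id, "iat": int(now), "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(ATTESTATION_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, session_id: str, now: float) -> tuple:
    """Backend side: return (accepted, reason) for the token on a request."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(ATTESTATION_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
        iat, exp, sid = int(claims["iat"]), int(claims["exp"]), claims["sid"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed token"  # includes a bare static API key
    if exp - iat > MAX_TOKEN_LIFETIME:
        return False, "lifetime too long"
    if now >= exp:
        return False, "expired"
    if sid != session_id:
        return False, "session mismatch"  # token replayed in another session
    return True, "ok"
```

The signature is checked before the claims are parsed, so unauthenticated input never reaches the JSON decoder.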