How iPhone Jailbreaking Is Used to Commit Deepfake Fraud. Incode Blog

How iPhone Jailbreaking Is Used to Commit Deepfake Fraud

In 2025, digital fraud is becoming increasingly sophisticated, with new AI-powered fraud tactics, such as hyperrealistic deepfakes, becoming more accessible every day.

In our 2025 customer survey, we found that 96.4% of fintech professionals consider deepfake and synthetic identity fraud to be a top-of-mind concern. Almost 30% reported that they had either occasionally or frequently encountered incidents of deepfake or synthetic identity fraud in the past year.

One trend we’re seeing more of linked to deepfake attacks? Android rooting and iPhone jailbreaking.

While originally used by tech enthusiasts to unlock hidden features, rooting or jailbreaking phones has become a common tactic in the fraudster’s playbook, making detecting and blocking tampered devices an essential component of any holistic fraud prevention solution.

Rooting or jailbreaking phones has become a common tactic for carrying out deepfake attacks on identity verification systems.
Rooting or jailbreaking phones has become a common tactic for carrying out deepfake attacks on identity verification systems.

What Is iPhone Jailbreaking or Android Rooting?

Jailbreaking refers to the process of removing software restrictions imposed by the phone’s operating system, typically on iPhones (iOS). On Android devices, a similar process is called rooting, which allows the user to gain elevated privileges by running as the root user.

Once a device is jailbroken or rooted, the user gains full control over the device, allowing them to bypass security settings, modify core files, and install apps that would normally be blocked.

Rooting an Android device is a more complicated process compared to jailbreaking an iPhone, given that it requires specific software per device model. Any error during the rooting process can ‘brick’ the device.

While some users root or jailbreak for customization, fraudsters use it inject deepfake videos during real-time selfie checks to try and bypass biometric identity verification.

That said, it is not always necessary to have root privileges to install virtual camera software on a Android device or configure apps that mock geolocation data, reiterating that holistic risk signal analysis is essential for advanced deepfake detection.

Jailbreaking an iPhone doesn’t require a high level of technical expertise, yet some of the most common fraud tactics used on a jailbroken iPhone, such as hijacking the camera feed to inject a pre-recorded video, do require more advanced technical skill.

There are multiple types of iPhone jailbreaks, each offering different levels of control:

  • Untethered jailbreaks (e.g., older tools like Evasi0n) remain active after a device reboot.
  • Semi-tethered jailbreaks (e.g., Checkra1n) require reactivating the jailbreak after every reboot using a computer.
  • Rootless jailbreaks (e.g., unc0ver, Taurine) modify userland components without full filesystem access, making them harder to detect through conventional system scans.

Fraudsters are increasingly turning to stealthy rootless jailbreaks to evade detection systems that rely on identifying deep system-level changes. Tools like unc0ver and Taurine mark a shift toward a more evasive generation of jailbreaks that operate without altering the root file system, making them significantly harder to detect through isolated or shallow risk signal analysis.

Fraudsters use jailbreaking to inject deepfake videos during real-time selfie checks.
Fraudsters use jailbreaking to inject deepfake videos during real-time selfie checks.

How Fraudsters Use Jailbroken Phones to Commit Deepfake Fraud

In the hands of a bad actor, a jailbroken device becomes a powerful tool for carrying out a deepfake injection attack, giving fraudsters unrestricted access and system-level control to the inner workings of a device, making it easier to:

  • Bypass KYC or KYE identity verification
  • Override trusted camera inputs and inject synthetic videos, such as deepfakes
  • Tamper with app responses and device data, such as geolocation data

With full access to the system, fraud rings can install unauthorized scripts, automated tools, or bots designed to run onboarding flows at scale. This enables the rapid creation of hundreds of fake accounts, often using a combination of deepfakes and stolen or synthetic identities.

Step 1: Jailbreaking or Rooting a Device

First the fraudster jailbreaks or roots a device, which allows them to strip away built-in app protections and install hijacking tools.

Step 2: Bypassing Device Checks

The attacker manipulates the device environment to spoof location data, forge device attributes, and mimic trusted configurations. This undermines systems that rely on device trust signals to validate authenticity, such as operating system integrity or geolocation consistency.

Apple has introduced modern defenses like AMFI (Apple Mobile File Integrity) to block unauthorized code execution, and System Integrity Protection (SIP) to prevent tampering with system files. However, fraudsters circumvent these protections by:

  • Injecting malicious tweaks via custom dylibs embedded within cloned or sideloaded apps.
  • Using tools like Liberty Lite, which help hide the signs of jailbreaking from detection frameworks.
  • Employing rootless jailbreaks that avoid modifying core system partitions, making traditional jailbreak checks less effective.

Step 3: Camera Injection & Deepfake Insertion

The fraudster then replaces the live camera feed with a deepfake video, tricking the identity verification system into accepting synthetic content as genuine biometric input.

To perform camera injection, attackers often hook into the AVCaptureSession API, which manages real-time input from the iPhone’s camera. By intercepting this session, a jailbroken app can swap the live video feed with a pre-rendered deepfake while maintaining the illusion of an authentic stream.

In more advanced attacks, kernel-level extensions or custom dylibs (dynamic libraries) can patch low-level I/O processes, effectively bypassing even hardened system APIs and fooling apps that rely on system trust.

Jailbreaking or rooting is often the first step in an deepfake injection attack.
Jailbreaking or rooting is often the first step in a deepfake injection attack.

A Key Component of Multi-Angle Fraud

Jailbreaking is a component of multi-angle fraud, where multiple fraud tactics—like spoofed biometrics, fake documents, and jailbroken devices—are combined to maximize success. This type of fraud is so dangerous because, instead of relying on a single point of failure, it attacks the camera feed, the device OS, the app logic, and the user interaction layer simultaneously.

Without multiple risk signal defenses in place, verification systems can be fooled by what looks like a legitimate session, when in reality, it’s a synthetic performance running on a hijacked device.

How Incode Detects and Blocks Jailbroken Devices

A holistic fraud prevention solution defends against multi-angle fraud by simultaneously analyzing multiple fraud signals, including device tampering.

Incode’s holistic fraud prevention solution comprises 4 key components that work together to deliver a whole new level of spoofing detection. It combines multi-modal biometric checks with camera, device, and behavior trust and uses multi-frame video liveness to detect spoofing attempts while delivering a passive user experience.

1. Device Trust

    Incode ensures surface-level security and detects fraudulent attempts by analyzing device signals. This includes identifying suspicious devices, jailbroken or rooted status, virtual emulators, geolocation inconsistencies, and fingerprint anomalies.

    2. Camera Trust

    Incode safeguards camera integrity and identifies fraudulent attempts by analyzing camera interactions. This includes detecting virtual cameras and tampering to ensure live, unaltered video feeds and authenticity.

    3. Behavior Trust

    Incode monitors user behavior to identify fraudulent patterns and ensure authentic interactions. This includes analyzing motion dynamics, detecting suspicious bot-like behavior, and verifying natural user activity.

    4. Multi-Modal Intelligence

    Advanced AI-powered spoofing detection using multi-frame video analysis to examine minute details, such as image depth analysis, and carry out advanced digital spoof and camera evasion checks. This cutting-edge biometric intelligence prevents impersonation and ensures trusted identity verification.

    If a risk signal is detected, the platform can block the session, escalate it for review, or flag the user as high-risk.

    Jailbroken phones give fraudsters a dangerous level of control, and in 2025, they’re a key part of advanced fraud strategies. To stay protected, businesses need real-time detection of compromised devices and fraud signals that connect across biometrics, behavior, and device integrity.

    Learn more about Incode.

    Thanks to Incode Senior Android Engineer Alexander McCaleb, Incode Senior iOS Tech Lead Marko Cancar, and Incode Business Analyst Hiram Ortiz for their expert contributions to this article.