
Jack Kerr at Appdome explains how AI deepfakes and voice cloning have shattered the biometric barrier
For over a decade, biometric authentication, including facial recognition, fingerprint scans and voice matching, has been a pinnacle of mobile security and identity protection. Consumers trusted it to protect their devices and data.
As a result, enterprises embedded it into mobile apps using Apple’s Face ID, Android Face Unlock and other methods as a seamless way to quickly verify users while reducing fraud. But that trust has now been broken.
Today, AI has outpaced biometric security systems once believed to be unbreakable. Facial recognition, voice authentication and fingerprint scans, the secure gatekeepers for mobile apps, are now being bypassed by AI-generated deepfakes, synthetic voices and virtual camera injections with ease.
The leading security solutions of the past are now being outpaced, often without the user’s or business’s knowledge, and without the attacker ever laying hands on the device. And this is only the beginning. As AI technology continues to evolve, these attacks will become more accessible, more convincing and more frequent.
Without a new approach to mobile app security and biometric protection, the gap between threat and defence will only widen.
Most people associate deepfakes with celebrity videos, but the real threat is far more personal. Today’s attackers are targeting us, cloning the faces and voices of everyday users to break into mobile apps and services.
Armed with AI-powered tools, fraudsters are fooling facial recognition systems into granting access to apps by presenting AI-generated likenesses of the user. With just a few seconds of public photos, video, or audio, they can create AI likenesses convincing enough to fool facial recognition software or clone a voice well enough to pass authentication checks.
Pictures can also be seamlessly stitched onto an attacker’s face to create a video deepfake that bypasses protections.
These attacks don’t require physical access to a device; they’re carried out remotely, often in the background, and without raising alarms. A mobile banking app, for instance, may unlock for a deepfake injected via a virtual camera app, while a synthetic voice may be used to reset passwords or authorise transactions. The attacker doesn’t need the real device, only a replica of the user.
The AI tools to create synthetic faces and voices are relatively cheap, opening up biometric bypass attacks beyond state actors or elite hacking groups. As a result, there is a thriving underground market offering ‘deepfake-as-a-service’, complete with biometric circumvention kits that include virtual cameras, AI face generators and cloned voices. In some cases, these services are available for less than £100.
Criminals can deploy these tools at scale to take over existing user accounts, open new fraudulent ones, and execute unauthorised transactions without triggering fraud alerts.
The cost of losses to the consumer is high, and it also has ripple effects on the mobile brand and the multi-billion-pound industry. Not only may mobile businesses have to recoup the cost, but there are also regulatory and reputational stakes at play. A recent UK survey of mobile users highlighted a stark reality: nearly 71% said they would abandon a brand if they felt it could not adequately protect their identity or data.
This erosion of trust has very real consequences. Consumers are increasingly aware of the risks they face online, and biometric failure is no longer seen as an unfortunate exception; it’s becoming part of a broader pattern of neglect.
In a competitive mobile landscape, where users have endless alternatives, trust becomes a direct driver of retention, loyalty and revenue. If customers don’t feel secure and trust the business, they don’t just leave; they tell others why.
Mobile brands and businesses must stay ahead of biometric deepfake threats to protect their users and reputations, which requires a shift in mindset. AI threats change fast, in days or even hours. Traditional fraud detection systems tend to operate on the backend (not on device), after a login has occurred or a transaction has been processed, and are blind to malicious activity on the device and in the app.
It is no longer enough to rely solely on facial recognition or voice authentication. Biometric systems were designed for convenience and user experience, not to detect manipulation. Yet today, attackers are using deepfakes to bypass these systems with the intent to steal identities and commit fraud.
Protecting the integrity of biometric processing requires layered, context-aware approaches that go beyond identity and evaluate intent. This includes detecting virtual camera apps, detecting voice cloning attempts and recognising behavioural inconsistencies in both the user and the environment.
Rather than treating biometric success as the end of a check, security systems must now treat it as the beginning of a real-time, dynamic evaluation.
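A sketch of that idea, added here as an illustration and not taken from the article or from any Appdome product: a successful biometric match is only the entry condition, after which capture-channel and context signals decide between allow, step-up and deny. The signal names, weights and thresholds are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical signal names, weights and thresholds, for illustration only.
@dataclass
class SessionSignals:
    biometric_passed: bool         # face/voice match result
    virtual_camera_detected: bool  # frames did not come from the physical camera
    synthetic_voice_score: float   # 0.0-1.0 from a voice-clone detector
    known_device: bool             # device already bound to this account
    behaviour_deviation: float     # 0.0-1.0 distance from the user's usual pattern
    high_value_action: bool        # e.g. password reset or payment

def evaluate(s: SessionSignals) -> tuple[str, list[str]]:
    """Return (decision, reasons): 'allow', 'step_up' or 'deny'."""
    if not s.biometric_passed:
        return "deny", ["biometric_failed"]
    # Evidence that the capture channel was tampered with invalidates the match.
    if s.virtual_camera_detected:
        return "deny", ["virtual_camera"]
    if s.synthetic_voice_score >= 0.8:
        return "deny", ["synthetic_voice"]
    # Softer context signals accumulate into a risk score.
    weighted = [
        (s.synthetic_voice_score >= 0.4, 2, "voice_uncertain"),
        (not s.known_device, 2, "new_device"),
        (s.behaviour_deviation >= 0.6, 2, "behaviour_anomaly"),
        (s.high_value_action, 1, "high_value_action"),
    ]
    reasons = [name for hit, _, name in weighted if hit]
    risk = sum(w for hit, w, _ in weighted if hit)
    return ("step_up" if risk >= 3 else "allow"), reasons

if __name__ == "__main__":
    # Constructed sessions: every one has a successful biometric match.
    samples = {
        "routine login": SessionSignals(True, False, 0.1, True, 0.1, False),
        "injected camera feed": SessionSignals(True, True, 0.0, True, 0.1, False),
        "new device, payment": SessionSignals(True, False, 0.1, False, 0.2, True),
    }
    for label, sig in samples.items():
        print(label, "->", evaluate(sig))
```

All three constructed sessions pass the biometric check, yet only the first is allowed outright; the injected feed is denied and the payment from an unbound device is sent to step-up verification.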
Doing this effectively demands speed, intelligence and dynamic adaptation. Fraud is no longer a static event. It’s a constantly evolving, AI-driven threat. That means defenders must also use AI, not just to detect anomalies, but to benchmark risk, prioritise responses and predict how, when and where the next AI-powered synthetic attacks will occur.
This marks the shift from legacy security automation to AI-native defences that protect against attackers who are now deploying AI-powered tools to scale and personalise their attacks.
The future of mobile security lies in AI-native defence platforms powered by dynamic threat intelligence built from the ground up to learn, adapt and respond as quickly as the threats they face. In this new paradigm, mobile apps can proactively assess risk, continuously analyse thousands of threat vectors, compare behaviours across users and sessions, and dynamically adjust protections in real time.
Only this level of intelligence will close the gap between AI-powered synthetic attackers and mobile defences and restore the trust users have lost.
Biometrics will continue to play a critical role, but they must be protected. In a world where identities can be faked with alarming precision on mobile apps, static authentication is no match for AI-powered deepfakes and adaptive fraud.
The message for 2025 is clear: trust, once broken, is hard to rebuild. As AI-driven threats continue to rise, mobile businesses must prioritise real-time, AI-native adaptive protection for biometric processing, or risk losing the confidence and trust of the very users they aim to serve.
Jack Kerr is a Director of Appdome
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543