Skip to content

How Hackers Used Mobile Emulators to Steal Millions

Posted on by Dawna M. Roberts in SecurityDecember 23, 2020

First discovered by IBM Security Trusteer's mobile security research team, a gang of hackers were found emulating more than 16,000 bank customers' phones and using them to steal millions.

mobile emulator

What is a Mobile Emulator?

A mobile emulator is simply software. Typically, the software is used for legitimate purposes so that a developer can emulate a specific type of mobile device to test new apps and software. The process is called virtualization

How Do Thieves Use Them for Fraud?

In this particular case, the hackers used emulators to breach bank apps where two-factor authentication is used by sending a code to the person's mobile device. Once the attacker has the emulated phone in their hands along with other login information, they can basically take control of a person's entire digital life. Some of the highlights of how they accomplished this from IBM's report list:

  • "Access to account holders' usernames and passwords.
  • Access to device identifiers and data likely gathered via compromised mobile devices.
  • Some ability to obtain SMS message contents.
  • A customized automation environment tailored to targeted applications and the logical flow of events to approve transactions.
  • A set of virtual mobile emulators, dozens in each case, to amplify the ability to spoof a larger number of devices and cycle through new ones rapidly and at scale.
  • Customized network interception scripts that communicated with the targeted application's API. These interceptions both submitted transactions and also monitored communications to ensure that the fraud was not being detected."

Along with these critical pieces, the hackers also developed and used software to carry out the fraud. More than 16,000 users' phones were emulated using around 20 emulators. The banks have been notified, and the first attack was stopped, but experts predict this won't be the last.

IBM commented that "The attackers use these emulators to repeatedly access thousands of customer accounts and ended up stealing millions of dollars in a matter of just a few days in each case. After one spree, the attackers shut down the operation, wiped traces, and prepared for the next attack."

How Was it Carried Out?

The hackers used phishing emails, SMS messages, and other techniques to deliver malware to the infected phones. Once installed, they began collecting credentials for bank accounts, passwords, and other private information. After compiling this huge amount of data into a database, they connected the emulated phones to it, and they began to look and act like the legitimate phone. They even had MEI numbers (Mobile Equipment Identity) to complete the ruse.

After that, they logged onto bank accounts, created fake money orders, or other methods to transfer the funds out. If they noticed that a bank detected the fraud, they severed the connection. 

IBM spread the grim news "This mobile fraud operation managed to automate the process of accessing accounts, initiating a transaction, receiving and stealing a second factor - SMS in this case - and in many cases using those codes to complete illicit transactions. The data sources, scripts, and customized applications the gang created flowed in one automated process, which provided speed that allowed them to rob millions of dollars from each victimized bank within a matter of days."

According to the report, IBM said that after a successful transition, each emulator would cycle through to another device and then another. If a bank detected fraud and blocked the device, the same thing happened. This continued "recycling" went on as it rotated through the entire volume of infected devices. 

These attacks used a level of sophistication right down to spoofing the GPS location (using a VPN) to evade detection. With access to the person's SMS messages, they could also easily bypass multi-factor authentication. Security experts believe the operation was well-funded. It is unclear who these attackers are, but there is an ongoing investigation to find out. 

The IBM report noted, "After responding to this massive attack, Trusteer researchers found that the robustness and sophistication of the operation's automation environment were not a common sight in the cybercrime area. It is likely that those behind it are an organized group with access to skilled technical developers of mobile malware and those versed in fraud and money laundering. These types of characteristics are typical for gangs from the desktop malware realms, such as those operating TrickBot or the gang known as Evil Corp."

mobile emulator

How Can You Stay Safe?

The number one way hackers install malware on your device is through you clicking a link. Never click a link in an email, download an attachment, or even a link in SMS.  These days you cannot trust that the communication came from a legitimate source. 

About the Author

Related Articles

News Article

How to Detect “Fake News” Stories: Complete Guide to Fact-Checking

The last few years have brought many changes to the world, and one of the most sinister are fake news sto... Read More

News Article

How to Protect Yourself from Work-From-Home Scams

The idea of working from home sounds like a dream come true to many Americans. Some work-from-home jobs a... Read More

News Article

How Does Facebook People Search Work?

Social media platforms are great for finding long lost friends or family in far-flung places, but how the... Read More

News Article

A Full Guide on Social Engineering Attacks

Social Engineering Definition What is social engineering? Social engineering attacks are a new approac... Read More

News Article

What is The Most Common Password List: Discover and Avoid

To choose a good, safe password, it’s essential to know why password strength is necessary: it&rsqu... Read More

Uncover Hidden Information About Anyone: