A new banking scam: smartphone emulators to empty accounts

Source: HW Upgrade added 18th Dec 2020


The criminals used emulators to access bank accounts impersonating legitimate customers, thereby initiating illicit transactions to steal funds

By Andrea Bai, published at 12:41 in the Security channel

IBM Trusteer security researchers discovered a scam based on a network of mobile device emulators working together to drain millions of dollars from bank accounts within a few days. Emulators are standard tools used by developers and security researchers to test apps for smartphones and check their behavior on different devices, which are, in fact, emulated.

This is an operation of unprecedented scope: in one case the group behind it used approximately 20 emulators to impersonate over 16,000 phones belonging to as many individuals whose bank accounts had been compromised. In another case, a single emulator was able to spoof over 8,100 devices. The criminals entered usernames and passwords into banking apps running on the emulators and set up operations to steal funds from the compromised accounts. The targeted banking institutions are located in the US and Europe.

Emulated smartphones and emptied accounts: the scam in the US and Europe

In order to circumvent the protections that banking institutions put in place precisely to defend against this type of attack, the criminals used device identifiers matching the device registered to each account holder, together with counterfeit GPS coordinates matching the locations the compromised device normally reported from. The criminals were also able to bypass two-factor authentication by gaining access to SMS messages. According to the IBM Trusteer researchers, the credentials used to access the bank accounts, and then carry out illicit transactions from the emulated devices, were obtained by means of malware or phishing attacks.

However, it is not entirely clear how the device identifiers were traced or how the SMS messages were intercepted. "This fraud enabled them to automate account access, initiate transactions, receive and compromise a second authentication factor, and use these codes to complete illicit transactions. Data sources, scripts and custom applications created by criminals converged in a high-speed automated process that allowed them to steal millions of dollars from each bank within days," the researchers write.

Each time the criminals completed an operation, they replaced the emulated device with a new one. They also periodically checked whether an emulated device had been rejected by a bank's anti-fraud system, in order to replace it with a new emulated device.
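A detection check a bank's fraud team could run over its own login telemetry, added here as an example (not code from the article or from IBM Trusteer): it flags a single client source that presents many distinct device identifiers within a short window, the signature of one emulator standing in for thousands of phones and rotating the device after each transaction. The sample log and the `source` field (assumed to be a client-side fingerprint such as an egress IP that device-ID spoofing does not change) are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article). Each line is:
# timestamp, account, device_id, source, action. `source` is assumed to be a
# fingerprint the client cannot change by spoofing its device ID (here an IP).
SAMPLE_LOG = """\
2020-12-14T09:00:00 acct-1001 dev-a1 198.51.100.7 login
2020-12-14T09:00:20 acct-1001 dev-a1 198.51.100.7 transfer
2020-12-14T09:01:00 acct-1002 dev-b2 198.51.100.7 login
2020-12-14T09:01:30 acct-1002 dev-b2 198.51.100.7 transfer
2020-12-14T09:02:00 acct-1003 dev-c3 198.51.100.7 login
2020-12-14T09:02:30 acct-1003 dev-c3 198.51.100.7 transfer
2020-12-14T09:03:00 acct-1004 dev-d4 198.51.100.7 login
2020-12-14T09:03:30 acct-1004 dev-d4 198.51.100.7 transfer
2020-12-14T09:00:00 acct-2001 dev-z9 203.0.113.5 login
2020-12-14T09:05:00 acct-2001 dev-z9 203.0.113.5 transfer
2020-12-14T09:09:00 acct-2001 dev-z9 203.0.113.5 login
"""

def parse_events(text):
    """Parse the space-separated log into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        ts, account, device, source, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "device": device, "source": source, "action": action})
    return sorted(events, key=lambda e: e["ts"])

def rotating_device_sources(events, window=timedelta(minutes=10), max_devices=3):
    """Return {source: distinct_device_count} for every source that presents more
    than max_devices distinct device IDs inside any window-long span: one client
    acting as many different phones, which a genuine customer never does."""
    by_source = defaultdict(list)
    for e in events:                      # events are already time-ordered
        by_source[e["source"]].append(e)
    flagged = {}
    for source, evs in by_source.items():
        start = 0
        for end in range(len(evs)):       # sliding window over this source's events
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            devices = {e["device"] for e in evs[start:end + 1]}
            if len(devices) > max_devices:
                flagged[source] = max(flagged.get(source, 0), len(devices))
    return flagged

def flag_from_log(text=SAMPLE_LOG):
    return rotating_device_sources(parse_events(text))
```

The threshold and window are tunable; a real deployment would key the window on whatever fingerprint the emulator cannot rotate (TLS or network-level attributes rather than the self-reported device ID).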