Researchers found an ongoing global mobile banking fraud campaign capable of swindling millions from various US and EU banks within a matter of days.

What has happened?

A cybercriminal group has been using mobile emulator farms to access thousands of hacked accounts through spoofed mobile devices.
  • The scope of this attack was vast: more than 20 emulators were used to spoof over 16,000 compromised devices.
  • An emulator can mimic the characteristics of different kinds of mobile devices without any need to purchase them. In this attack, emulators were abused to spoof compromised mobile devices.
  • The data sources, scripts, and customized applications created an automated process that sped up the attack. It allowed the group to rob millions of dollars within a matter of days.

Modus operandi

Attackers automated the process of accessing accounts, initiating a transaction, obtaining and stealing a second factor (SMS), and using those codes to perform illicit transactions.
  • The attackers used a tool to feed in device specifications from a database of previously compromised devices. Then, they matched each spoofed device with the banking credentials of the account holder.
  • The attackers were even able to spoof the GPS location of a compromised device. They used a virtual private network (VPN) service to mask their malicious activity from the banks.
  • After every attack, they shut down their operation, wiped their traces, and then prepared for the next attack. In addition, they monitored activity on the compromised banking accounts in real time.


It is challenging for organizations to mitigate the fraud risk posed by sophisticated or organized crime groups. Thus, experts suggest avoiding jailbreaking, applying system/app updates, deleting apps no longer in use, using official app stores, checking bank statements, and reporting suspicious activity to banks.

Cyware Publisher