Thousands of Emulated Mobile Devices Used to Steal Millions of Dollars

Researchers found an ongoing global mobile banking fraud campaign capable of swindling millions of dollars from various US and EU banks within a matter of days.

What has happened?

A cybercriminal group has been using mobile emulator farms to impersonate the phones of thousands of compromised account holders and access their bank accounts through spoofed mobile devices.
  • The scope of the operation was vast: more than 20 emulators were used to spoof over 16,000 compromised devices.
  • An emulator mimics the characteristics of a given mobile device without the need to buy the hardware. In this campaign, emulators were abused to impersonate the victims' own, already compromised devices.
  • Data sources, scripts, and custom-built applications were combined into an automated pipeline that sped up the attack, allowing the group to steal millions of dollars within days.

Modus operandi

The attackers automated the entire chain: accessing an account, initiating a transaction, obtaining the SMS one-time code used as the second factor, and using that code to complete the illicit transfer.
  • A tool fed device specifications from a database of previously compromised devices into the emulators, and each spoofed device was then paired with the banking credentials of its account holder.
  • The attackers could also spoof the GPS location of each impersonated device, and they routed their traffic through a virtual private network (VPN) service to hide its true origin from the banks.
  • After each attack wave they shut down the operation, wiped their traces, and prepared for the next one. Throughout, they monitored activity on the compromised accounts in real time.
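The chain above (new device fingerprint, immediate transfer, SMS OTP, confirmation, many accounts through one masked egress point) is exactly what a bank's fraud pipeline can look for. The following is an added example, not code from the researchers or from any bank: two heuristics run over a constructed session log. Field names, the baseline of known device fingerprints, the 10- and 30-minute windows, and the assumption that VPN egress shows up as one source IP serving several accounts are all assumptions made for the example.

```python
"""Added example: bank-side heuristics for the emulator-farm pattern (not from the report)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: device fingerprints each account has used before (assumption).
KNOWN_DEVICES = {
    "acct-1001": {"dev-A"},
    "acct-1002": {"dev-B"},
    "acct-1003": {"dev-C"},
}

# Constructed session log: (timestamp, account, device fingerprint, source IP, event).
# The events mimic the flow described above: login -> transfer initiated ->
# SMS OTP issued -> transfer confirmed. This is sample data, not real traffic.
SAMPLE_LOG = [
    ("2020-12-01T10:00:00", "acct-1001", "dev-A",  "203.0.113.9",  "login"),
    ("2020-12-01T10:20:00", "acct-1001", "dev-A",  "203.0.113.9",  "view_balance"),
    ("2020-12-01T11:00:00", "acct-1002", "dev-B2", "198.51.100.7", "login"),
    ("2020-12-01T11:01:00", "acct-1002", "dev-B2", "198.51.100.7", "transfer_init"),
    ("2020-12-01T11:01:30", "acct-1002", "dev-B2", "198.51.100.7", "otp_sent"),
    ("2020-12-01T11:02:10", "acct-1002", "dev-B2", "198.51.100.7", "transfer_confirm"),
    ("2020-12-01T11:03:00", "acct-1003", "dev-C2", "198.51.100.7", "login"),
    ("2020-12-01T11:03:40", "acct-1003", "dev-C2", "198.51.100.7", "transfer_init"),
    ("2020-12-01T11:04:00", "acct-1003", "dev-C2", "198.51.100.7", "otp_sent"),
    ("2020-12-01T11:04:50", "acct-1003", "dev-C2", "198.51.100.7", "transfer_confirm"),
    ("2020-12-01T11:05:00", "acct-1004", "dev-D2", "198.51.100.7", "login"),
]

TRANSFER_CHAIN = {"transfer_init", "otp_sent", "transfer_confirm"}


def parse_log(rows):
    """Turn the raw tuples into (datetime, account, device, ip, event), oldest first."""
    return sorted((datetime.fromisoformat(ts), a, d, ip, ev) for ts, a, d, ip, ev in rows)


def fast_new_device_transfers(events, known, window=timedelta(minutes=10)):
    """Flag accounts where a login from a never-before-seen device fingerprint is
    followed by the full transfer_init -> otp_sent -> transfer_confirm chain
    within `window`. Returns [(account, device, ip), ...]."""
    alerts = []
    pending = {}  # account -> (login time, new device, events seen so far)
    for ts, acct, dev, ip, ev in events:
        if ev == "login" and dev not in known.get(acct, set()):
            pending[acct] = (ts, dev, set())
        elif acct in pending:
            t0, dev0, seen = pending[acct]
            if dev == dev0 and ts - t0 <= window:
                seen.add(ev)
                if TRANSFER_CHAIN <= seen:
                    alerts.append((acct, dev0, ip))
                    del pending[acct]
    return alerts


def shared_egress_fanout(events, window=timedelta(minutes=30), min_accounts=3):
    """Flag source IPs from which at least `min_accounts` distinct accounts logged in,
    each presenting a different device fingerprint, inside `window`. A farm of
    emulators behind one VPN egress looks like this (assumption for the example).
    Returns [(ip, number of distinct accounts), ...]."""
    logins_by_ip = defaultdict(list)
    for ts, acct, dev, ip, ev in events:
        if ev == "login":
            logins_by_ip[ip].append((ts, acct, dev))
    alerts = []
    for ip, logins in logins_by_ip.items():
        for i, (t0, _, _) in enumerate(logins):
            in_window = [l for l in logins[i:] if l[0] - t0 <= window]
            accounts = {a for _, a, _ in in_window}
            devices = {d for _, _, d in in_window}
            if len(accounts) >= min_accounts and len(devices) >= min_accounts:
                alerts.append((ip, len(accounts)))
                break  # one alert per IP is enough
    return alerts


def analyze(rows, known=KNOWN_DEVICES):
    """Run both heuristics over a raw log and return the alerts by rule name."""
    events = parse_log(rows)
    return {
        "fast_new_device_transfers": fast_new_device_transfers(events, known),
        "shared_egress_fanout": shared_egress_fanout(events),
    }


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOG).items():
        print(rule, hits)
```

Neither rule alone is conclusive: a customer who buys a new phone and immediately pays a bill trips the first, and a corporate NAT or a carrier-grade NAT trips the second. In practice the two are scored together with other signals, such as the spoofed GPS position disagreeing with the geolocation of the VPN egress IP, before a transfer is held for review.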

Conclusion

It is challenging for organizations to mitigate the fraud risk posed by sophisticated, organized crime groups. For users, experts suggest not jailbreaking (or rooting) their devices, applying system and app updates promptly, deleting apps that are no longer in use, installing apps only from official app stores, checking bank statements regularly, and reporting any suspicious activity to their bank.