IBM Security Trusteer


The New Frontier of Fraud – Massive Mobile Emulator Fraudulent Operation

By Doron Hillman posted Wed December 23, 2020 09:56 AM


Co-authored by Ezra Maybruch.

As the use of mobile devices grows exponentially in all industries, fraudsters are looking for innovative ways of exploiting this field. In that context, IBM Security Trusteer Fraud Analytics recently discovered a large-scale mobile emulator-based fraud operation of a kind not seen before.

What is a Mobile Emulator?

A mobile emulator is a software application for a personal computer which creates a virtual version of a mobile device. Such software can emulate any mobile device type, manufacturer, model, screen size, location, and touch-screen presses and swipes. This software has many legitimate usage patterns, most notably helping developers build and test mobile applications that fit a wide array of devices without the need to actually use a physical device. It gives the application developer full flexibility, allowing them to control all aspects of the emulated device. Just like many software solutions, SaaS versions of these emulators have evolved in the past few years. A legitimate usage pattern for these SaaS emulators is rapidly testing software on multiple device types simultaneously, at large scale. Unfortunately, like many other technological innovations, this can be abused by criminals.

Suspicious, Not Malicious

The new discovery started a few months ago when IBM Security Trusteer detected a new unauthorized emulator operation configured to target multiple North American financial institutions, accessing thousands of accounts in one of our client’s applications. This operation was based on a few personal computers running emulator software that mimics mobile devices. Each emulator repetitively accessed clients’ accounts using the official banking applications, conducting tens of thousands of sessions.

At IBM, we are no strangers to scripted access attempts at scale. When facing web browser bots or emulators, our first action is to determine whether the attempted access originates from legitimate actors conducting authorized activity or from malicious actors attempting to exploit masses of compromised end-user accounts. Web browser bots can be used for legitimate reasons such as testing and monitoring tools or various FinTech solutions (P2P payments / aggregators). On the other hand, they can also be used for malicious activity such as web scraping, credential stuffing and more. However, scripted mobile emulator operations composed of multiple devices, custom-made designated applications and enhanced data processing capabilities had not been seen previously in the account takeover (ATO) landscape.

Several red flags were swiftly detected in this mobile emulator operation, including:

  • Emulator software indicators – legitimate users do not use emulators to run their banking apps
  • High impact on relatively high volumes of users – one device accessing thousands of accounts
  • Suspicious device attributes and behavior – device characteristics that do not make sense in the real world
  • Spoofing capabilities – attempts to hide a device's true characteristics or location
  • Accounts re-accessed repetitively over a few days
  • Device rooting and utilization of custom-made software – device built-in security protection was compromised
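The red flags above map naturally onto scoring logic run over login telemetry. What follows is an added, illustrative Python example written for this page; it is not Trusteer's detection logic, and the session field names (device_id, account, ts, build, su_binary, geo_country, ip_country), the thresholds and the sample log are all assumptions. It scores each device seen in a constructed session log using publicly known Android emulator indicators (the AVD "goldfish"/"ranchu" hardware names, generic/sdk build fingerprints, "test-keys" signed system images), a retail-handset model claimed on top of emulator hardware as a spoofing signal, a GPS-versus-IP country mismatch, root indicators, the number of distinct accounts touched per device, and whether the same accounts are re-accessed on several days.

```python
"""Illustrative red-flag scoring for emulator-driven account access.

Added example, not Trusteer's detection logic. Schema, thresholds and the
sample log below are assumptions that mirror the red flags listed in the post.
"""
import json
from collections import defaultdict

# Publicly known Android emulator markers: AVD kernels/hardware names,
# generic or SDK build products, and test-signed system images.
EMULATOR_HARDWARE = {"goldfish", "ranchu", "vbox86"}
EMULATOR_FINGERPRINT_MARKERS = ("generic", "sdk_gphone", "emulator", "vbox")
EMULATOR_MODEL_PREFIXES = ("android sdk", "sdk", "emulator")


def session_flags(s):
    """Per-session indicators derived from the reported device attributes."""
    b = s["build"]
    flags = set()
    fp = b["fingerprint"].lower()
    if b["hardware"] in EMULATOR_HARDWARE or any(m in fp for m in EMULATOR_FINGERPRINT_MARKERS):
        flags.add("emulator")
    # Spoofing: emulator hardware that claims to be a retail handset model,
    # or a declared GPS country that disagrees with the connecting IP.
    if "emulator" in flags and not b["model"].lower().startswith(EMULATOR_MODEL_PREFIXES):
        flags.add("spoofed_model")
    if s["geo_country"] != s["ip_country"]:
        flags.add("geo_ip_mismatch")
    # Rooting / compromised platform integrity (su binary or test-signed build).
    if s["su_binary"] or b["tags"] == "test-keys":
        flags.add("rooted")
    return flags


def score_devices(lines, account_threshold=20, min_days_reaccess=2):
    """Aggregate JSON-lines sessions per device and attach volume/behaviour flags."""
    per_dev = defaultdict(lambda: {"accounts": set(), "acct_days": defaultdict(set),
                                   "flags": set(), "sessions": 0})
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        s = json.loads(raw)
        d = per_dev[s["device_id"]]
        d["sessions"] += 1
        d["accounts"].add(s["account"])
        d["acct_days"][s["account"]].add(s["ts"][:10])  # calendar day of access
        d["flags"] |= session_flags(s)
    report = {}
    for dev, d in per_dev.items():
        flags = set(d["flags"])
        if len(d["accounts"]) >= account_threshold:      # one device, many accounts
            flags.add("many_accounts")
        if any(len(days) >= min_days_reaccess for days in d["acct_days"].values()):
            flags.add("reaccess_over_days")               # same account re-visited across days
        report[dev] = {"sessions": d["sessions"], "accounts": len(d["accounts"]),
                       "flags": sorted(flags), "score": len(flags)}
    return report


def constructed_log():
    """Constructed sample: one genuine handset (d1) and one emulator (d2) that
    cycles through 40 accounts on three consecutive days while claiming to be a
    Galaxy S10 located in the US, connecting from a German IP."""
    genuine = {"device_id": "d1", "account": "acct-0001", "ts": "2020-11-02T09:00:00",
               "build": {"hardware": "qcom",
                         "fingerprint": "samsung/beyond1lte/beyond1:10/QP1A.190711.020/G973FXXU3BSKO:user/release-keys",
                         "model": "SM-G973F", "tags": "release-keys"},
               "su_binary": False, "geo_country": "US", "ip_country": "US"}
    lines = [json.dumps(genuine)]
    for day in ("2020-11-02", "2020-11-03", "2020-11-04"):
        for i in range(40):
            lines.append(json.dumps({
                "device_id": "d2", "account": f"acct-{1000 + i:04d}",
                "ts": f"{day}T0{i % 10}:{i:02d}:00",
                "build": {"hardware": "ranchu",
                          "fingerprint": "google/sdk_gphone_x86/generic_x86:10/QSR1.190920.001/5891938:userdebug/test-keys",
                          "model": "SM-G973F", "tags": "test-keys"},
                "su_binary": True, "geo_country": "US", "ip_country": "DE"}))
    return lines


if __name__ == "__main__":
    for dev, r in score_devices(constructed_log()).items():
        print(dev, r)
```

The genuine handset scores zero, while the emulator device collects all six flags (emulator, spoofed_model, geo_ip_mismatch, rooted, many_accounts, reaccess_over_days). In practice the per-session attribute checks are the cheap first pass; the volume and re-access flags only become visible once sessions are joined on a stable device identifier, which is why device fingerprinting that survives emulator snapshots matters as much as any single indicator.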

Despite several indications of suspicious activity, there was still no "smoking gun" to clearly indicate these access attempts were malicious in nature. Following cross-investigations with our client, a bank, these were confirmed to be unauthorized access attempts. They were made by a third-party financial service to which the account holders themselves had granted consent to access their accounts. That service, however, was using protocols the bank had not agreed to: it drove the bank's official app from emulators to pull its own clients' account balances out of the bank's end-user accounts.

Fortunately, the actions in this instance were taken by legitimate actors, even though they violated the bank's end-user terms for the app. However, this discovery made it clear that such methods could easily be imitated and adapted by malicious actors in the future.


New Measures Put in Place to Fight Future Fraud

Armed with this understanding, Trusteer quickly used its bot and emulator detection capabilities to enhance fraud-management logic across all clients, so that similar methods would be detected if they were later used maliciously. A few months later, this proactive approach paid off in a major way. In the last two months, Trusteer detected a large-scale fraudulent emulator operation that:

  • Used more than 15 designated emulated devices
  • Accessed more than 6,000 end-user accounts committing tens of thousands of logins
  • Attempted to conduct thousands of fraudulent transactions

This emulator operation relentlessly attacked a major retail bank, attempting thousands of times to steal money from end-user accounts. Trusteer's detection mechanisms alerted on more than 99% of these emulator sessions, thanks to tried-and-true capabilities alongside new ones. The prime factor in the zero-day detection of this attack was the set of detection methods newly implemented after the earlier legitimate, yet suspicious, emulator access attempts.

This time Trusteer did uncover the malicious "smoking gun" evidence:

  • Suspicious transaction patterns and actual money losses were detected
  • Enhanced emulator and spoofing indications above and beyond the previously used ones
  • Social engineering indications combined with the mobile emulator access attempts

The digital fraud landscape, the technologies used by threat actors and the sophistication of the attacks are all constantly evolving.

Fraudsters continuously up their game, adopting agile practices and utilizing technologies commonly used by legitimate enterprises. To serve our customers, Trusteer looks "ahead of the curve." Our technologies, vast accumulated data and deep domain expertise allow us to develop defense mechanisms not only against what malicious actors use today but, just as importantly, against what they will use tomorrow.