cyber crime


Experts discovered a large-scale fraud operation that used a network of mobile device emulators to steal millions of dollars from online bank accounts.

 Researchers at IBM Trusteer discovered a large-scale fraud operation that used a network of mobile device emulators to steal millions of dollars from online bank accounts within a few days.

Cybercriminals used about 20 mobile device simulators to imitate the phones of more than 16,000 customers whose mobile bank accounts had been stolen.

According to experts, this is one of the largest banking frauds in history. Hackers have successfully stolen millions of dollars from European and American financial institutions.

Experts also reported that in a single case, cybercriminals used a single emulator to deceive 8,173 devices.

“This is the work of a professional and organized gang that uses the infrastructure of mobile device emulators to set up thousands of deceptive devices that access thousands of infected accounts.” Read the research Reports issued by personnel . “In each case, a set of mobile device identifiers are used to deceive the actual account holder’s devices, which may have been previously infected by malware or collected through phishing pages.”

 Threat participants used mobile malware botnets or crawled phishing logs to obtain login for online bank accounts, and then used them to ultimately complete fraudulent transactions.

The threat actors entered their usernames and passwords into the banking application running on the simulator and then conducted fraudulent transactions.

Crooks used the emulator to bypass the security measures implemented by the bank to detect fraudulent transactions. They used the device identifier corresponding to each infected account holder and the fraudulent GPS location previously associated with that device. The had obtained the device ID from the infected device and was also able to bypass multi-factor authentication by accessing SMS messages.

The hacker developed an application to provide device specifications to the emulator.

These specifications can be automatically obtained from the database of infected device logs, thereby providing the emulator with all parameters (such as brand, operating system version, IMEI and bootloader) Speed ​​and accuracy.

“In addition, the automated system matches the device with the account holder’s username and password to access their bank account.” Continue anal analysis.

“When the compromised device is operating in a specific country, the simulator spoofs the GPS location. From there, it connects to the account via a matching virtual private network (VPN) service. The used a mix of publicly available legal tools (Mainly for testing) and possible custom applications created for this operation.”


The scammer managed to automatically complete the process of accessing the account, initiating the transaction, capturing the OTP code sent via SMS, and completing the illegal transaction.

IBM researchers pointed out that scammers will eliminate deceptive devices involved in successful transactions and replace them with new ones. When the is rejected by the anti-fraud system used by the bank, the attacker also loops through the device.

The threat actor behind the fraud operation intercepted the communication between the deception device and the bank application server to monitor the progress of the operation in real time.

“The people behind it are likely to be an organized team with access to skilled mobile malware technology developers as well as people well-versed in fraud and money laundering activities. These types of characteristics are typical for gangs in the desktop malware space, such as those operating TrickBot or the gang known as Evil Corp.” IBM Trusteer concluded.