Mobile emulator farms: What are they and how they work
Testing makes the information security world go ‘round. Those creating mobile applications have a legitimate need for mobile emulator farms as they allow developers and testers to mimic characteristics of an array of mobile devices without having to buy said devices, thus allowing for the testing of applications and features. IBM Security Trusteer researchers have uncovered a massive fraud operation where mobile emulator farms were used to steal millions of dollars from financial institutions in the U.S. and Europe.
What are mobile emulator farms?
Mobile emulators make the lives of developers easier as they allow them to emulate, or mimic, smartphone or mobile device environments for testing purposes. It is a cost-effective way to test how features work across different devices (different makes and models, for example). A mobile emulator farm is essentially a grouping of these emulators that work in conjunction with each other. As you will soon read, the usefulness of mobile emulator farms can be used by the bad guys as well with devastating results.
The evil mobile emulator farm attack
The evil mobile emulator farm attack takes advantage of the usefulness of mobile emulation. This novel attack was carried out by what IBM researchers referred to as a “professional and organized” attack group that was carried out on an unprecedented scale. Some observed cases of this attack involved over 20 emulators in a mobile emulator farm that spoofed over 16,000 compromised mobile devices.
How the emulator attack works
You can think of this attack as an incredibly elaborate spoofing scam using the infrastructure of multiple mobile device emulators. Mobile devices have several identifiers and the attackers use them to “spoof” these devices. These device identifiers were picked up by previously being infected with malware or visiting phishing pages. After getting the identifiers (and having the victim’s login credentials), the attackers use scripting and automation. In some cases, they use access to phishing logs and mobile malware botnets to conduct fraudulent transactions at scale. The attackers use the power of automation to transact large numbers of fraudulent money transfers in amounts that would not set off any alarms of suspicion for the bank. Essentially, this theft from victims happens under everyone’s noses.
A study of the overall infrastructure of mobile emulator farm attacks shows that several components are common in this attack type. These components are:
- Access to usernames and passwords of the account holder (that uses the device)
- Access to device identifiers
- At least some ability to access SMS message content
- An automated environment that is customized for targeted applications (including the logical flow of the events required to approve financial transactions)
- A farm, or set, of mobile emulators, sometimes 20 or more, that allow attackers to spoof large numbers of devices as well as to cycle new devices through quickly and at scale
- Customized network interception scripts to be used for communication with APIs of targeted applications
Hiding in plain sight
This attack takes hiding in plain sight to new heights. Emulators used in attacks are either set up to appear exactly like an actual device in the repository of networks it gains access to or they appear as randomized “new” mobile devices.
Hiding in plain sight comes into play by using custom applications to gather parameters of legitimate devices such as OS version, brand, IMEI, bootloader or more. Testing using these parameters gives the emulators accuracy and speed and helps ensure a successful emulation.
Keepin’ it fresh
Cycling through infected devices is paramount for this attack. Whenever a system uses a device for a fraudulent transaction, that device is then recycled and replaced with another device that has not been used yet in the attack. This also happens when a financial institution blocks a device and sometimes new, randomized devices are cycled in when needed.
Testing, testing, 1,2, 3…
Ensuring both the success of the emulation and automation framework, attackers use custom applications to provide test environments of the applications they intend to defraud. This allows the attackers to fine-tune the actions they take, the scripts they use and how well their tools work in different situations of the targeted application. Only after their attack craft has been perfected do they “go live” in their attacks, further improving their chances of success.
Monitoring
This attack uses robust monitoring of their fraudulent access attempts and uses techniques to receive real-time information about how things are going. Hooking techniques are used for communication interception with targeted application servers and logs from attack sessions are sent to the attackers’ remote server. This allows them to see if the attack is going awry and if tactics need to be modified to ensure success.
Mitigation
Mitigation may be challenging because the targets are end-users of financial applications that have varying levels of cybersecurity training (or any knowledge whatsoever). Therefore, the best method of mitigation is for end-users of targeted apps to tighten up their security awareness. Measures you can take include:
- Avoid rooting or jailbreaking your mobile devices
- Make sure your device has all its updates
- Download the app you download is from an official store and a legitimate company or developer
- Delete unused apps
- Regularly check your bank statements and promptly report any suspicious activity
What should you learn next?
Avoiding mobile emulator farm issues
Mobile emulator farms can be helpful for developers for many reasons. The dark side to this usefulness is attackers have adapted mobile emulator farms towards cybercrime and the result is a new type of attack that is more sophisticated and capable than many other types of attacks. With this said, using good security awareness with your mobile device will do the heavy lifting in keeping you safe from evil mobile emulator farm attacks.
Sources:
IBM Trusteer Exposes Massive Fraud Operation Facilitated by Evil Mobile Emulator Farms. Security Intelligence.
In this Series
- Mobile emulator farms: What are they and how they work
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
- Top 8 Microsoft Teams security issues
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security