Hackers use mobile emulators to steal millions of dollars from bank accounts

IBM Security Trusteer’s mobile security research team has uncovered a major fraud campaign that used mobile emulators to steal millions of dollars from financial institutions in Europe and the US within a matter of days.


Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

The research team says that the hackers used an infrastructure of mobile device emulators to set up thousands of spoofed devices that accessed thousands of compromised accounts.

In each instance, a set of mobile device identifiers was used to spoof an actual account holder’s device, likely ones that were previously infected by malware or collected via phishing pages.

Using automation, scripting, and potentially access to a mobile malware botnet or phishing logs, the attackers, who have the victim’s username and password, initiate and finalise fraudulent transactions at scale. In this automatic process, they are likely able to script the assessment of account balances of the compromised users and automate large numbers of fraudulent money transfers, being careful to keep them under amounts that trigger further review by the bank.

An emulator can mimic the characteristics of a variety of mobile devices without the need to purchase them and is typically used by developers to test applications and features on a wide array of device types.

IBM Trusteer says that the scale of the operation is one that has never been seen before: in some cases, over 20 emulators were used in the spoofing of well over 16,000 compromised devices.

Says the company: "The attackers use these emulators to repeatedly access thousands of customer accounts and end up stealing millions of dollars in a matter of just a few days in each case. After one spree, the attackers shut down the operation, wipe traces, and prepare for the next attack."

In subsequent attacks using the same tactics, IBM Trusteer was able to see evolution and lessons learned when the attackers evidently fixed errors from past attacks.

IBM Trusteer's intelligence team has also observed a trending fraud-as-a-service offering in underground venues that promises access to the same type of operation to anyone willing to pay for it, with or without the required skill.

"This lowers the entry bar for would-be criminals or those who plan to transition into the mobile fraud realm," says the research unit. "It also means this at-scale automation scheme can be adapted to almost any financial institution in a variety of countries and territories and is likely to become a growing trend among cybercriminals."

Comments: (1)

Eli Talmor CEO at ID-Bound

The only question I have: how come these financial institutions in Europe and the US didn't see this coming? Does it surprise them that static data can be stolen?
