The scale of the operation was unlike anything the researchers have seen before. In one case, crooks used about 20 emulators to mimic more than 16,000 phones belonging to customers whose mobile bank accounts had been compromised. In a separate case, a single emulator was able to spoof more than 8,100 devices.

The thieves then entered usernames and passwords into banking apps running on the emulators and initiated fraudulent money orders that siphoned funds out of the compromised accounts. Emulators are used by legitimate developers and researchers to test how apps run on a variety of different mobile devices.

To bypass protections banks use to block such attacks, the crooks used device identifiers corresponding to each compromised account holder and spoofed GPS locations the device was known to use. The device IDs were likely obtained from the holders’ hacked devices, although in some cases, the fraudsters gave the appearance that they were customers who were accessing their accounts from new phones. The attackers were also able to bypass multi-factor authentication by accessing SMS messages.

Automating Fraud

“This mobile fraud operation managed to automate the process of accessing accounts, initiating a transaction, receiving and stealing a second factor (SMS in this case), and in many cases using those codes to complete illicit transactions,” IBM Trusteer researchers Shachar Gritzman and Limor Kessem wrote in a post. “The data sources, scripts, and customized applications the gang created flowed in one automated process which provided speed that allowed them to rob millions of dollars from each victimized bank within a matter of days.”