What are mobile emulator farms?

Mobile emulators make the lives of developers easier because they allow them to emulate, or mimic, smartphone or mobile device environments for testing purposes. They are a cost-effective way to test how features work across different devices (different makes and models, for example). A mobile emulator farm is essentially a grouping of these emulators that work in conjunction with each other. As you will soon read, the bad guys can put the usefulness of mobile emulator farms to work as well, with devastating results.

The evil mobile emulator farm attack

The evil mobile emulator farm attack takes advantage of the usefulness of mobile emulation. This novel attack was carried out on an unprecedented scale by what IBM researchers referred to as a “professional and organized” attack group. Some observed cases of this attack involved over 20 emulators in a single mobile emulator farm that spoofed over 16,000 compromised mobile devices.

How the emulator attack works

You can think of this attack as an incredibly elaborate spoofing scam built on the infrastructure of multiple mobile device emulators. Mobile devices carry several identifiers, and the attackers use them to “spoof” these devices. The device identifiers were harvested earlier, when the victim's device was infected with malware or the victim visited phishing pages. Once they have the identifiers (and the victim’s login credentials), the attackers turn to scripting and automation. In some cases, they use access to phishing logs and mobile malware botnets to conduct fraudulent transactions at scale. The power of automation lets the attackers push through large numbers of fraudulent money transfers, each in an amount that would not set off any alarms at the bank. Essentially, this theft from victims happens under everyone’s noses. A study of the overall infrastructure of mobile emulator farm attacks shows that several components are common to this attack type. These components are:

- Access to the usernames and passwords of the account holder who uses the device
- Access to device identifiers
- At least some ability to access SMS message content
- An automated environment customized for the targeted applications (including the logical flow of the events required to approve financial transactions)
- A farm, or set, of mobile emulators, sometimes 20 or more, that lets attackers spoof large numbers of devices and cycle new devices through quickly and at scale
- Customized network interception scripts used to communicate with the APIs of targeted applications

Hiding in plain sight

This attack takes hiding in plain sight to new heights. Emulators used in the attacks are either set up to appear exactly like an actual device already known to the network they gain access to, or they appear as randomized “new” mobile devices. Hiding in plain sight comes into play through custom applications that gather the parameters of legitimate devices, such as OS version, brand, IMEI, bootloader and more. Testing with these parameters gives the emulators accuracy and speed and helps ensure a convincing emulation.

Keepin’ it fresh

Cycling through infected devices is paramount for this attack. Whenever the system uses a device for a fraudulent transaction, that device is retired and replaced with another device that has not yet been used in the attack. The same happens when a financial institution blocks a device, and new, randomized devices are sometimes cycled in when needed.
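The fraud pattern described above and under “How the emulator attack works” (each device identity used once for a transfer kept below the bank's alarm threshold, then retired) has a recognisable shape in transfer logs, and the following detection logic is an added example, not code from the article or from IBM's report. The log lines, the 1000 review threshold and the five-device cutoff are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample transfer log (not real data): ts,account,device_id,src_ip,amount
# Five transfers from one source, each on a never-seen-before device id and each
# just under the review limit, next to ordinary traffic from repeat devices.
SAMPLE_LOG = """\
2020-12-01T09:00:01,acct-1001,dev-a1f3,203.0.113.10,950.00
2020-12-01T09:00:14,acct-1002,dev-b7c2,203.0.113.10,980.00
2020-12-01T09:00:27,acct-1003,dev-c9e4,203.0.113.10,975.00
2020-12-01T09:00:41,acct-1004,dev-d2a8,203.0.113.10,990.00
2020-12-01T09:00:55,acct-1005,dev-e5b1,203.0.113.10,965.00
2020-12-01T10:15:00,acct-2001,dev-home1,198.51.100.20,42.50
2020-12-01T10:20:00,acct-2001,dev-home1,198.51.100.20,120.00
2020-12-01T11:05:00,acct-2002,dev-home2,198.51.100.21,1500.00
"""

REVIEW_THRESHOLD = 1000.0  # assumed per-transfer amount that triggers manual review
NEAR_LIMIT_RATIO = 0.9     # amounts within this fraction of the limit count as "just under"
MIN_SINGLE_USE = 5         # assumed: this many single-use devices from one source is a farm signal

def parse_log(text):
    """Parse CSV lines into dicts; amount becomes a float."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, acct, dev, ip, amt = line.split(",")
        rows.append({"ts": ts, "account": acct, "device": dev,
                     "src_ip": ip, "amount": float(amt)})
    return rows

def find_farm_sources(transfers):
    """Flag source IPs whose transfers show the cycling pattern: many distinct
    device ids each used exactly once, every amount landing just below the limit."""
    by_src = defaultdict(list)
    for t in transfers:
        by_src[t["src_ip"]].append(t)
    flagged = {}
    for ip, rows in by_src.items():
        uses = defaultdict(int)
        for t in rows:
            uses[t["device"]] += 1
        single_use = sum(1 for n in uses.values() if n == 1)
        near_limit = sum(1 for t in rows
                         if NEAR_LIMIT_RATIO * REVIEW_THRESHOLD <= t["amount"] < REVIEW_THRESHOLD)
        if single_use >= MIN_SINGLE_USE and near_limit == len(rows):
            flagged[ip] = {"devices": len(uses), "transfers": len(rows),
                           "total": round(sum(t["amount"] for t in rows), 2)}
    return flagged
```

In production the grouping key would be an ASN or device-fingerprint cluster rather than a single IP, and the thresholds would come from the institution's own review rules.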

Testing, testing, 1, 2, 3…

To ensure the success of both the emulation and the automation framework, attackers use custom applications to build test environments for the applications they intend to defraud. This allows the attackers to fine-tune the actions they take, the scripts they use and how well their tools work in different situations within the targeted application. Only after their attack craft has been perfected do they “go live,” further improving their chances of success.

Monitoring

The attackers keep robust monitoring over their fraudulent access attempts and use techniques to receive real-time information about how things are going. Hooking techniques intercept communication with the targeted application servers, and logs from attack sessions are sent to the attackers’ remote server. This allows them to see if the attack is going awry and whether tactics need to be modified to ensure success.

Mitigation

Mitigation may be challenging because the targets are end-users of financial applications who have varying levels of cybersecurity training (or none whatsoever). Therefore, the best method of mitigation is for end-users of targeted apps to tighten up their security awareness. Measures you can take include:

- Avoid rooting or jailbreaking your mobile devices
- Make sure your device has all its updates
- Make sure any app you download comes from an official store and a legitimate company or developer
- Delete unused apps
- Regularly check your bank statements and promptly report any suspicious activity

Avoiding mobile emulator farm issues

Mobile emulator farms can be helpful to developers for many reasons. The dark side of this usefulness is that attackers have adapted mobile emulator farms to cybercrime, and the result is a new type of attack that is more sophisticated and capable than many others. With this said, good security awareness in the use of your mobile device will do the heavy lifting in keeping you safe from evil mobile emulator farm attacks.

Sources:

IBM Trusteer Exposes Massive Fraud Operation Facilitated by Evil Mobile Emulator Farms. Security Intelligence.