Hackers clone thousands of smartphones to drain their victims’ bank accounts

A group of threat actors ran a global fraud campaign that stole millions of dollars from banks in the United States and several European countries. According to the researchers, the attackers used large emulator farms to access thousands of compromised accounts through spoofed mobile devices.

Although emulators are not themselves malicious tools, the actors behind this attack turned them to malicious ends, emulating compromised devices to extend their reach. The attackers used a tool that fed device specifications, taken from a database of devices compromised in earlier incidents, into the emulators, so that each emulated device matched the real device of the account holder whose bank account was being targeted.

In their report, the researchers note that the emulator farm spoofed the GPS location of the emulated devices and routed traffic through multiple virtual private network (VPN) services so that the sessions appeared to originate where the real account holders were, preventing bank security teams from spotting the malicious activity.


Shachar Gritzman and Limor Kessem, the researchers who led the investigation, say the cybercriminals used more than 20 emulator farms to spoof nearly 16,000 devices: "These emulators were used to repeatedly access thousands of bank accounts, allowing millions of dollars to be stolen in a matter of days; the hackers carry out this operation, eliminate the traces of malicious activity and prepare their next attack," the experts say.

The operators of this campaign have shown resources and modes of operation similar to those of other sophisticated groups, such as TrickBot or Evil Corp. Among their methods for hijacking accounts are:

  • Access to account holders' usernames and passwords
  • Access to device identifiers collected from compromised mobile devices
  • Ability to access SMS message content
  • Use of a custom automation environment tailored to specific banking applications
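The article describes the attack from the fraudsters' side: stolen credentials, copied device identifiers, spoofed GPS coordinates and VPN egress. From the bank's side, the same properties leave traces that a fraud detection pipeline can look for. The following is an added example, not code from the article or from IBM Trusteer, of two simple detection heuristics run over a constructed login-event feed: an egress address that serves many distinct accounts and devices within a short window (an emulator farm behind a shared VPN exit), and sessions whose app-reported GPS position lies far from where the source IP geolocates (GPS spoofing that the VPN choice did not fully cover). The event fields (`ts`, `account`, `device_id`, `src_ip`, `ip_lat`/`ip_lon`, `gps_lat`/`gps_lon`) and all sample events are assumptions constructed for illustration.

```python
"""Toy emulator-farm detection heuristics over a constructed login feed.

Added example; not the article's or IBM Trusteer's code. Assumes a
hypothetical event feed where each login carries the app-reported GPS
position and an IP-geolocation lookup result for the source address.
"""
import math
from collections import defaultdict

# Constructed sample events (not real data). The first four share one egress
# address, arrive within a few minutes with four different device IDs and
# accounts, and report a GPS position near Rome while the IP geolocates to
# New York. The last two are benign London logins with consistent geodata.
EVENTS = [
    {"ts": 1000, "account": "acct-001", "device_id": "dev-A1", "src_ip": "203.0.113.10",
     "ip_lat": 40.7, "ip_lon": -74.0, "gps_lat": 41.9, "gps_lon": 12.5},
    {"ts": 1100, "account": "acct-002", "device_id": "dev-B7", "src_ip": "203.0.113.10",
     "ip_lat": 40.7, "ip_lon": -74.0, "gps_lat": 41.9, "gps_lon": 12.5},
    {"ts": 1200, "account": "acct-003", "device_id": "dev-C3", "src_ip": "203.0.113.10",
     "ip_lat": 40.7, "ip_lon": -74.0, "gps_lat": 41.9, "gps_lon": 12.5},
    {"ts": 1300, "account": "acct-004", "device_id": "dev-D9", "src_ip": "203.0.113.10",
     "ip_lat": 40.7, "ip_lon": -74.0, "gps_lat": 41.9, "gps_lon": 12.5},
    {"ts": 2000, "account": "acct-100", "device_id": "dev-E2", "src_ip": "198.51.100.7",
     "ip_lat": 51.5, "ip_lon": -0.1, "gps_lat": 51.52, "gps_lon": -0.12},
    {"ts": 2500, "account": "acct-101", "device_id": "dev-F5", "src_ip": "198.51.100.7",
     "ip_lat": 51.5, "ip_lon": -0.1, "gps_lat": 51.51, "gps_lon": -0.09},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def ip_fanout(events, window_s=600, max_accounts=3):
    """Map src_ip -> set of accounts for addresses that served more than
    max_accounts distinct accounts inside any window_s-second sliding window.
    A single home or mobile IP rarely logs into many unrelated accounts in
    minutes; a VPN exit in front of an emulator farm does."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["src_ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window_s:
                start += 1
            accounts = {x["account"] for x in evs[start:end + 1]}
            if len(accounts) > max_accounts:
                flagged[ip] = flagged.get(ip, set()) | accounts
    return flagged


def geo_mismatch(events, max_km=500.0):
    """Accounts whose app-reported GPS position is more than max_km from the
    IP-geolocated position of the session's source address."""
    return sorted(
        e["account"] for e in events
        if haversine_km(e["ip_lat"], e["ip_lon"], e["gps_lat"], e["gps_lon"]) > max_km
    )


def flag_accounts(events):
    """Accounts hit by both heuristics, sorted; a reasonable first review queue."""
    fanout_accounts = set().union(*ip_fanout(events).values()) if ip_fanout(events) else set()
    return sorted(fanout_accounts & set(geo_mismatch(events)))


if __name__ == "__main__":
    print("fan-out IPs:", ip_fanout(EVENTS))
    print("GPS/IP mismatch:", geo_mismatch(EVENTS))
    print("review queue:", flag_accounts(EVENTS))
```

Thresholds such as the 600-second window, three accounts per address and 500 km are illustrative and would be tuned against a bank's own traffic; carrier-grade NAT and corporate VPNs produce legitimate fan-out, so these signals are inputs to a risk score rather than blocking rules on their own.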

The attackers also monitored the activity of some of the targeted bank accounts to check that nobody at the attacked banks had noticed what was going on. If their operation were detected, they could halt any ongoing work in real time without leaving a trace.

The researchers do not rule out that the operation is still active, although it is very difficult to determine whether the attackers are currently operating.