How Emulator Farm Fraud Attacks Exploit Mobile Users to Dizzying Results

Adriana Pansera,

We regularly host webcasts on topics such as fraud prevention, authentication, and digital security best practices. If you missed our recent webcast, The Red Flag: What the Emulator Farm Attack Signals for US Mobile Fraud hosted by American Banker, here is the 5 minute summary. The full presentation is available on-demand.

The pandemic has shifted our habits in myriad ways. The financial services industry bears no exception with customers wholeheartedly turning to digital banking and their mobile devices to complete banking transactions remotely. However, this increase in usage and traffic on the mobile channel hasn’t gone unnoticed by scammers, who see it as an increasingly lucrative target for attack.

In a recent poll of financial professionals conducted during the webinar, 77.3% confirmed a surge in their mobile active users over the course of the pandemic. The same audience also reported a 47.5% increase of fraud within their organization in the past year. The trendline is clear — as familiarity with mobile banking apps continues to rise, the pool of customers left exposed and at risk of exploitation is growing along with it.

Anatomy of a Mobile Fraud Attack

As COVID-19 continued to change consumer behavior, overall instances of fraud continued on an upward spike. Global workforces rapidly turned to remote work to maintain business continuity, which  left employees relying on vulnerable devices and less-secure personal networks to fulfill their job duties and put sensitive data at risk of being more easily compromised. Identity theft was on the rise, as well as phishing attacks, app and invoice fraud, and social engineering attacks. In the last year alone, account takeover fraud saw an increase of 34% over 2019, making up a whopping 54% of all fraud related events in 2020, according to a recent report.

In June 2020, the FBI issued a warning anticipating an increase in the number of attacks on mobile bank customers due to soaring use of banking applications and the decline of the physical branch. That warning came to fruition in December when a massive mobile fraud scheme known as the “evil emulator farm attack” saw an unprecedented level of success due to the incredible speed and scale of its operation. By using a network of emulators (technology used by developers to test and interact with apps via a simulation of a mobile device), hackers were able to spoof thousands of compromised user devices and originate fraudulent banking transactions. They were successful in defrauding millions of dollars from bank account holders in both the USA and across Europe in days.

How Mobile Devices Were Vulnerable to the “Evil Emulator Farm” Attack

Attackers prey on the lowest hanging fruit. Since not all banks keep up with the latest cybersecurity trends, hackers know they can recycle the methods, technology, and format of their attacks while migrating from bank to bank.

Phishing scams and malware on infected devices allow hackers to harvest account holders’ account number and credentials. Combined with data on device specifications like brand, model, and operating system, this information is fed into emulators to successfully simulate a legitimate user and gain access. The emulators were also capable of automating the flow of typical app interactions, intercepting SMS codes for authorization, and thus successfully able to gain transaction approval to strip accounts of their funds.

How Did SMS Text Messages Contribute to this Attack?

While the use of one-time passcode (OTP) for authentication via SMS is better than relying solely on username and password combinations, it is an outmoded form of authentication and can pose risks. SMS is an old technology and sent via public airwaves. It is not secure nor designed to be encrypted and can therefore be easy to intercept. The equipment fraudsters use to hijack SMS messages is inexpensive and readily available, and hackers can leverage databases full of harvested data. Furthermore, a user could enter their OTP into a webpage thinking they are authenticating a genuine action, but instead they are interacting with a phishing site. This lack of contextual information, when users are not provided context to why a code is being generated, exposes another inherent vulnerability with relying solely on this form of authentication.

What Can Be Done? Client and Server Side Solutions

Since fraudsters are taking advantage of data, financial institutions should be following suit by collecting the right type of data and using it to protect their users rather than being victimized by it. Banks can no longer rely solely on a decoupled approach to fraud monitoring, such as device and transaction monitoring solutions, which don’t communicate with each other.

Session interaction knowledge or session understanding is crucial; collecting behavioral data or information on user journeys and typical paths of interaction within a banking app or website becomes especially valuable in context. These attributes, unlike device type and OS, cannot easily be seen or stolen by fraudsters. Continuous server-side analytics is a way to think of each event as a flow or login journey, not just in isolation. When using multiple devices, there should be a correlation between the initiating device, for example a web browser, and the authenticating device, often a mobile phone. Are these the normal devices accessed by the user in the past, as well as typical behaviors within the channel? Continuous session monitoring ensures these blind spots are eliminated and diminishes the potential for abuse.

Taking Security a Step Further: Mobile App Shielding with Runtime Protection

What should banks do about the lack of control over the mobile devices their app runs on? While a bank can’t mandate that its customers are practicing good internet security hygiene or prohibit them from mistakenly downloading compromised apps, defenses can be put in place. Proactive mobile app shielding protects apps from unknown, potentially hostile environments  and provides visibility into the integrity of the app being used to facilitate transactions. Runtime protection helps continuously monitor and identify nefarious situations like malware injections and screen overlays, ensuring that the app has not been tampered with and provides the confidence that the data received from a user is accurate.


While cybercriminals continue to leverage advances in technology to ill effects, financial institutions seeking to mitigate fraud need to embrace a dynamic and multi-layered approach to foil potential attacks. Incorporating advanced mobile app security at runtime to detect emulators and other attacker tools can mitigate the risk of advanced mobile fraud schemes, such as the emulator farm attack. Additionally, modern authentication methods must be adopted, and continuous client- and server-side risk analytics and session monitoring can provide extra levels of security to best safeguard customers and their data.

To learn more mobile security strategies, please watch the recording of our joint webinar, The Red Flag: What the Emulator Farm Attack Signals for US Mobile Fraud. For more on how OneSpan can be deployed to mitigate fraud attacks, please read more on Mobile App Shielding: How to Reduce Fraud, Save Money, and Protect Revenue.

The Red Flag: What the Emulator Farm Attack Signals for US Mobile Fraud

The Red Flag: What the Emulator Farm Attack Signals for US Mobile Fraud

Eliminate the impact of sophisticated fraud threats using strategies to protect mobile device users with advanced app security to prevent emulation.

Watch now

Adriana Pansera is a Senior Marketing Specialist at OneSpan responsible for outreach and events. A digital storyteller with diverse industry experience, she leverages her BA in English to communicate how our experiences are shaped by our relationship with technology and the world.