Fraudulent Device Detection—Emulators and Their Use in Fraud

Fraudulent devices can be created through:

• Jailbreaking – Removing software restrictions on an Apple device running iOS to modify the OS, install non-approved apps, and gain admin-level privileges. Kernel patches permit root access, allowing the installation of software not available through the app store. This creates security issues because much of the built-in security is lost, including verified app security. Thus, the device can be used maliciously by the owner or hackers.

 

• Rooting, or cracking – This is similar to gaining admin privileges through jailbreaking, but it is specific to Android devices. Many Android device manufacturers permit users to unlock their devices and to add apps that are not officially approved. This less-robust security can lead to malicious use of a device, which is one reason why the majority of fraudulent devices used for fraud are Android devices.

 

• Tampering

 

• Flashing, or replacing the OS and resetting a device to factory settings – This creates a new device identifier and sidesteps attempts to detect, via device fingerprinting, that too many accounts are associated with a device.

Fraudulent devices that fall into these categories can be detected in a variety of ways, including looking for telltale code, file permissions, and APIs.

The most common fraudulent devices, the type that Ping encounters and exposes most often, are created using emulators. Emulators allow a large number of virtual devices to be created, often cloning the same device over and over, and avoids the need to purchase and set up a variety of different devices with different OSs. Emulators can be used to spoof other devices and clone devices to create many virtual devices.

Emulators are legal, useful tools developers use to test apps on different devices and OSs without purchasing every possible device and OS combination. They can create virtual versions of every iPhone or Android phone and test how an app runs on each to detect bugs and other programming problems.

Gamers use emulators to play games made for other platforms without buying multiple systems. For example, emulators can allow a PC to play games created for Playstation or Xbox.

Fraudulent mobile devices are created by bad actors using device emulators to run on computers, on servers, or within web browsers to simulate different types of mobile devices virtually.

Criminals employ emulators to create fraudulent virtual devices. They then use those devices to act like legitimate users to carry out various fraudulent activities. With more than six billion people worldwide (including 85% of Americans) using smartphones, mobile e-commerce spending is at an all-time high. Accordingly, fraudulent activity is growing.

Emulators offer fraudsters the same flexibility and efficiency they provide developers, allowing them to create different types of devices to carry out an attack. Having access to multiple devices and applications simultaneously, fraudsters can successfully bypass authentication and rules-based security measures.

Hackers adapt and evolve their approaches to avoid detection and sidestep device fingerprinting, which is a security measure that can expose a high number of virtual devices that have the same characteristics, that are all missing the same functionality, or that are from the same source. Organized crime rings set up emulator farms, feeding them hacked data collected worldwide. This allows criminals to appear even more like legitimate users.

Criminals program virtual devices to click on ads, download apps, or create fraudulent accounts. The devices can be used for coupon fraud, social media spam attacks, account takeover efforts, and mobile payment account hacks. In late 2020, emulators helped fraudsters steal millions directly from mobile banking customers’ accounts with multiple financial institutions in the U.S. and Europe in just a few days.

While online fraud used to require a certain level of technical know-how, it has become much easier for people to commit online fraud using an emulator to create fraudulent devices. Emulators are now available as web browser add-ons, and there are detailed instructions and video tutorials online describing how to use them.

Browser extension emulators are not installed on a fraudster’s computer but are hosted on remote servers. They are created in this format for ease of use, just like simple, popular browser extensions web users employ to store passwords, find coupons, or translate a webpage.

This emulators-as-a-service approach is, by extension, fraud as a service, transforming emulator attacks into systematic, large-scale efforts. Because they have become easier to use, emulators are a growing threat, as they are accessible to most anyone hoping to commit fraud.

As always, it is important for fraud fighters to be aware and stay ahead of the game.

Along with staying abreast of the latest hacking techniques and working to educate our customers, partners, and the public about ongoing and emerging threats, PingOne Fraud has a two-pronged approach to protecting users: 1) data enrichment, merging multiple sources of device intelligence, and 2) behavioral biometrics, using both internal and external data to improve fraudulent device detection.

Cybercriminals attempt to imitate legitimate devices in a variety of ways, including spoofing signals to sensors and removing traces of their existence after deleting an emulated device. These tricks are sophisticated, but not foolproof.

Just as Ping technology identifies human vs. non-human users, fraudulent devices can be identified by pairing device attributes and behavioral data. Identifying whether a device has been tampered with or spoofed is straightforward. Emulators leave a footprint on the OS and have incomplete critical behavioral data, like mobile attributes missing accelerator or gyroscope data, which are automatic red flags.

These markers work in tandem with behavioral biometrics to identify emulated devices. Behavioral biometrics uses machine learning to develop expectations of how humans interact with devices and what those patterns look like. Using sensors embedded in mobile devices, from touch screens to GPS radios, Ping tools extract and analyze hundreds of data points that define exactly how people use their devices. Algorithms then examine each device seeking access to users’ system or app to determine whether each device’s data points reflect the properties of a physical or an emulated mobile device.

Ping tools examine device parameters, including how firmly users touch the screen, how fast users tap and swipe, how users move their wrist and palm when touching the screen, and more. A single swipe on a touchscreen provides the position and pressure of the user's finger and the intensity of vibrations created by the accelerometer in response to the action.

Although these interactions generate hundreds of data points, the patterns they reveal are consistent across different interactions. The amount of pressure applied when swiping varies from person to person, and this pressure is consistently unique to each individual. In other words, it is rare for any two individuals to have the exact same swiping behavior. It is not unusual for emulated fraudulent devices to have the same programmed parameters for virtual swiping and other actions across all virtual devices a fraudster creates because it’s fast and simple, while programming unique values for every variable is much more time-consuming.

Another biometric data point is the orientation of a user’s phone when swiping. When moving their finger across the screen, a user usually tilts the device toward themselves. The angle and direction of this tilt varies for each person, but the uniqueness of this behavior to each individual user is consistent. These dozens of behaviors amount to a collection of nuances that cannot be easily simulated. Examining this behavioral data differentiates a real user from a fraudster and makes committing fraud more difficult.

Gett, the leading corporate ground transportation management company, has increased its detection of suspicious activities that were previously invisible to legacy fraud detection tools by more than 120 percent. With each new generation of fraud, Ping (which acquired SecureTouch mid-2020, along with Gett as a customer) has captured more suspicious events. By detecting emulator-based new account fraud, Ping has helped increase fraud detection within Gett’s enterprise by 62 percent.

Gett consolidates vendors on a single booking platform where clients access services using iOS and Android apps. As the leading company in its industry, serving a third of the world’s Fortune 500 companies, the company faces sophisticated security challenges. One challenge was emulator-based new account fraud, when fraudsters successfully used credit card information stolen from the dark web as payment.

With Ping’s help, Gett easily detected attacks by uncovering many devices being used for access attempts. They used data about device changes provided by PingOne Fraud to improve the precision of their custom algorithms in order to more readily uncover these instances.

For more details on how PingOne Fraud helps Gett, read their customer success story.

Unfortunately, emulators are commonplace, and recent developments have led them to be used more often as mobile device fraud continues to grow and evolve worldwide. Traditional fraud detection tools struggle to detect emulated devices, which means a site likely has emulated traffic interspersed with genuine traffic from real devices. However, emulators are vulnerable for the same reasons they are powerful: Since they are not physical devices, they cannot easily provide all of the unique attributes of a physical device.

PingOne Fraud’s behavioral biometrics leverage this vulnerability, relying on hard-to-spoof data points and parameters. Behavioral biometrics makes it exceptionally difficult for emulated devices to pass for physical devices without relying on specific footprints or classical detection methods. Thus, biometric tools are effective against even the most advanced emulation software.

PingOne Fraud detects a wide variety of fraud using behavioral navigation, behavioral biometrics, device attributes, network attributes, and more to detect fraudulent activities other tools miss, without impacting the user experience.

You can set up a demo at your convenience to see how Ping secures employee and customer experiences in a rapidly changing digital world.

Download the PingOne Fraud datasheet and our new online fraud detection white paper to learn more.

Cloudflare, CrowdStrike, and Ping Identity have joined forces to strengthen U.S. cybersecurity. Download the program overview and cybersecurity checklist here, along with the Ping Identity guide here.