Emulator

Generally, emulators are software tools that create a virtual environment to imitate the behavior and functionality of other physical mobile devices. In the context of remote identity verification security, threat actors can exploit emulators for malicious purposes. Specifically, attackers use emulators to mimic mobile devices, posing as genuine users to bypass security measures. This allows them to simulate the characteristics of various devices or platforms without needing to purchase real hardware. 

When targeting remote identity verification systems, emulators are often employed to conceal the use of virtual cameras (software that simulates a physical webcam) and enable attackers to disguise their true device source. This combination of emulators and virtual cameras helps bad actors launch sophisticated attacks from a computer while appearing to originate from a mobile device. Not all virtual cameras or emulators are malicious, but using emulators to conceal the existence of virtual cameras is usually malicious.

Critically, bad actors require emulators to carry out certain attack types on mobile, that in practice could only be done on computers (largely due to processing power differences) – for example, face swaps. Emulators are attractive to fraudsters because they obscure information and true device source (such as a desktop posing as a cell phone). These factors combine to create very sophisticated attack vectors, making it more difficult for some remote identity verification providers to detect identity fraud.

It’s also easier to run large-scale attacks from a larger desktop screen instead of from a mobile device. Additionally, emulators make it more difficult to examine device information (metadata) – so attackers use device emulators to spoof metadata for an authorized user’s trusted device. Therefore, effective attack detection today must analyze metadata in context with other information about an individual.

Example emulator flow: to cover their tracks and make the attempt to look less suspicious, a bad actor streams a face swap created by a generative AI tool from their computer to a verification platform and emulates a mobile phone. The recipient will see that this simply looks like a person verifying their identity using their phone. The face swap video is fed into the emulated mobile device environment via a virtual camera and transmitted as if coming from a smartphone’s camera. This facilitates digital injection attacks that can circumvent identity verification checks and other anti-spoofing measures used in remote identity verification.

The use of emulators has increased significantly, with iProov analysts witnessing emulators for both Android and iOS being widely abused by threat actors –  increasing 353% in the second half of 2023 over the first half.

Read the iProov 2024 Threat Intelligence Report for more information on emulators, threats to remote identity verification systems, and how to combat them.