In the mobile business, we hear the terms virtual machines and emulators a lot.

Are emulators and virtual machines something your fraud teams should worry about? Yes and no—understanding their intended use, and how fraudsters use them, is important to developing a strong fraud prevention strategy.

Virtual Machines and Mobile

Virtualization technology has been around for many years. According to Wikipedia, “In computing, a virtual machine (VM) is an emulation of a particular computer system. Virtual machines operate based on the computer architecture and functions of a real or hypothetical computer, and their implementations may involve specialized hardware, software, or a combination of both.”

Users quickly discovered many different uses for virtualized operating systems. Tech enthusiasts became especially eager to explore Android apps, initially intended for mobile platforms, on their personal computers. One big use case is using virtual machines to run mobile game apps in a desktop environment.

Still, virtual machines do have some limitations. While they can run different operating systems they aren’t able to simulate certain hardware characteristics. Hardware changes can only come from the host PC. For instance, a virtual machine doesn’t simulate a change to orientation or device rotation like a mobile device would unless the host hardware has a rotation sensor.


Emulators are a type of virtual machine. They are generally built on virtualization technology and are used by software engineers to develop and debug apps. What’s unique about them, compared to a virtual machine, is that they can simulate certain mobile hardware characteristics like device rotation. Emulators do not include official proprietary services such as Google Mobile Services (GMS) or Apple’s Siri or Map services.

Virtual Machines and Emulators Are Your Friends

Emulators are very useful for initial app development. Mobile app development teams usually use virtual machines/emulators as part of an overall testing strategy. They are used before deployment to a live environment to test functionality, the user interface and more. Some common emulators are the Android Studio Emulator, XCode Simulator, Ripple and GenyMotion. SourceLab’s cloud/VM solution –based on the open source testing framework

Emulators, Virtual Machines and Fraud

So how do fraudsters take this technology and use it for fraud? One scenario includes creating multiple instances of an application and then using stolen credentials to take over accounts in rapid succession. In another scenario, attackers can run programs in the host environment to perform brute force attacks—specifically to seize credentials for apps running in virtual images. We’ve also detected hackers routing traffic using virtual machines. The primary cost to the attacker for each of these scenarios is just time, CPU and memory.

It is also very easy for an attacker to reverse engineer the ways in which your app manages sensitive data by running it inside a virtual machine.

Emulators/virtual machines are not inherently bad—they have legitimate uses. Like all technology they can be, and are, used by cybercriminals to commit fraud. When it comes to mobile traffic—whether it comes through an app, the web, or a hybrid app, being able to identify when someone is using an emulator or virtual machine is extremely important. We’ve found that the use of either suggests a higher risk for fraud. That’s why it’s imperative to have fraud prevention tools in place that can detect both. It takes sophisticated science and data points to identify virtual machine based transactions—whether it’s through an SDK for apps or web-based fraud tools. You can’t make good decisions about stopping fraud if you don’t have all the facts.

As mobile traffic continues to increase, having the right tools in place to stop fraud will be a vital part of an overall fraud strategy.