Emulating human behavior on mobile devices: swipes, taps, gestures

Good Carder

From carder to carders. Antifraud systems on mobile platforms are no longer static. They no longer simply check your IMEI and Android ID — they analyze how you interact with the screen, how fast you scroll, how you hold the phone, and how uneven your gestures are. If you do all of this perfectly, you're screwed.

Static ID substitution is no longer enough. Financial apps today analyze hundreds of signals: the unique swipe curve of each finger, micro-friction, vibrations, random errors, and even pressure. In this article, I'll show you the real deal — how to make your emulator move and touch like a real person, not a robot.

Part 1. The Perfect Straight Line – A Red Flag for Mobile Antifraud

Modern mobile banking apps have long gone beyond password verification. They monitor how you hold your phone, how you swipe your finger across the screen, how hard you press, and even how much your swipe deviates from a straight mechanical line. Mobile antifraud systems are no longer simply checking IMEI and permissions. They are a comprehensive AI analysis of hundreds of behavioral signals.

What parameters are currently being targeted by mobile antifraud systems?
  • Swipe speed and smoothness. A human will never draw a perfectly straight line. Their finger will wiggle slightly, speed up, and slow down. A bot draws perfectly smooth, linear movements — an instant red flag.
  • Touch trajectory (Curve and Overshoot). A real finger doesn't always hit the exact center of an element; sometimes it misses by a millimeter and is corrected. The bot clicks with perfect pixel coordinate accuracy.
  • Dwell time. Tapping the screen takes a human 50–200 milliseconds, and this value is not constant. A bot always taps at the same interval.
  • Microcorrections and random noise. Behavioral biometrics detect the natural "tremor" (shaking) of the finger while holding it. The robot either freezes or vibrates at an unnatural frequency, which is easily detected by AI algorithms.
  • Touch Size. A real finger leaves a variable-sized spot on the screen (the harder the pressure, the larger the area). A bot's touch size is either static or absent altogether.
  • Scrolling speed and randomness. A human reads a news feed unevenly: sometimes they pause, sometimes they swipe up sharply, or change their rhythm. A bot scrolls the feed at a mechanical, constant speed.
  • Phone tilt angle and gyroscope data. In 2026, major banks are testing the ability to detect gestures and even moods based on how a customer holds their phone. Fractional changes in tilt angle will become a key factor in continuous authentication.

The Herodotus banking Trojan (discovered in 2025) has already proven that behavioral analysis works: its authors deliberately implemented natural delays and random gestures to evade detection, and are still actively developing it.
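
The signals listed above, seen from the detection side: an added example (not part of the original post) that scores touch traces for path straightness, speed variability, touch-size variability and dwell-time variability. The thresholds, flag names and both sample traces are constructed assumptions for illustration.

```python
import math
from statistics import mean, pstdev

# Assumed, illustrative thresholds; real systems tune these on labelled traffic.
THRESHOLDS = {"max_dev_px": 1.0, "speed_cv": 0.05, "size_cv": 0.01, "dwell_cv": 0.05}

def cv(values):
    """Coefficient of variation. NaN when there is too little data to judge."""
    if len(values) < 2:
        return float("nan")
    m = mean(values)
    return pstdev(values) / m if m else 0.0

def swipe_features(points):
    """points: [(t_ms, x, y, touch_major), ...] samples of one swipe."""
    (_, x0, y0, _), (_, x1, y1, _) = points[0], points[-1]
    dx, dy = x1 - x0, y1 - y0
    chord = math.hypot(dx, dy)
    # Largest perpendicular distance of any sample from the start-to-end chord.
    dev = max(abs(dx * (y0 - y) - dy * (x0 - x)) for _, x, y, _ in points)
    speeds = [math.hypot(b[1] - a[1], b[2] - a[2]) / (b[0] - a[0])
              for a, b in zip(points, points[1:]) if b[0] > a[0]]
    return {"max_dev_px": dev / chord if chord else 0.0,
            "speed_cv": cv(speeds),
            "size_cv": cv([p[3] for p in points])}

def session_flags(swipes, tap_dwells_ms, t=THRESHOLDS):
    """Flag a signal only when every swipe in the session trips it."""
    feats = [swipe_features(s) for s in swipes if len(s) >= 3]
    flags = [f"low_{k}" for k in ("max_dev_px", "speed_cv", "size_cv")
             if feats and all(f[k] < t[k] for f in feats)]
    # A NaN (too few taps) compares False, so sparse data is never flagged.
    if cv(tap_dwells_ms) < t["dwell_cv"]:
        flags.append("low_dwell_cv")
    return flags

# Constructed sample data (not captured from any device).
SCRIPTED_SWIPE = [(16 * i, 200 + 40 * i, 1600 - 80 * i, 5) for i in range(11)]
HUMAN_SWIPE = [(0, 200, 1600, 5), (14, 212, 1571, 6), (31, 241, 1509, 7),
               (47, 289, 1418, 7), (62, 352, 1301, 8), (80, 421, 1170, 7),
               (95, 480, 1048, 7), (113, 531, 941, 6), (130, 570, 862, 6),
               (149, 596, 808, 5)]

if __name__ == "__main__":
    print(session_flags([SCRIPTED_SWIPE] * 3, [80, 80, 80, 80]))
    print(session_flags([HUMAN_SWIPE], [92, 141, 67, 118]))
```

Requiring every swipe in a session to trip a signal keeps one accidentally straight gesture from flagging a legitimate user.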

Part 2. Live Touch Recording: Transforming Real-Life Movements into a Standard

The most reliable way to train a bot to behave like a human is to first record a real person's movements, then analyze and reconstruct them. No need to reinvent the wheel.

2.1. Recording via adb shell getevent

The getevent utility is a built-in Android program that displays all touchscreen events at the lowest level. It operates in real time, outputting a raw data stream with coordinates, time, and event type.

The basic capture syntax is:
Bash:
adb shell getevent -t /dev/input/event4 > touch_events.txt

The main types of events that interest us are:
  • ABS_MT_TRACKING_ID — number of the active finger on the screen (multi-touch).
  • ABS_MT_POSITION_X / ABS_MT_POSITION_Y — touch coordinates.
  • ABS_MT_TOUCH_MAJOR — approximate diameter of the touch area (simulating the area of a finger).
  • BTN_TOUCH — touch state (down/up).

The getevent utility outputs events in hexadecimal format. A key automation trick is converting these raw logs into dumps, which can then be fed back via sendevent or specialized bash scripts.

2.2. Building a "behavioral template"

After you've recorded 10-20 swiping and tapping sessions from a real person, you need to identify the unique "handwriting" of their fingers:
  • Speed variability. Minimum, average, and maximum scroll speed.
  • Error statistics. The number of finger "misses" (spots outside the buttons).
  • The amplitude of natural noise. How much the finger shakes when static.
  • The rhythm of touching the keyboard (slow, chaotic input versus instant, robotic).

All this creates a unique “digital signature” of a living person, which is very difficult for an emulator to reproduce without prior analysis.

Part 3. Substituting sensor data at the system level (Xposed, LSPosed)

Deep emulation is based on substituting system calls that return touch coordinates, pressure, and swipe velocity. This is where Xposed and its modern forks come into play.

3.1. MotionEvent Interception Architecture

The LSPosed library (the successor to the classic Xposed) is your main ally. It injects code into a system process and intercepts method calls to android.view.MotionEvent — the base class for all touch events. The main methods to intercept are:

Target method | Data for substitution
getX(), getY() | Current touch coordinates with noise
getRawX(), getRawY() | Absolute screen coordinates
getPressure() | Screen pressure (0–1)
getSize() | Touch area (finger size)
getEventTime() | Event timestamp
getHistoricalX() / getHistoricalY() | Coordinate history (allows you to insert old real trajectories)

By changing the values of these methods, you trick the application into thinking that the user's finger is moving along a pre-recorded or mathematically generated "human" curve.

3.2. Advanced Sensor Spoofing Modules

SpoofMyDevice (updated in 2026), in addition to spoofing IMEI, Android ID, and MAC address, also focuses on modifying data returned by sensors, including touch and pressure parameters. Using it on a custom rooted emulator, you can:
  • Dynamically change the touch area (getSize), simulating a real physical touch.
  • Generate random finger "misses" of 3-10 pixels to avoid hitting the perfect center of the buttons.
  • Mix real motion tracks recorded earlier with current simulated coordinates, creating the effect of natural habit.

3.3. Speeding Up Gesture Handling: W3C Actions and a Systems Approach

Mobile antifraud systems often expect users to perform multi-touch gestures (such as pinch-to-zoom) in a fluid, rather than instantaneous, manner. To emulate complex gestures, it's helpful to know about the W3C Actions API — an automation standard that allows for multi-touch, multi-level interactions with the screen, simulating the chaotic nature of human touch.

Part 4. Gesture Emulation via Appium and Creating Bot Farms

Mass scaling (bot farms with dozens or hundreds of profiles) requires standardization without sacrificing natural flow. This is where automation frameworks like Appium come in.

4.1. Incorporating "Human Imperfections" into Appium

Appium's main problem is that its default gestures are too perfect and geometrically straight. In 2026, the challenge has become less about making the emulator swipe, and more about introducing human inaccuracy into those swipes.

Advanced configurations use the W3C Actions API to construct "jaggy" curves, add random delays, and slightly offset touch points. The main techniques described in the industry are:
  • Randomized delays. Not 500 ms, but 483, 521, 496 ms.
  • Tap coordinate offset. If a bot always taps the center of an element (x=500, y=300), the antifraud algorithm detects this bot within a few iterations. An offset of 10–15 pixels makes the hit more realistic.
  • Overshoot emulation. A perfect swipe lands precisely on the desired element. People often scroll a little further and then back up a few millimeters.
  • Random zoom emulation. Instead of a perfect parallel pinch, W3C Actions can generate touch curves with variable distances between points.

For reverse engineering mobile cases, it's useful to use tools like WebDriverAgent, which generate GET /wda/touch_performance to retrieve metrics that can then be fed into Xposed module system calls.

Part 5. Bypassing detection: "You have to be a little imprecise"

Modern antibot systems on mobile platforms look for anomalies in the device itself (emulator, root), but also actively implement behavioral analysis patterns (Behavioral Biometrics) from giants such as BioCatch, BehavioSec, and NuData.

5.1. Key banking app triggers to consider

  • Sensor emulation at a non-zero level. A complete lack of data from the gyroscope or accelerometer while moving is a death sentence for the emulator.
  • Perfect click timing. Bots always click the button at the same interval. Even minor variations (a 10-20 millisecond range) are critical.
  • No random scrolling. A real user sometimes loses a line while reading and scrolls back. A bot does this rarely or with perfect rhythm.

Bypassing these triggers requires a comprehensive approach. The emulator must collect real sensor data, not invent it on the fly. The best strategy for 2026 is to have a private pool of real devices from which movements are recorded and then transferred to the LSPosed module. This creates the illusion that a real person, not a bot, is "sitting" at the physical phone.

Part 6. OPSEC and Building Your Own Bot Farm

Building a farm of real Android devices, controlled via OpenSTF, allows you to solve the emulator detection problem once and for all.
  • Each device is its own "finger." You assign each physical phone a unique behavioral macro-script, collected from another real user. This eliminates mass behavioral culling.
  • Automated finger rotation. The Appium-powered farm switches between motion profiles, randomly selecting trajectories.
  • Antifraud tests. Periodically check your scripts using liveness analysis services (like Pixelscan, but for mobile sensors) to ensure no parameters are leaking.

Part 7. A Comprehensive Checklist for Setting Up Mobile Carding

  • Live touch recording. We used adb getevent to collect 30–50 unique motion files.
  • Preparing LSPosed. Install LSPosed on the target emulator and activate the sensor spoofing module.
  • Appium setup. We implemented randomized delays, coordinate offsets, and overshoot simulation into the script.
  • Proxy masking. Each device in the farm uses its own residential proxy, unique to its virtual profile.
  • Detection test. We ran a test session through the bank's app, logging all movement parameters and correcting errors.
  • Behavioral control. The script randomly changes the pressure and area of the press in each transaction.

Summary

2026 for mobile carding isn't a battle of computing power. It's a battle of "handwriting" and variability. Antifraud systems no longer check you once upon login. They monitor your every tap, swipe, and scroll throughout your entire session. They record perfectly straight lines, instantaneous clicks, and the absence of random movements.

If your bot always hits the center of the button, doesn't change the scroll speed, and doesn't make micro-adjustments, you've already been exposed. The only way to stay in the game is to make your swipes and taps lively, uneven, and unpredictable. In 2026, the winner isn't the one with the fastest bot, but the one with the best bot at impersonating a human.

A quick one-line reminder:
"A smooth, perfect swipe trajectory is like a killer leaving fingerprints." Xposed spoofs coordinates, Appium makes gestures come alive, and Micro-tremor makes a bot "fearful" like a real person. In 2026, a robot's mask must hide a million imperfections. Otherwise, antifraud software will find you.