The apps solicit sensitive information from users and exfiltrate it to attackers' servers for blackmail. ESET telemetry shows clear growth of these apps in unofficial third-party app stores, on Google Play and on websites since early 2023.
Researchers at ESET, a global European leader in the cybersecurity market, have observed alarming growth in 2023 of fraudulent Android loan apps, which present themselves as legitimate personal loan services promising quick and easy access to funds. Despite their attractive appearance, these services are designed to defraud users by offering high-interest loans with misleading descriptions, all while collecting victims' personal and financial information for blackmail. ESET products detect these applications under the name SpyLoan, which refers directly to their spyware functionality combined with loan requests. SpyLoan apps are spread through social media and SMS messages and are available for download from scam websites, third-party app stores, and even Google Play.
ESET is a member of the App Defense Alliance (ADA) and an active partner in the Malware Mitigation Program, which aims to quickly identify potentially harmful applications and block them before they land on Google Play. As a member of the ADA, ESET identified 18 SpyLoan applications and reported them to Google, which subsequently removed 17 of them from its platform. These apps had a total of over 12 million downloads from Google Play before their removal. The remaining app has since changed its behavior, and ESET no longer detects it as a SpyLoan app.
Every instance of a given SpyLoan app behaves identically, regardless of origin, because all copies share a common code base. Whether the download comes from a suspicious website, a third-party app store, or even Google Play, users get the same features and run the same risks.
According to ESET telemetry, the creators of these apps, which blackmail and harass their victims, including with death threats, operate mainly in Mexico, Indonesia, Thailand, Vietnam, India, Pakistan, Colombia, Peru, the Philippines, Egypt, Kenya, Nigeria and Singapore. ESET researchers believe that any detections outside these countries come from smartphones that, for various reasons, use a phone number registered in one of them. At the moment there are no active campaigns aimed at European countries, the United States or Canada.
In addition to data collection and blackmail, these services are a form of modern digital usury: the charging of exorbitant interest rates on loans to take advantage of vulnerable individuals. Victims of these apps report that the total annual cost (CTA) of these loans is much higher than agreed and that the loan term is much shorter than agreed. In some cases, borrowers were pressured to repay their loans in five days instead of the expected 91 days, and the CTA of a loan was between 160% and 340%.
“These fraudulent apps exploit the trust users place in legitimate loan providers, using sophisticated techniques to deceive people and steal a wide range of personal information,” explains Lukáš Štefanko, the ESET researcher who discovered many of the SpyLoan applications. “It is vital that individuals exercise caution, validate the authenticity of any financial app or service, and rely on trusted sources. By staying informed and vigilant, users can better protect themselves from the risk of falling victim to these deceptive schemes,” he adds.
ESET Research traced the origins of the SpyLoan scheme back to 2020. Once a user installs a SpyLoan app, they are asked to accept the terms of service and to grant broad permissions to access sensitive data stored on the device. According to the privacy policies of these apps, the loan is not disbursed if these permissions are not granted. To complete the loan application, users are also required to provide a great deal of personal information.
The data typically exfiltrated to the Command & Control (C&C) server includes the user's account list, call logs, calendar events, device information, the list of installed apps, local Wi-Fi network information, and even information about files on the device. Contact lists, location data, and SMS messages are also at risk of exposure. To hide their activities, the criminals encrypt all stolen data before transmitting it to the C&C server. Although legitimate financial institutions are required to collect personal information about their customers, identity verification and risk assessment can be done with far less invasive data collection. ESET Research believes that the true purpose of the permissions requested by SpyLoan apps is to spy on users and blackmail both them and their contacts.
Once the app is installed and the personal data collected, those behind the application begin pressuring victims into making payments, even when, according to reviews, the user never requested a loan or requested one that was not approved. These practices are described in reviews of the apps on Facebook and Google Play.
"There are several reasons behind the rapid growth of SpyLoan apps. One of them is that the developers of these apps are inspired by successful FinTech (financial technology) services, which leverage technology to provide simplified and easy-to-use financial services," explains Štefanko.