Android’s latest digital security challenge – fake loan apps. (Generated with AI).

Android users, beware of fake loan apps – because they will spy on you

  • Android’s new threat is fake loan apps, SpyLoans, which steal data for blackmail.
  • ESET reports a rise in SpyLoan apps across various platforms in early 2023.
  • Fake loan apps predominantly target Southeast Asian, African, and Latin American users.

Android users have faced their share of challenges, initially enduring mockery from iPhone users over perceived inferiorities in their devices. Now, they’re grappling with a new threat: the emergence of ‘SpyLoan’ apps in the app store.

This year has seen a worrying surge in deceptive Android loan apps, identified by ESET researchers. These apps masquerade as legitimate personal loan services, luring users with the promise of quick, easy funds. However, they’re designed to trick users through high-interest loans on misleading terms, while simultaneously harvesting personal and financial data for blackmail. ESET has labeled these apps ‘SpyLoans,’ reflecting their dual nature as both spyware and loan offers. These apps are disseminated via social media, SMS, scam websites, third-party app stores, and even Google Play.

ESET uncovers surge in fake loan apps on Android

ESET’s vigilance led to the discovery of 18 SpyLoan apps, prompting them to alert Google. As a result, Google removed 17 of these apps from their platform. These apps had amassed over 12 million downloads on Google Play before being taken down. The remaining app altered its functionality, leading ESET to no longer classify it as a SpyLoan app.

Every SpyLoan app displays the same behavior regardless of where it is downloaded due to its identical underlying code. That means users encounter the same risks and features, whether the app is obtained from an unofficial website, a third-party app store, or Google Play.

The operators of these schemes restrict their activities to mobile apps, steering clear of web-based services. The reason behind this is that mobile apps offer more comprehensive access to the sensitive data stored on smartphones compared to web browsers, and that access is crucial for extortionists to execute their blackmail schemes.

ESET’s telemetry data reveals that the operators behind these apps, who resort to extreme measures like death threats for blackmail, are predominantly active in countries including Mexico, Indonesia, Thailand, Vietnam, India, Pakistan, Colombia, Peru, the Philippines, Egypt, Kenya, Nigeria, and Singapore. ESET researchers suggest that detections in other countries likely stem from smartphones linked to phone numbers registered in these regions. No active campaigns are currently targeting Europe, the USA, or Canada.

These services go beyond data theft and blackmail; they’re a form of digital usury. Victims report that these loans’ total annual cost (TAC) is far higher than advertised, and repayment periods are drastically shorter. For instance, some borrowers were coerced into repaying loans in just five days, rather than the advertised 91 days, with TACs ranging from 160% to 340%.

The importance of vigilance against financial scams

Lukáš Štefanko, an ESET researcher who was vital in uncovering these SpyLoan apps, points out that these malicious apps exploit the trust users place in legitimate loan providers. They use intricate methods to deceive and extract various personal information.

Štefanko stresses the importance of vigilance and verification of financial apps and services. He advises users to rely on trustworthy sources, remain informed, and exercise caution to avoid falling prey to such fraudulent schemes.

ESET Research has traced the SpyLoan scheme back to its inception in 2020. When users install one of the fake loan apps, they’re immediately asked to agree to the terms of service and grant broad permissions to access their sensitive data. The apps’ privacy policies stipulate that failing to grant these permissions means the loan won’t be processed. Users must supply a wealth of personal information to proceed with the loan application.

In early 2022, ESET informed Google Play about over 20 malicious loan apps that had collectively amassed over 9 million downloads. Following ESET’s intervention, Google removed these apps from its platform. Additionally, the security firm Lookout identified 251 Android apps on Google Play and 35 iOS apps on the Apple App Store exhibiting predatory behaviors. Lookout communicated with Google and Apple about these apps and published a blog post detailing their findings in November 2022.

Before Lookout’s report was released, Google had already removed most of these harmful apps, with two being withdrawn by the developers. These apps had been downloaded over 15 million times on Google Play, and Apple also removed the identified apps from its store.

ESET’s telemetry data shows a resurgence in SpyLoan app detections starting in January 2023, which continued to increase across unofficial third-party app stores, Google Play, and various websites. This uptick was highlighted in ESET’s Threat Report for the first half of 2023.

Heatmap of SpyLoan detections seen in ESET telemetry between January 1 and November 30, 2023 (Source – ESET).

Google’s 2022 security summary outlined measures the company implemented to protect Android and Google Play users. These measures included the introduction of new regulations for personal loan apps in several regions. Specifically, over the past three years, Google Play has significantly updated its policies on personal loan apps, implementing specific requirements tailored to countries such as India, Indonesia, the Philippines, Nigeria, Kenya, Pakistan, and Thailand. These targeted policy changes led to the removal of many fake loan apps.

Perpetrators promote these malicious apps through SMS and on popular social media platforms, including Twitter, Facebook, and YouTube, to attract victims. By tapping into these platforms’ vast user bases, the scammers target individuals who need money in a hurry.

Impersonation tactics in SpyLoan apps

While not a feature of every SpyLoan app examined by ESET, another worrying element is the impersonation of reputable loan providers and financial services. This deceptive practice involves misusing the names and branding of established, legitimate entities. To combat this, several authentic financial services have turned to social media platforms to alert potential victims about these deceptive SpyLoan apps.

The data exfiltrated to the Command and Control (C&C) server typically includes the user’s account list, call logs, calendar events, device details, installed apps, local Wi-Fi networks, and even file information on the device. Contact lists, location data, and SMS messages are also at risk. The perpetrators encrypt all stolen data before sending it to the C&C server. While legitimate financial institutions must collect personal information for identity verification and risk assessment, they use far less intrusive data collection methods. ESET Research suggests the true intent behind the permissions requested by SpyLoan apps is to spy on, harass, and blackmail users – and their contacts.

Code responsible for data exfiltration. (Source – ESET)
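From the defender's side, the data categories listed above map onto Android permissions that can be checked before an app is allowed onto a device. The following Python sketch is an added example, not ESET's code and not taken from any SpyLoan sample: the category-to-permission mapping, the review threshold, and the sample manifest are assumptions made for illustration, and the manifest is assumed to be already decoded to text XML (inside an APK it is stored as binary XML).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Data categories named in the article -> Android permissions that gate them.
# The mapping is this example's assumption, not a list published by ESET.
CATEGORY_PERMS = {
    "account list": {"GET_ACCOUNTS"},
    "call logs": {"READ_CALL_LOG"},
    "calendar events": {"READ_CALENDAR"},
    "device details": {"READ_PHONE_STATE"},
    "installed apps": {"QUERY_ALL_PACKAGES"},
    "Wi-Fi networks": {"ACCESS_WIFI_STATE"},
    "files": {"READ_EXTERNAL_STORAGE", "MANAGE_EXTERNAL_STORAGE"},
    "contacts": {"READ_CONTACTS"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "SMS": {"READ_SMS", "RECEIVE_SMS"},
}

# Constructed sample manifest for a hypothetical loan app (not a real package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.loanapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the short names of all permissions the manifest requests."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name", "")
            perms.add(name.rsplit(".", 1)[-1])
    return perms

def exposed_categories(manifest_xml):
    """List the article's data categories this app could read, sorted."""
    perms = requested_permissions(manifest_xml)
    return sorted(c for c, gate in CATEGORY_PERMS.items() if perms & gate)

def needs_review(manifest_xml, threshold=4):
    """Flag apps touching many categories; the threshold is an assumed policy."""
    return len(exposed_categories(manifest_xml)) >= threshold

if __name__ == "__main__":
    print(exposed_categories(SAMPLE_MANIFEST), needs_review(SAMPLE_MANIFEST))
```

A high category count alone does not prove an app is malicious; it marks a loan app whose requested access goes well beyond what identity verification needs and so deserves a closer look.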

Once such an app is installed and personal data is harvested, the app’s enforcers begin pressuring victims to make payments, even if users didn’t apply for a loan or were not approved for one, as noted in reviews on Facebook and Google Play.

Štefanko explains, “There are several reasons behind the rapid growth of SpyLoan apps. One is that the developers of these apps take inspiration from successful FinTech — financial technology — services, which leverage technology to provide streamlined and user-friendly financial services.”

The rising threat of fake SpyLoan apps on Android platforms highlights a critical issue in digital security. This situation underscores the importance of vigilance and careful scrutiny of loan-related apps, especially for users in the most targeted regions. Staying informed and cautious is key to avoiding falling victim to these deceptive and harmful schemes.