Cybersecurity researchers have discovered 18 malicious loan apps for Android on the Google Play Store that have collectively been downloaded more than 12 million times.
“Despite their attractive appearance, these services are actually designed to defraud users by offering loans at high interest rates backed by deceptive descriptions, all while collecting the personal and financial information of their victims to blackmail them and, ultimately, out of their money,” Esset said.
The Slovak cybersecurity company tracks these applications under this name SpyLoannoting that it is designed to target potential borrowers located in Southeast Asia, Africa and Latin America.
The list of apps that Google has now removed is below –
- AA Kredit: Instant Loan App (com.aa.kredit.android)
- Omar Cash: Loans without an office (com.amorcash.credito.prestamo)
- Golden Loan – Fast Cash (com.app.lo.go)
- Cashwow (com.cashwow.cow.eg)
- CrediBus Credit Loans (com.dinero.profin.prestamo.credito.credit.credibus.loan.efectivo.cash)
- Borrow with Confidence – Flash Loan (com.flashloan.wsft)
- Credit Loans – GuayabaCash (com.guayaba.cash.credit.mx.tala)
- Credit Loans-YumiCash (com.loan.cash.credit.tala.prestmo.fast.branch.mextamo)
- Go Credito – Trustworthy (com.mlo.xango)
- Instant Loan (com.mmp.optima)
- Big Box (com.mxolp.postloan)
- Express Credit (com.okey.prestamo)
- Finupp Lending (com.shuiyiwenhua.gl)
- 4S Cash (com.swefjjghs.weejteop)
- TrueNaira – Online Loan (com.truenaira.cashloan.moneycredit)
- Easy Cash (king.credit.ng)
- Safe Credit (com.sc.safe.credit)
SMS and social media channels such as Twitter, Facebook and YouTube serve as prominent infection paths, although apps are also available for download from fraudulent websites and third-party app stores.
“None of these services provide an option to request a loan using a website, because through the browser blackmailers cannot access all sensitive user data stored on the smartphone and required for blackmail,” said ESET security researcher Lukáš Štefanko.
The apps are part of a broader scheme dating back to 2020, and add to a group of more than 300 Android and iOS apps uncovered by Kaspersky, Lookout and Zimperium last year that exploited “victims’ desire for quick cash to entrap borrowers.” In predatory loan contracts and demanding that they grant access to sensitive information such as contacts and SMS messages.
Besides collecting information from compromised devices, SpyLoan operators have also been observed resorting to blackmail and harassment tactics to pressure victims into paying amounts by threatening to post their photos and videos on social media platforms.
In one message identified by The Hacker News and posted to the Google Play Help community earlier in February, a user from Nigeria criticized EasyCash for “granting fraudulent loans to its victims with exorbitant high interest rates and forcing them to pay using extortion-related threats.” Defamation and character assassination when it is clear that they have the debtor’s address and full government name including Bank Identification Number (BVN), but they still embarrass people and put them under unnecessary stress and panic.
Furthermore, apps use misleading privacy policies to explain why they need permissions to users’ media files, camera, calendar, contacts, call logs, and SMS. Some of the applications also included a link to fake websites, filled with images of stolen office environments and stock images, in an attempt to legitimize their operations.
To mitigate the risks posed by these spyware threats, it is advised to stick to official sources for downloading applications, verify the authenticity of these offers, as well as pay close attention to reviews and permissions before installing.
Stefanko said SpyLoan serves as “an important reminder of the risks borrowers face when seeking financial services online.” “These malicious apps exploit users’ trust in legitimate loan providers, using sophisticated techniques to deceive and steal a very wide range of personal information.”
The development also comes on the heels of the emergence of an Android banking Trojan dubbed TrickMo that masquerades as a free mobile streaming app and comes with upgraded capabilities, such as screen content hijacking, downloading runtime modules, and overlay injection to extract credentials from targeted apps. In addition to using JsonPacker to hide its malicious code.
“The malware’s move to overlay attacks, its use of JsonPacker to obfuscate code, and its consistent behavior with the command-and-control server highlight the threat actor’s dedication to improving their strategies,” Seibel said in an analysis last week.
In recent news, it has been revealed that 18 malicious loan apps have been targeting and scamming millions of Android users. These apps have been designed to entice users with promises of quick and easy loans, only to steal their personal and financial information. The scale of this scam is alarming, with millions of users falling victim to these fraudulent practices. It serves as a reminder of the importance of being vigilant when downloading and using financial apps, as well as the need for stronger measures to protect consumers from such malicious schemes.