Several Android loan apps have been reported that pretended to offer loan services and easy access to funds but turned out to be malicious apps collecting personal and financial information from victims.
These apps are classified as “SpyLoan” apps because they collect sensitive information about users and then use it to extort money. More than 17 such apps available on Google Play were detected, reported and subsequently removed.
According to reviews of these apps, their operators harassed customers even when no loan was ever provided. The targeted users are located in Southeast Asia, Africa, and Latin America.
The applications were distributed to victims via social media, SMS, and fraudulent websites. All of them share the same behavior and functionality.
The operators of these apps were mainly based in Mexico, Indonesia, Thailand, Vietnam, India, Pakistan, Colombia, Peru, the Philippines, Egypt, Kenya, Nigeria and Singapore.
Harmful loan apps for Android
Once one of these apps is installed on the victim’s device, the user is asked to accept the terms of service and to grant a large number of permissions. These permissions give the app access to sensitive information on the device. The user must also register a mobile number, which confirms the user’s country of residence.
To complete the loan application, users have to provide personal information such as contact details, address, proof of income, bank account information and a confirmation selfie.
Beyond this, the apps also collect the list of accounts on the device, call logs, calendar events, device information, the list of installed apps, information about the local Wi-Fi network, and EXIF metadata from images and photographs stored on the device.
Data extraction and working method
The collected information is then transmitted to the command-and-control (C&C) server; the apps employ several techniques such as code obfuscation, encrypted strings, and encrypted communication between the device and the C&C server.
However, in May 2023 Google updated its Google Play policies to prevent apps from requesting access to sensitive data such as photos, videos, contacts, phone numbers, location, and storage.
Although this policy kept many such apps out of Google Play, apps that were already installed retained all of the permissions they had been granted.
Moreover, the app operators threaten victims in order to extort more money from them. These applications have particularly affected vulnerable individuals in desperate need of money and borrowers with limited access to legitimate financial institutions.
A full report on these malicious extortion apps has been published, providing detailed information about the source code, processes, and more.
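The permission sets described above (the data the apps harvest, and the categories the Play policy bars loan apps from requesting) can be checked directly against an app's manifest. The following is an added example, not code from the original article or the report it summarizes: it audits a decoded AndroidManifest.xml and flags a loan app that requests policy-restricted or data-harvesting permissions. The manifest text and package name are constructed placeholders; the permission names are the standard Android constants, and the two lookup tables are this example's own mapping of the article's data categories to those constants.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Data categories the article says the May 2023 Play policy bars loan apps from
# requesting, mapped to the Android permissions that grant them (example mapping).
POLICY_RESTRICTED = {
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.READ_MEDIA_IMAGES": "photos",
    "android.permission.READ_MEDIA_VIDEO": "videos",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_PHONE_NUMBERS": "phone numbers",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
}
# Further data sources the article lists as harvested by the SpyLoan apps.
HARVEST_INDICATORS = {
    "android.permission.GET_ACCOUNTS": "account list",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CALENDAR": "calendar events",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi network info",
    "android.permission.QUERY_ALL_PACKAGES": "installed app list",
}

def audit_manifest(manifest_xml: str) -> dict:
    """Parse a decoded AndroidManifest.xml and report which requested
    permissions fall into the restricted or harvest-indicator sets."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    violations = {p: POLICY_RESTRICTED[p] for p in sorted(requested) if p in POLICY_RESTRICTED}
    harvest = {p: HARVEST_INDICATORS[p] for p in sorted(requested) if p in HARVEST_INDICATORS}
    # A loan app needs none of the restricted set; flag it as suspect when it
    # requests any of them, or when it reaches into two or more harvest sources.
    suspect = bool(violations) or len(harvest) >= 2
    return {"package": root.get("package"), "policy_violations": violations,
            "harvest_indicators": harvest, "suspect": suspect}

# Constructed sample manifest; the package name is a placeholder, not a reported app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.loanapp.placeholder">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
```

Calling `audit_manifest(SAMPLE_MANIFEST)` reports three policy violations and four harvest indicators and marks the sample as suspect; the same function can be pointed at the manifest of any decoded APK.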
Indicators of Compromise
Files
Network