Android personal loan apps may not have made their presence felt in our country yet, but it's vital to be aware of a worrying global trend: this year, ESET researchers noticed an alarming increase in deceptive Android loan apps, which present themselves as legitimate personal loan services, promising quick and easy access to funds.
Despite their attractive appearance, these apps are actually designed to trick users by offering them high-interest loans accompanied by misleading descriptions, while at the same time collecting victims' personal and financial information in order to blackmail them.
SpyLoan apps are promoted through social media as well as SMS messages and can be downloaded from various sources such as scam websites, third-party app stores and even the Google Play Store.
ESET is a member of the App Defense Alliance (ADA) and an active partner in the Malware Mitigation Program, which aims to quickly detect Potentially Harmful Applications and stop them before they reach Google Play. As a member of the ADA, ESET identified 18 SpyLoan apps and reported them to Google, which subsequently removed 17 of these apps from its platform. These apps had a total of more than 12 million downloads from Google Play before they were removed. The 18th app has changed its behavior, so ESET no longer categorizes it as a SpyLoan app.
Every SpyLoan application, regardless of its origin, behaves identically due to the identical underlying code. It doesn't matter if the download came from a suspicious website, a third-party app store, or even Google Play – users will experience the same features and face the same risks regardless of where they got the app.
According to ESET telemetry, the operators behind these apps, who extort and harass their victims, even with death threats, operate mainly in Mexico, Indonesia, Thailand, Vietnam, India, Pakistan, Colombia, Peru, Philippines, Egypt, Kenya, Nigeria and Singapore.
ESET researchers believe that if these apps are detected outside of these countries, it will be because the smartphones have access to a phone number registered in one of these countries. There are currently no active campaigns targeting European countries, the US or Canada.
These services not only collect data and blackmail, but also practice a form of modern digital usury, which involves charging exorbitant interest rates for loans, taking advantage of vulnerable people. Victims of these apps claim that the total annual cost of the loans is much higher than stated and the duration of the loan is much shorter than stated. In some cases, borrowers were pressured to pay off their loans in five days, instead of the stated 91 days, and the annual cost of a loan was anywhere between 160% and 340%.
"These malicious apps take advantage of the trust users place in legitimate loan companies, using sophisticated techniques to trick people and steal personal information," says ESET researcher Lukáš Štefanko, who detected many of the SpyLoan apps.
"People should pay close attention, verify the legitimacy of any financial application or service and rely on reliable sources," he stresses. "By staying informed and alert, users can better protect themselves and not fall victim," he adds.
ESET Research detected traces of the SpyLoan ring in 2020. Once a user installs a SpyLoan app, they are asked to accept terms of use and grant access rights to sensitive data stored on the device. According to the privacy policies of these applications, the loan will not be granted without these permissions. Also, in order to complete the loan application process, users are required to provide a lot of personal information.
Data typically transferred to the Command and Control (C&C) server includes items such as the list of user accounts, call logs, calendar events, device information, lists of installed applications, local Wi-Fi network information, and even information about the files on the device. In addition, contact lists, location data and SMS messages are also at risk. The perpetrators encrypt all stolen data before sending it to the C&C server to protect their activities.
While legitimate financial institutions have a duty to collect personal information about their customers, identity verification and risk assessment can be done with far less intrusive methods of data collection. ESET Research believes that the real reason these SpyLoan apps ask for data is to spy, harass and blackmail users and their contacts.
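To make the contrast with less intrusive data collection concrete, the following added example (not ESET's code or detection logic) lists which of the data categories named above an app's manifest lets it reach. It assumes the AndroidManifest.xml has already been decoded to text; the category-to-permission mapping, the threshold of four categories and the sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping: data category named in the article -> permissions gating it.
CATEGORY_PERMISSIONS = {
    "user accounts": {P + "GET_ACCOUNTS"},
    "call logs": {P + "READ_CALL_LOG"},
    "calendar events": {P + "READ_CALENDAR"},
    "device information": {P + "READ_PHONE_STATE"},
    "installed applications": {P + "QUERY_ALL_PACKAGES"},
    "Wi-Fi network information": {P + "ACCESS_WIFI_STATE"},
    "device files": {P + "READ_EXTERNAL_STORAGE", P + "MANAGE_EXTERNAL_STORAGE"},
    "contact lists": {P + "READ_CONTACTS"},
    "location data": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "SMS messages": {P + "READ_SMS", P + "RECEIVE_SMS"},
}

def requested_permissions(manifest_xml):
    """Return the permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def triage(manifest_xml, threshold=4):
    """List the article's data categories the app can reach; flag broad requests."""
    perms = requested_permissions(manifest_xml)
    hits = sorted(c for c, gate in CATEGORY_PERMISSIONS.items() if perms & gate)
    return {"categories": hits, "flag": len(hits) >= threshold}

def _manifest(*names):  # builds a constructed sample manifest
    uses = "".join('<uses-permission android:name="%s%s"/>' % (P, n) for n in names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.loan">%s<application/></manifest>' % uses)

SPYLOAN_LIKE = _manifest("INTERNET", "READ_CONTACTS", "READ_SMS", "READ_CALL_LOG",
                         "ACCESS_FINE_LOCATION", "READ_CALENDAR")
MODEST = _manifest("INTERNET", "CAMERA")

if __name__ == "__main__":
    for label, xml in (("spyloan-like", SPYLOAN_LIKE), ("modest", MODEST)):
        print(label, triage(xml))
```

A flag here only means the app requests access to many of the listed data categories at once; it is a prompt for closer review, not a verdict.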
After installing such an application and collecting personal data, those in charge of the application begin to pressure their victims to pay, even if – according to the reviews – the user did not apply for a loan or applied but the loan was not approved. Such practices have been reported in reviews of these apps on Facebook and Google Play.
“There are several reasons behind the rapid growth of SpyLoan applications. One of them is that the developers of these applications are inspired by successful FinTech – financial technology – services that leverage technology to provide improved and user-friendly financial services,” explains Štefanko.
For more information on SpyLoan scam applications, see the blog post “Beware of predatory fin(tech): Loan sharks use Android apps to reach new depths”.