Researchers at ESET have reported a concerning surge in deceptive Android loan apps, known as SpyLoan, designed to defraud users by offering high-interest-rate loans while collecting personal and financial information for potential blackmail.
Marketed through social media and SMS messages, and available on various platforms including Google Play, these apps had gained over 12 million downloads before ESET, a member of the App Defense Alliance, identified and reported 18 SpyLoan apps to Google, resulting in the removal of 17 from the platform.

Key Findings
- SpyLoan Functionality: SpyLoan apps present themselves as legitimate personal loan services, enticing users with quick access to funds. However, they collect personal and financial information to blackmail victims. ESET products detect these apps as SpyLoan due to their spyware functionality combined with loan claims.
- Global Impact: While primarily affecting users in countries like Mexico, Indonesia, Thailand, and more, the identical underlying code ensures users face the same risks globally, irrespective of the source of the app.
- Enforcement Geography: Perpetrators, known to resort to death threats, operate mainly in countries like Mexico, Indonesia, Thailand, Vietnam, India, Pakistan, Colombia, Peru, the Philippines, Egypt, Kenya, Nigeria, and Singapore. No active campaigns targeting European countries, the USA, or Canada have been identified.
- Usurious Practices: Beyond data harvesting and blackmail, these services engage in digital usury, charging excessive interest rates on loans, exploiting vulnerable individuals. Victims report higher total annual costs (TAC) and shorter loan tenures than initially stated.

“These malicious applications exploit the trust that users place in legitimate loan providers, using sophisticated techniques to deceive people and steal a very wide range of personal information. It is crucial for individuals to exercise caution, validate the authenticity of any financial app or service, and rely on trusted sources,” said Lukáš Štefanko, Researcher at ESET.

“There are several reasons behind the rapid growth of SpyLoan apps. One is that the developers of these apps take inspiration from successful FinTech — financial technology — services, which leverage technology to provide streamlined and user-friendly financial services,” he added.

SpyLoan Scheme Origins and Modus Operandi
Origin: SpyLoan apps have been traced back to 2020. They prompt users to accept terms of service and grant extensive permissions to access sensitive data on the device; if the permissions are not granted, the loan is not provided. Users are also compelled to supply personal information to complete the loan application process.
Data Exfiltration: Stolen data includes the user’s accounts, call logs, calendar events, device information, installed apps, Wi-Fi network details, files on the device, contact lists, location data, and SMS messages. The encrypted data is transmitted to the Command and Control server.
Harassment and Blackmail: The app’s enforcers pressure victims into making payments, even if the user didn’t apply for a loan or if the loan wasn’t approved. The real purpose of the permissions requested appears to be spying on users and engaging in harassment and blackmail.
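
A defender-side check for the permission pattern described above, as an added example that is not from ESET or the original article: it reads a decoded AndroidManifest.xml and reports which of the listed data categories the app can reach. The permission mapping, the threshold of four categories and the sample manifest are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Data categories the article lists as harvested, mapped to standard Android
# permissions that gate them (the mapping is this example's assumption).
CATEGORY_PERMISSIONS = {
    "accounts": {"GET_ACCOUNTS"},
    "call logs": {"READ_CALL_LOG"},
    "calendar events": {"READ_CALENDAR"},
    "device information": {"READ_PHONE_STATE"},
    "installed apps": {"QUERY_ALL_PACKAGES"},
    "Wi-Fi network details": {"ACCESS_WIFI_STATE"},
    "files on the device": {"READ_EXTERNAL_STORAGE", "MANAGE_EXTERNAL_STORAGE"},
    "contact lists": {"READ_CONTACTS"},
    "location data": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "SMS messages": {"READ_SMS", "RECEIVE_SMS"},
}

def requested_permissions(manifest_xml):
    """Return the short names of android.permission.* entries in a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name", "")
            if name.startswith("android.permission."):
                perms.add(name.rsplit(".", 1)[1])
    return perms

def audit(manifest_xml, threshold=4):
    """Flag a manifest that reaches `threshold` or more harvested categories."""
    perms = requested_permissions(manifest_xml)
    hits = {cat: sorted(perms & wanted)
            for cat, wanted in CATEGORY_PERMISSIONS.items() if perms & wanted}
    return {"categories": hits, "flag": len(hits) >= threshold}

# Constructed sample: a hypothetical loan app's decoded manifest.
_PERMS = ["INTERNET", "READ_CONTACTS", "READ_SMS", "READ_CALL_LOG",
          "ACCESS_FINE_LOCATION", "READ_CALENDAR"]
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
    'package="com.example.quickloan">'
    + "".join(f'<uses-permission android:name="android.permission.{p}"/>'
              for p in _PERMS)
    + "</manifest>")

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST))
```

A flag here is a prompt for manual review, since a lending app has no functional need for call logs, calendar entries or SMS content.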

Precautions for Users
ESET advises users to exercise caution, validate the authenticity of financial apps, and rely on trusted sources to protect themselves from falling victim to such deceptive schemes.
Stay informed, stay cautious, and protect your personal information against emerging threats.


