- A new Android threat is SpyLoans, a fake loan app that steals data for extortion purposes.
- ESET reports that SpyLoan app detections have been rising across various platforms since early 2023.
- Fake loan apps primarily target users in Southeast Asia, Africa, and Latin America.
Android users, long ridiculed by iPhone users over their devices’ perceived inferiority, now face a new threat with the arrival of “SpyLoan” apps in app stores.
This year has seen an alarming spike in deceptive Android loan apps identified by ESET researchers. These apps pose as legitimate personal loan services and lure users with promises of quick and easy funding. However, they are designed to cheat users through high-interest loans with misleading terms while collecting personal and financial data for extortion purposes. ESET has labeled these apps “SpyLoans” to reflect their dual nature as spyware and loan offerings. These apps are spread through social media, SMS, scam websites, third-party app stores, and even Google Play.
ESET discovers proliferation of fake loan apps on Android
ESET discovered 18 SpyLoan apps and alerted Google. As a result, Google removed 17 of these apps from its platform. These apps had accumulated 12 million downloads on Google Play before being removed. The remaining app has changed functionality, so ESET no longer classifies it as a SpyLoan app.
All SpyLoan apps display the same behavior regardless of where they are downloaded because the underlying code is the same. This means that users will encounter the same risks and features regardless of whether the app is obtained from an unofficial website, a third-party app store, or Google Play.
Operators of these schemes limit their activities to mobile apps and avoid web-based services. The reason is that mobile apps offer more comprehensive access to sensitive data stored on smartphones than a web browser does, and that access is essential for blackmailers to carry out their extortion plans.
ESET telemetry data shows that the operators behind these apps, who resort to extreme measures such as death threats to intimidate victims, are active primarily in Mexico, Indonesia, Thailand, Vietnam, India, Pakistan, Colombia, Peru, the Philippines, Egypt, Kenya, Nigeria, and Singapore. ESET researchers suggest that detections in other countries are likely originating from smartphones linked to phone numbers registered in these regions. There are currently no active campaigns targeting Europe, the US, or Canada.
These services go beyond data theft and blackmail. They are a type of digital loan shark. Victims report that the total annual cost (TAC) on these loans is much higher than advertised, and the repayment terms are much shorter. For example, some borrowers were forced to repay their loans in just 5 days instead of the advertised 91 days, and TACs ranged from 160% to 340%.
The importance of vigilance against financial fraud
ESET researcher Lukáš Štefanko, who played a key role in uncovering these SpyLoan apps, said these malicious apps exploit the trust users place in legitimate loan providers. They use complex methods to trick users and extract various personal information.
Štefanko emphasizes the importance of vigilance and verification of financial apps and services. He advises users to trust reliable sources, stay informed and be careful not to fall prey to such fraudulent schemes.
ESET Research tracked the SpyLoan scheme back to its inception in 2020. When a user installs one of the fake loan apps, they are immediately asked to accept terms and conditions and grant extensive permissions to access sensitive data. The app’s privacy policy states that not granting these permissions means the loan will not be processed. To proceed with a loan application, users must provide a wealth of personal information.
In early 2022, ESET notified Google Play of more than 20 malicious loan apps that had accumulated over 9 million total downloads. Following ESET’s intervention, Google removed these apps from its platform. Additionally, security firm Lookout identified 251 Android apps on Google Play and 35 iOS apps on the Apple App Store exhibiting predatory behavior. Lookout has been in contact with Google and Apple about these apps and published a blog post detailing its findings in November 2022.
Before Lookout’s report was released, Google had already removed most of these harmful apps, two of which were removed by their developers. These apps have been downloaded more than 15 million times on Google Play, and Apple has also removed the identified apps from its store.
ESET telemetry data shows that detections of SpyLoan apps have returned since January 2023 and continue to increase across unofficial third-party app stores, Google Play, and various websites. This increase is highlighted in the ESET Threat Report for the first half of 2023.
Google’s 2022 Security Overview outlines the measures the company has taken to protect Android and Google Play users. These measures included the introduction of new regulations for personal loan apps in several regions. Specifically, over the past three years, Google Play has significantly updated its policies for personal loan apps and implemented specific requirements tailored to countries such as India, Indonesia, the Philippines, Nigeria, Kenya, Pakistan, and Thailand. These targeted policy changes have resulted in the removal of many fake loan apps.
Perpetrators attract victims by promoting these malicious apps through SMS and popular social media platforms such as Twitter, Facebook, and YouTube. By taking advantage of the huge user base of these platforms, scammers target individuals who need money fast.
SpyLoan app impersonation tactics
Another worrying factor, although not a feature of all SpyLoan apps investigated by ESET, is impersonation of reputable loan providers and financial services. This deceptive practice involves misusing the name and brand of an established and legitimate entity. To combat this, several genuine financial services have turned to social media platforms to warn potential victims about these deceptive SpyLoan apps.
Data sent to command and control (C&C) servers typically includes user account lists, call logs, calendar events, device details, installed apps, local Wi-Fi networks, and even file information on the device. Contact lists, location data, and SMS messages are also at risk. The perpetrator encrypts all stolen data before sending it to the C&C server. Although legitimate financial institutions must collect personal information for identity verification and risk assessment, they use far less intrusive data collection methods. ESET Research suggests that the real intention behind the permissions requested by SpyLoan apps is to spy on, harass, and blackmail users and their contacts.
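A defensive triage sketch for the permission pattern described above, added here as an example (it is not ESET's tooling): it reads a decoded AndroidManifest.xml and reports which of the data categories listed in this article the app could reach. The permission-to-category mapping, the threshold of four categories, and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping from Android permissions to the data categories the article
# lists as sent to the C&C server; it is illustrative, not ESET's own list.
CATEGORY_BY_PERMISSION = {
    P + "GET_ACCOUNTS": "user account lists",
    P + "READ_CALL_LOG": "call logs",
    P + "READ_CALENDAR": "calendar events",
    P + "READ_PHONE_STATE": "device details",
    P + "QUERY_ALL_PACKAGES": "installed apps",
    P + "ACCESS_WIFI_STATE": "local Wi-Fi networks",
    P + "READ_EXTERNAL_STORAGE": "file information",
    P + "READ_CONTACTS": "contact lists",
    P + "ACCESS_FINE_LOCATION": "location data",
    P + "ACCESS_COARSE_LOCATION": "location data",
    P + "READ_SMS": "SMS messages",
}

# Constructed sample: a decoded manifest for a hypothetical loan app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.quickloan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def triage(manifest_xml, threshold=4):
    """Flag an app whose permissions reach `threshold` or more categories."""
    perms = requested_permissions(manifest_xml)
    hits = {CATEGORY_BY_PERMISSION[p] for p in perms if p in CATEGORY_BY_PERMISSION}
    return {"categories": sorted(hits), "flag": len(hits) >= threshold}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A flag here is a prompt for closer review, since a loan app has no evident need for most of these categories; it is not a verdict on its own.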
As Facebook and Google Play reviews point out, once these apps are installed and have collected personal data, the app’s enforcers start pressuring the victim to pay, even if the victim never applied for a loan or was not approved for one.
Štefanko explains: “There are several reasons behind the rapid growth of SpyLoan apps. One is that the developers of these apps take inspiration from successful FinTech (financial technology) services, which leverage technology to provide efficient and user-friendly financial services.”
The growing threat of fake SpyLoan apps on the Android platform highlights a critical issue in digital security. This situation highlights the importance of vigilance and careful monitoring of loan-related apps, especially for users in the most targeted regions. It is important to stay informed and vigilant to avoid falling victim to these deceptive and harmful schemes.