Monday, February 24, 2025

Loan sharks expanding their reach with Android apps

Since the beginning of 2023, ESET researchers have observed an alarming growth of deceptive Android loan apps, which present themselves as legitimate personal loan services, promising quick and easy access to funds. Despite their attractive appearance, these services are in fact designed to defraud users by offering them high-interest-rate loans endorsed with deceitful descriptions, all while collecting their victims’ personal and financial information to blackmail them, and in the end gain their funds. ESET products therefore recognize these apps using the detection name SpyLoan, which directly refers to their spyware functionality combined with loan claims.

Key points of the blogpost:

- Apps analyzed by ESET researchers request various sensitive information from their users and exfiltrate it to the attackers’ servers. This data is then used to harass and blackmail users of these apps and, according to user reviews, even if a loan was not provided.
- ESET telemetry shows a discernible growth in these apps across unofficial third-party app stores, Google Play, and websites since the beginning of 2023.
- Malicious loan apps focus on potential borrowers based in Southeast Asia, Africa, and Latin America.
- All of these services operate only via mobile apps, since the attackers can’t access all sensitive user data that is stored on the victim’s smartphone through browsers.

Figure 1. SpyLoan detection trend, seven-day moving average

Overview

ESET is a member of the App Defense Alliance and an active partner in the malware mitigation program, which aims to quickly find Potentially Harmful Applications (PHAs) and stop them before they ever make it onto Google Play.

All of the SpyLoan apps that are described in this blogpost and mentioned in the IoCs section are marketed through social media and SMS messages, and available to download from dedicated scam websites and third-party app stores. All of these apps were also available on Google Play. As a Google App Defense Alliance partner, ESET identified 18 SpyLoan apps and reported them to Google, who subsequently removed 17 of these apps from their platform. Before their removal, these apps had a total of more than 12 million downloads from Google Play. The last app identified by ESET is still available on Google Play – however, since its developers changed its permissions and functionality, we no longer detect it as a SpyLoan app.

It is important to note that every instance of a particular SpyLoan app, regardless of its source, behaves identically due to its identical underlying code. Simply put, if users download a specific app, they’re going to experience the same functions and face the same risks, regardless of where they got the app. It doesn’t matter if the download came from a suspicious website, a third-party app store, or even Google Play – the app’s behavior will be the same in all cases.

None of these services provide an option to request a loan using a website, since through a browser the extortionists can’t access all sensitive user data that is stored on a smartphone and is needed for blackmailing.

In this blogpost, we describe the mechanism of SpyLoan apps and the various deceptive techniques they use to bypass Google Play policies and mislead and defraud users. We also share steps victims can take if they have fallen for this scam and several recommendations about how to distinguish between malicious and legitimate loan apps so that potential borrowers can protect themselves.

Victimology

According to ESET telemetry, the enforcers of these apps operate mainly in Mexico, Indonesia, Thailand, Vietnam, India, Pakistan, Colombia, Peru, the Philippines, Egypt, Kenya, Nigeria, and Singapore (see map in Figure 2). All these countries have various laws that govern private loans – not only their rates but also their communication transparency; however, we don’t know how successfully they are enforced. We believe that any detections outside of these countries are related to smartphones that have, for various reasons, access to a phone number registered in one of these countries. At the time of writing, we haven’t seen an active campaign targeting European countries, the USA, or Canada.

Figure 2. Heatmap of SpyLoan detections seen in ESET telemetry between January 1st and November 30th, 2023

Technical analysis

Initial access

ESET Research has traced the origins of the SpyLoan scheme back to 2020. At that time, such apps presented only isolated cases that didn’t catch the attention of researchers; however, the presence of malicious loan apps kept growing and ultimately, we started to spot them on Google Play, the Apple App Store, and on dedicated scam websites. Screenshots of one such example are shown in Figure 3 and Figure 4.

Figure 3. Apps that were available on official stores for iOS (left) and Android (right) in 2020

Figure 4. Dedicated scam website

At the beginning of 2022, ESET reached out to Google Play to notify the platform about more than 20 malicious loan apps that had over 9 million collective downloads. After our intervention, the company deleted these apps from its platform.

Security company Lookout identified 251 Android apps on Google Play and 35 iOS apps on the Apple App Store that exhibited predatory behavior. According to Lookout, they had been in contact with Google and Apple regarding the identified apps and in November 2022 published a blogpost about these apps. Google already identified and took down the majority of the malicious loan apps ahead of Lookout’s research publication, with two of the identified apps being removed from Google Play by the developer. Collectively these apps across Google Play had over 15 million downloads; Apple also took down the identified apps.

According to ESET telemetry, SpyLoan detections started to rise again in January 2023 and have continued to grow since then even more across unofficial third-party app stores, Google Play, and websites; we outlined this growth in the ESET Threat Report H1 2023.

In their 2022 security summary, Google described how the company kept Android and Google Play users safe by rolling out new requirements for personal loan apps in several regions. As documented, over the past three years, the situation has evolved and Google Play has made several changes to its personal loan app policies – with country-specific requirements in India, Indonesia, Philippines, Nigeria, Kenya, Pakistan, and Thailand – and has unpublished many malicious loan apps.

To lure victims, the perpetrators actively promote these malicious apps with SMS messages and on popular social media channels such as Twitter, Facebook, and YouTube. By leveraging this immense user base, the scammers aim to attract unsuspecting victims who are in need of financial assistance.
Although this scheme is not utilized in every SpyLoan app we analyzed, another alarming aspect of some SpyLoan apps is the impersonation of reputable loan providers and financial services by misusing the names and branding of legitimate entities. To help raise awareness among potential victims, some legitimate financial services even have warned about SpyLoan apps on social media, as can be seen in Figure 5.

Figure 5. RapiCredit warned potential borrowers about a malicious loan app

Toolset

Once a user installs a SpyLoan app, they are prompted to accept the terms of service and grant extensive permissions to access sensitive data stored on the device. Subsequently, the app requests user registration, typically accomplished through SMS one-time password verification to validate the victim’s phone number. These registration forms automatically select the country code based on the country code from the victim’s phone number, ensuring that only individuals with phone numbers registered in the targeted country can create an account, as seen in Figure 6.

Figure 6. Phone number registration with preselected country codes

After successful phone number verification, users gain access to the loan application feature within the app. To complete the loan application process, users are compelled to provide extensive personal information, including address details, contact information, proof of income, banking account information, and even to upload photos of the front and back sides of their identification cards, and a selfie, as depicted in Figure 7.

Figure 7. Apps request sensitive data from the user

SpyLoan apps pose a significant threat by stealthily extracting a wide range of personal information from unsuspecting users – these apps are capable of sending sensitive data to their command and control (C&C) servers. The data that is usually exfiltrated includes the list…
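The "extensive permissions" step described above is one of the few things a defender can check before a loan app is ever run. The following triage script is an added example, not ESET's tooling and not code from the original post: it parses a decoded AndroidManifest.xml (the manifest here is a constructed sample, not from any real app), and flags declared permissions that expose blackmail material a loan app has no business reading, while tolerating the permissions a genuine loan app needs for SMS OTP and ID photos. The risk grouping and the two-permission threshold are this example's own heuristic.

```python
"""Triage an Android app's declared permissions against what a loan app needs."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names; grouping them as "high risk for a loan app"
# is our own triage heuristic. Each unlocks data that can be used for
# harassment or blackmail rather than for assessing a loan.
HIGH_RISK = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_SMS": "SMS message content",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_EXTERNAL_STORAGE": "stored files and photos",
    "android.permission.READ_CALENDAR": "calendar entries",
}

# Constructed sample manifest (hypothetical package name, not a real app).
# RECEIVE_SMS and CAMERA are plausible for OTP and ID-card photos; the rest
# mirror the data-harvesting pattern described in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.quickcash">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return every android:name value from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return [el.get("{%s}name" % ANDROID_NS, "") for el in root.iter("uses-permission")]


def triage(manifest_xml):
    """Flag high-risk permissions; two or more is 'suspicious', one is 'review'."""
    root = ET.fromstring(manifest_xml)
    flagged = {p: HIGH_RISK[p] for p in declared_permissions(manifest_xml) if p in HIGH_RISK}
    verdict = "suspicious" if len(flagged) >= 2 else ("review" if flagged else "ok")
    return {"package": root.get("package"), "flagged": flagged, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print("%s: %s" % (result["package"], result["verdict"]))
    for perm, exposes in result["flagged"].items():
        print("  %s -> exposes %s" % (perm, exposes))
```

A decoded manifest can be obtained from an APK with apktool or by reading it through androguard; the script only needs the resulting XML text.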
