SpyLoan Malware Hits 8 Million Android Users

Security researchers at McAfee Labs have identified 15 malicious Android apps that contain malware known as ‘SpyLoan’.

These apps have been downloaded over 8 million times from the Google Play Store.

These predatory loan apps disguise themselves as legitimate financial services, luring unsuspecting users into downloading them.

They are targeting users primarily in South America, Southeast Asia, and Africa, with some of them being promoted through deceptive social media advertising.

“These PUP (potentially unwanted programs) applications use social engineering tactics to trick users into providing sensitive information and granting extra mobile app permissions, which can lead to extortion, harassment, and financial loss,” security researcher Fernando Ruiz wrote in a blog post published last week.

According to the security software company, the 15 SpyLoan apps operate using a shared framework designed to encrypt and exfiltrate sensitive data from a victim’s device to a command and control (C2) server, indicating that the same developer or group of cybercriminals is behind all of them.

SpyLoan apps masquerade as legitimate loan providers under deceptive names and logos, creating a false sense of trust.

These apps pose as genuine loan services, promising instant credit with minimal requirements to unsuspecting users in Mexico, Colombia, Senegal, Thailand, Indonesia, Vietnam, Tanzania, Peru, and Chile.

Once a user registers for the service, these apps use a one-time password (OTP) to ensure they have a phone number from the targeted region.

The users are then prompted to provide supplementary identification documents and personal information, banking accounts, employee information, and device data that are subsequently exfiltrated from the victims to the C2 server in an encrypted format.

However, these apps secretly collect sensitive data, including contacts, call logs, and SMS messages, under the pretense of processing loans.

They also employ aggressive tactics, such as demanding additional mobile app permissions and intimidating users with threatening messages or calls, including death threats.

Once the loan is disbursed, users often find themselves trapped in high-interest repayment schemes.

The operators misuse the stolen phone data to harass and blackmail borrowers, often contacting family members to pressure repayment.

According to McAfee Labs, malicious SpyLoan apps and unique infected devices have increased by over 75% from the end of Q2 to the end of Q3 2024.

Five of these apps are still available for download on the official app store, as they have reportedly been adjusted to comply with Google Play policies.

To mitigate the risks posed by such apps, it is advisable to read an app's requested permissions carefully, read its reviews to see whether any issues have been reported, avoid downloading apps from third-party marketplaces, verify the legitimacy of the publisher before installing, and install and keep security software up to date.
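The permission check the article recommends can be automated for an already-installed app. The following is an added example and not McAfee's tooling: it parses the text printed by `adb shell dumpsys package <pkg>` (its layout is assumed from typical Android builds) and flags the contacts, call-log and SMS permissions that a loan app has no business requesting, the same data categories the article says SpyLoan exfiltrates. The package name and dumpsys sample are constructed.

```python
"""Audit an Android package's permissions for the SpyLoan-style data grab.
Added example (not McAfee's code): parses `adb shell dumpsys package <pkg>`
output (format assumed) and reports which contacts/call-log/SMS permissions a
"loan" app requests and currently holds."""
import re

# Data the article says SpyLoan exfiltrates, keyed by the permission gating it.
HIGH_RISK = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "SMS messages",
}

# Matches a permission name, optionally followed by dumpsys's "granted=" state.
PERM_RE = re.compile(r"(android\.permission\.[A-Z_]+)(?::\s*granted=(true|false))?")


def audit_permissions(dumpsys_text: str) -> dict:
    """Map each high-risk permission seen to its category and grant state (None = requested only)."""
    findings = {}
    for line in dumpsys_text.splitlines():
        m = PERM_RE.search(line)
        if not m or m.group(1) not in HIGH_RISK:
            continue
        perm, granted = m.groups()
        entry = findings.setdefault(perm, {"category": HIGH_RISK[perm], "granted": None})
        if granted is not None:          # runtime/install section carries the real state
            entry["granted"] = granted == "true"
    return findings


def readable_data(dumpsys_text: str) -> list:
    """Sorted data categories the app can read right now (permission granted)."""
    return sorted({f["category"] for f in audit_permissions(dumpsys_text).values() if f["granted"]})


# Constructed sample in dumpsys's shape; not output from a real SpyLoan app.
SAMPLE_DUMPSYS = """\
Package [com.example.fastcash] (a1b2c3):
    requested permissions:
      android.permission.READ_CONTACTS
      android.permission.READ_CALL_LOG
      android.permission.READ_SMS
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    print(audit_permissions(SAMPLE_DUMPSYS), "Readable now:", readable_data(SAMPLE_DUMPSYS))
```

On a real device, pipe `adb shell dumpsys package <pkg>` into `audit_permissions`; any non-empty result for a loan app is the warning sign the article describes.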

“The threat of Android apps like SpyLoan is a global issue that exploits users’ trust and financial desperation. Despite law enforcement actions to capture multiple groups linked to the operation of SpyLoan apps, new operators and cybercriminals continue to exploit these fraud activities,” Ruiz said.

“SpyLoan apps operate with similar code at app and C2 level across different continents. This suggests the presence of a common developer or a shared framework that is being sold to cybercriminals. This modular approach allows these developers to quickly distribute malicious apps tailored to various markets, exploiting local vulnerabilities while maintaining a consistent model for scamming users.”
