Looking For A Loan?

Cybersecurity researchers have discovered 18 malicious loan apps for Android on the Google Play Store that have been downloaded over 12 million times.  Despite their attractive appearance, these services are designed to defraud users by offering high-interest loans backed by deceitful descriptions, all while collecting their victims' personal and financial information to blackmail them and ultimately take their money.

The cybersecurity investigators are tracking these apps under the name SpyLoan, noting that they are designed to target potential borrowers in Southeast Asia, Africa, and Latin America.

The list of apps, which Google has now taken down, is below -

  • AA Kredit: इंस्टेंट लोन ऐप (com.aa.kredit.android)
  • Amor Cash: Préstamos Sin Buró (com.amorcash.credito.prestamo)
  • Oro Préstamo - Efectivo rápido (com.app.lo.go)
  • Cashwow (com.cashwow.cow.eg)
  • CrediBus Préstamos de crédito (com.dinero.profin.prestamo.credito.credit.credibus.loan.efectivo.cash)
  • ยืมด้วยความมั่นใจ - ยืมด่วน (com.flashloan.wsft)
  • PréstamosCrédito - GuayabaCash (com.guayaba.cash.okredito.mx.tala)
  • Préstamos De Crédito-YumiCash (com.loan.cash.credit.tala.prestmo.fast.branch.mextamo)
  • Go Crédito - de confianza (com.mlo.xango)
  • Instantáneo Préstamo (com.mmp.optima)
  • Cartera grande (com.mxolp.postloan)
  • Rápido Crédito (com.okey.prestamo)
  • Finupp Lending (com.shuiyiwenhua.gl)
  • 4S Cash (com.swefjjghs.weejteop)
  • TrueNaira – Online Loan (com.truenaira.cashloan.moneycredit)
  • EasyCash (king.credit.ng)
  • สินเชื่อปลอดภัย - สะดวก (com.sc.safe.credit)

Prominent infection pathways are SMS messages and social media channels such as Twitter, Facebook, and YouTube. However, the apps are also available for download from scam websites and third-party app stores.  None of these services provide an option to request a loan using a website since, through a browser, the extortionists cannot access all sensitive user data stored on a smartphone that is needed for blackmailing.

The apps are part of a broader scheme that dates back to 2020 and adds to the tally of over 300 apps for Android and iOS that Kaspersky, Lookout, and Zimperium uncovered in 2022, which exploited "victims' desire for quick cash to ensnare borrowers into predatory loan contracts and require them to grant access to sensitive information such as contacts and SMS messages."  Besides harvesting the information from compromised devices, the operators of SpyLoan have also been observed resorting to blackmail and harassment tactics to pressure victims into making payments by threatening to release their photos and videos on social media platforms.

In one message that was posted on the Google Play Help Community in February 2023, a user from Nigeria called out EasyCash for "fraudulently giving loans to their victims with high and exorbitant interest rates and forcefully make them pay using threats about blackmails, defamation, and character assassination when they have the debtor's address and full government name including their bank identification number (BVN), but they still go ahead to embarrass people putting them under unnecessary pressure and panic."

The apps use misleading privacy policies to explain why they need permission to access users' media files, cameras, calendars, contacts, call logs, and SMS messages. Some apps also include links to bogus websites, replete with stolen office environment photos and stock images, to give their operations a veil of legitimacy.  To mitigate the risks posed by such spyware threats, it is advised to stick to official sources for downloading apps, validate the authenticity of such offerings, as well as pay close attention to reviews and permissions before installation.
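The two checks recommended above (match installed apps against the published package names, and question a loan app that asks for SMS, contacts, call logs, calendar, camera or media access) can be automated on a device you administer. The following Python script is an added example and is not code from the article or from Red Sky Alliance. It assumes the package list came from `adb shell pm list packages` (one `package:<name>` line per app) and that each app's granted permissions were collected separately; the device inventory below is constructed sample data, and `com.example.notes` and `com.example.quickloan` are hypothetical package names.

```python
"""Triage installed Android packages against the SpyLoan package names listed
in the article, and flag loan apps whose permissions reach into data classes
a loan app never needs.  Added example; inputs are constructed sample data.
"""
import re

# Package names exactly as listed in the article (apps Google has taken down).
SPYLOAN_PACKAGES = {
    "com.aa.kredit.android",
    "com.amorcash.credito.prestamo",
    "com.app.lo.go",
    "com.cashwow.cow.eg",
    "com.dinero.profin.prestamo.credito.credit.credibus.loan.efectivo.cash",
    "com.flashloan.wsft",
    "com.guayaba.cash.okredito.mx.tala",
    "com.loan.cash.credit.tala.prestmo.fast.branch.mextamo",
    "com.mlo.xango",
    "com.mmp.optima",
    "com.mxolp.postloan",
    "com.okey.prestamo",
    "com.shuiyiwenhua.gl",
    "com.swefjjghs.weejteop",
    "com.truenaira.cashloan.moneycredit",
    "king.credit.ng",
    "com.sc.safe.credit",
}

# Standard Android permissions that map onto the data classes the article says
# SpyLoan apps demand: media files, camera, calendar, contacts, call logs, SMS.
OVERREACHING_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_EXTERNAL_STORAGE": "media files",
    "android.permission.READ_MEDIA_IMAGES": "media files",
    "android.permission.READ_MEDIA_VIDEO": "media files",
}

# `pm list packages` prints one line per app in the form "package:<name>".
PM_LIST_LINE = re.compile(r"^package:(\S+)$")


def parse_pm_list(output: str) -> list[str]:
    """Extract package names from `pm list packages` output, ignoring noise lines."""
    names = []
    for line in output.splitlines():
        m = PM_LIST_LINE.match(line.strip())
        if m:
            names.append(m.group(1))
    return names


def assess(package: str, granted: set[str]) -> dict:
    """Verdict for one package.

    known_spyloan -> name matches the article's list (exact indicator match)
    overreaching  -> granted permissions expose data a loan app never needs
    clean         -> nothing flagged
    """
    if package in SPYLOAN_PACKAGES:
        return {"package": package, "verdict": "known_spyloan", "data": []}
    exposed = sorted({OVERREACHING_PERMISSIONS[p] for p in granted
                      if p in OVERREACHING_PERMISSIONS})
    if exposed:
        return {"package": package, "verdict": "overreaching", "data": exposed}
    return {"package": package, "verdict": "clean", "data": []}


def triage(pm_output: str, permissions: dict[str, set[str]]) -> list[dict]:
    """Assess every package in the inventory; a package with no permission
    record is treated as holding none."""
    return [assess(p, permissions.get(p, set())) for p in parse_pm_list(pm_output)]


# Constructed sample inventory: one harmless app, one package from the article's
# list, and one hypothetical loan app that asks for SMS and contact access.
SAMPLE_PM_OUTPUT = """\
package:com.example.notes
package:com.okey.prestamo
package:com.example.quickloan
"""
SAMPLE_PERMISSIONS = {
    "com.example.notes": {"android.permission.INTERNET"},
    "com.example.quickloan": {
        "android.permission.INTERNET",
        "android.permission.READ_CONTACTS",
        "android.permission.READ_SMS",
    },
}

if __name__ == "__main__":
    for result in triage(SAMPLE_PM_OUTPUT, SAMPLE_PERMISSIONS):
        print(result)
```

The exact-name match only catches the packages already published; the permission check is the durable part, since a loan app that can read SMS, contacts or call logs is the same risk whatever it is named.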

SpyLoan is an essential reminder of the risks borrowers face when seeking online financial services.  These malicious applications exploit the trust users place in legitimate loan providers, using sophisticated techniques to deceive and steal a wide range of personal information.

The development also follows the resurgence of an Android banking trojan dubbed TrickMo that masquerades as a free movie streaming app and comes fitted with upgraded capabilities, such as stealing screen content, downloading runtime modules, and overlay injection to extract credentials from targeted applications, in addition to utilizing JsonPacker to conceal its malicious code.  The malware's transition to overlay attacks, its use of JsonPacker for code obfuscation, and its consistent behavior with the command-and-control server highlight the threat actor's dedication to refining their strategies.

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Call for assistance.  For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com   


Weekly Cyber Intelligence Briefings: 

Reporting: https://www.redskyalliance.org/

Website: https://www.redskyalliance.com/

LinkedIn: https://www.linkedin.com/company/64265941


REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632
