This year, ESET researchers have detected a concerning surge in misleading Android loan applications. These apps masquerade as legitimate personal loan services, assuring users of swift and effortless access to funds. Despite their appealing facade, these services are actually crafted to deceive users by offering loans with exorbitant interest rates, accompanied by misleading descriptions. Simultaneously, these apps collect personal and financial information from users, intending to use it for blackmail. ESET products identify these apps under the name SpyLoan, highlighting their dual functionality as spyware and loan services. These deceptive apps are promoted through social media, SMS messages, and are available for download from dubious websites, third-party app stores, and Google Play.
As a member of the App Defense Alliance (ADA) and an active participant in the malware mitigation program, ESET collaborates to swiftly identify Potentially Harmful Applications, preventing them from entering Google Play. ESET’s involvement led to the identification and removal of 17 SpyLoan apps out of the 18 reported to Google. These apps collectively garnered over 12 million downloads from Google Play before their removal. The remaining app altered its behavior, evading detection as a SpyLoan app by ESET.
Regardless of the source, each instance of a SpyLoan app behaves identically due to its uniform underlying code. Users, irrespective of the app’s origin, face the same functions and risks. ESET telemetry reveals that the enforcers behind these apps, engaging in blackmail and harassment, primarily operate in various countries, including Mexico, Indonesia, Thailand, Vietnam, India, Pakistan, Colombia, Peru, the Philippines, Egypt, Kenya, Nigeria, and Singapore. ESET researchers believe that detections outside these countries may be linked to smartphones with access to a phone number registered in one of these countries. Notably, there are no active campaigns targeting European countries, the USA, or Canada.
In addition to data harvesting and blackmail, these deceptive services represent a form of modern digital usury, exploiting vulnerable individuals by charging exorbitant interest rates. Victims claim the actual Total Annual Cost (TAC) of these loans exceeds the stated amount, and the loan tenure is much shorter than indicated. Some borrowers were pressured to repay loans within five days instead of the stated 91 days, with TAC ranging from 160% to 340%.
ESET researcher Lukáš Štefanko, who uncovered many SpyLoan apps, emphasizes the importance of user caution, urging individuals to verify the authenticity of financial apps and services through trusted sources. ESET Research traces the SpyLoan scheme back to 2020, revealing that once installed, these apps demand extensive permissions and access to sensitive data. The collected data, encrypted before transmission to the Command and Control (C&C) server, includes account lists, call logs, calendar events, device information, installed apps, Wi-Fi network details, file information, contact lists, location data, and SMS messages.
After installation, the app’s enforcers coerce victims into making payments, even if the user didn’t apply for a loan or if the loan application was rejected. This predatory behavior is documented in reviews on Facebook and Google Play. ESET Research believes the permissions requested by SpyLoan apps serve the purpose of spying, harassment, and blackmail.
The rapid growth of SpyLoan apps is attributed to developers drawing inspiration from successful FinTech services, leveraging technology to provide streamlined financial services. For further technical details on SpyLoan apps, refer to the blog post “Beware of predatory fin(tech): Loan sharks use Android apps to reach new depths.” Stay updated with ESET Research on Twitter for the latest developments.
