data to servers operated by the attackers, exposing the victim to potential blackmail and extortion. Depending on the regulations around private loans in the targeted country, the attackers might also participate in illegal money lending and loan sharking by offering unreasonably high-interest-rate loans to already financially vulnerable individuals. Once the user submits their personal data, they are informed that the loan application is being reviewed and will receive an update within a short period of time – which is frequently a fraudulent claim to keep the victim engaged and to obtain as much data as possible. The user isn’t notified of the outcome and doesn’t receive the promised loan, as seen in Figure 8. Figure 8. Deceptive promise of loan application review As already mentioned, the collected data is subsequently used to harass users and demand immediate payment of the specified loan, despite not being approved, as evidenced in Figure 9. If the user delays the payment or refuses to comply with the demands, the attacker threatens to release the victim’s personal information and financial details publicly, which can have dire consequences. Figure 9. Threatening message from the attacker The attackers leverage built-in communication channels within the apps to convey these threats, such as built-in chat channels, phones owned by the attackers, or another voice-over-IP service, using the phone numbers provided by the victim during registration. This creates added pressure on the victim to comply with the attacker’s demands and pay the falsely claimed loan. Conclusion The malicious apps described in this blogpost are part of an alarming trend of fraudulent loan services presented through Android apps. These services deceive users by offering high-interest-rate loans and collecting extensive personal and financial information to extort and blackmail vulnerable individuals. The SpyLoan apps have garnered millions of downloads, and while some have been removed from official app stores, many continue to be available for download. While ESET is working to identify and report these apps to Google as part of the App Defense Alliance, it’s important for potential borrowers to remain cautious and discerning when seeking loan services on their mobile devices. By educating users about the deceptive tactics employed by these malicious apps and providing guidance on distinguishing between legitimate and malicious loan apps, we strive to protect users from financial fraud and extortion. Nevertheless, the responsibility also falls on official app stores, like Google Play, to maintain robust and strict app review processes to prevent malicious loan apps from reaching their platforms and potentially defrauding millions of users. As the use of mobile apps for financial transactions and services continues to grow, increased vigilance and collaboration between security researchers, app platforms, and users are vital to combatting the spread of malicious loan apps and protecting vulnerable individuals from extortion and fraud.
Loan sharks exploit Android apps to expand their reach
