February 17, 2025
  • The latest menace for Android users is fake loan applications, known as SpyLoans, designed to steal data for blackmailing purposes.
  • An increase in SpyLoan applications was detected by ESET across different platforms as of 2023.
  • Mainly, users from Southeast Asia, Africa, and Latin America are the targets of these fake loan apps.

Android users are unfortunately no strangers to device-related issues. Bearing the brunt of humorous snipes from iPhone users regarding the inferiority of their technological gadgets, they now face a new and significant risk. The troublesome issue of ‘SpyLoan’ apps has emerged in the Android marketplace.

ESET investigators report that the year has seen a considerable rise in fraudulent Android loan applications that pretend to be trustworthy personal loan services. Enticing users with an offer of quick and easily acquired funds, they trick users into accepting high-interest loans under deceptive conditions, all while collecting personal and financial information to exploit later for blackmail. ESET has termed these applications ‘SpyLoans’, a reflection of their dual function as spyware and as loan offers. The apps spread through various channels, including social media, scam websites, third-party app stores, and Google Play.

A Glance at the Rising Phenomenon of SpyLoan Apps on Android

ESET’s alertness resulted in the discovery of 18 different SpyLoan applications, leading to a notification sent to Google. Consequently, Google removed 17 of these applications from its platform. These applications had garnered more than 12 million downloads on Android’s official app store, Google Play, before their removal. The remaining application was modified, leading ESET to no longer categorize it as a dangerous SpyLoan application.

Regardless of the source of the download, every SpyLoan application exhibits similar behavior because they all share identical underlying code. Consequently, users encounter the same risks and consequences whether the app was downloaded from an unofficial website, a third-party app store, or Google Play.

Interestingly, the culprits behind these fraudulent schemes restrict their operations to mobile applications, completely avoiding web-based services. The reason is that mobile applications provide more extensive access to the sensitive data stored on smartphones than web browsers do. Such extensive access is a crucial component for blackmailers to successfully execute their schemes.

Geographically, the culprits behind these dangerous apps mainly operate in countries like Mexico, Indonesia, Thailand, Vietnam, India, Pakistan, Colombia, Peru, the Philippines, Egypt, Kenya, Nigeria, and Singapore, utilizing extreme measures such as death threats to blackmail victims. According to ESET researchers, detections from other countries likely stem from smartphones linked to phone numbers registered in these target regions.

These services extend their harm beyond simply data theft and blackmail, entering into the realm of digital usury. Victims report that the total annual cost (TAC) of these loans is significantly higher than projected, and repayment periods are extremely shortened. In some cases, borrowers were forced to repay loans in only five days, as opposed to the advertised 91 days. The TACs ranged from a staggering 160% to 340%.

Vigilance in Financial Scams is Essential

Lukáš Štefanko, an ESET researcher who played a crucial role in unveiling these SpyLoan applications, explains that these malicious applications take advantage of the trust users place in genuine loan providers. They carry out complicated schemes to deceive and extract various personal details from the users.

Emphasizing the critical need for vigilance and verification of financial applications and services, Štefanko advises users to rely only on trustworthy sources. Staying updated and vigilant can help users avoid falling into the traps of such fraudulent schemes.

ESET Research traced the inception of the SpyLoan scheme back to 2020. Upon installation of the fraudulent loan apps, users are immediately asked to accept the terms of service and to grant extensive permissions allowing access to their sensitive data. The privacy policies of these apps state that if these permissions are not granted, the loan application will not be processed. Users need to submit a multitude of personal data to proceed with the loan application.

In early 2022, ESET informed Google Play about over 20 harmful loan applications that had collectively scored over 9 million downloads. Post ESET’s intervention, Google removed these applications from its platform. Simultaneously, Lookout, another security firm, discovered 251 Android applications on Google Play and 35 iOS applications on the Apple App Store displaying predatory behavior. Lookout communicated these findings to Google and Apple, leading to the removal of these noted applications from their respective stores.

The beginning of 2023 witnessed a resurgence in the detections of SpyLoan applications, reflected through ESET’s telemetry data. This detection escalated across unofficial third-party app stores, Google Play, and different websites, according to ESET’s Threat Report for the first half of 2023.

Google’s 2022 security summary detailed the steps that the company took to protect users. These measures introduced new regulations for personal loan apps in several regions: Google Play revised its policies on personal loan applications specifically for India, Indonesia, the Philippines, Nigeria, Kenya, Pakistan, and Thailand. As a result, many fake loan applications were removed from the platform.

The perpetrators widely advertise these malicious applications on social media platforms like Twitter, Facebook, and YouTube, and through SMS. By accessing the vast user base of these platforms, the scammers specifically target individuals in urgent need of financial help.

Fraudulent Tactics in SpyLoan Applications

A particularly disturbing aspect of some SpyLoan apps is the impersonation of well-established loan providers and financial services. Misusing the names and branding of these legitimate companies lets the operators deceive unsuspecting users. In response, multiple genuine financial organizations have alerted potential victims about these deceptive SpyLoan apps via social media platforms.

The user data exposed to the Command and Control (C&C) server typically includes details such as users’ account list, call logs, calendar events, device data, installed apps, nearby Wi-Fi networks, and even information on data files present on the device. Details such as contact list, location data, and SMS messages are also potentially vulnerable.

While it is standard practice for legitimate financial institutions to collect personal data for identity verification and risk assessment, their data collection methods are far less invasive. According to ESET Research, the primary purpose of the permissions requested by SpyLoan apps is to spy on, harass, and blackmail not only the users but their contacts as well.
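As an added example (not code from ESET or the original article), the following Python check maps the data categories listed above to the Android permissions that gate them and flags a decoded AndroidManifest.xml that requests most of them. The category-to-permission mapping, the threshold of five categories, and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping from the article's data categories to Android permissions.
CATEGORY_PERMISSIONS = {
    "account list": {P + "GET_ACCOUNTS"},
    "call logs": {P + "READ_CALL_LOG"},
    "calendar events": {P + "READ_CALENDAR"},
    "device data": {P + "READ_PHONE_STATE"},
    "installed apps": {P + "QUERY_ALL_PACKAGES"},
    "nearby Wi-Fi networks": {P + "ACCESS_WIFI_STATE"},
    "files on device": {P + "READ_EXTERNAL_STORAGE", P + "MANAGE_EXTERNAL_STORAGE"},
    "contact list": {P + "READ_CONTACTS"},
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "SMS messages": {P + "READ_SMS"},
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded (text) manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms

def audit(manifest_xml, threshold=5):
    """List the sensitive categories an app can reach; flag it at `threshold` or more."""
    perms = requested_permissions(manifest_xml)
    hits = {cat: sorted(perms & wanted)
            for cat, wanted in CATEGORY_PERMISSIONS.items() if perms & wanted}
    return {"categories": hits, "flag": len(hits) >= threshold}

def build_manifest(names):
    """Build a constructed sample manifest (not taken from any real app)."""
    items = "".join(f'<uses-permission android:name="{P}{n}"/>' for n in names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.demo">{items}</manifest>')

# Constructed samples: a loan app asking for far more than it needs, and a modest one.
SAMPLE_SUSPECT = build_manifest(["INTERNET", "READ_CONTACTS", "READ_CALL_LOG", "READ_SMS",
                                 "READ_CALENDAR", "ACCESS_FINE_LOCATION", "GET_ACCOUNTS", "CAMERA"])
SAMPLE_BENIGN = build_manifest(["INTERNET", "CAMERA"])

if __name__ == "__main__":
    for label, sample in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, audit(sample))
```

A flag here is a prompt for closer review of the app, not a verdict: the threshold is arbitrary and some legitimate apps request several of these permissions.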

After the application is installed and personal data is collected, users are pressured into making payments, regardless of whether they applied, or were approved, for a loan.

In conclusion, the increased threats from SpyLoan apps on Android platforms underscore the significance of vigilance and thorough scrutiny of loan-related apps, especially for users in the targeted regions. Being informed and cautious can help users avoid falling victim to these deceptive and harmful schemes.

Muhammad Zulhusni

As a technology writer, Zulhusni concentrates on cloud computing, cybersecurity, and disruptive technology in the enterprise industry. He skillfully moderates webinars and effectively presents content in videos. His professional background is in networking technology.