June 16, 2024

Throughout much of 2023, Ana Mariela Macías González, a 31-year-old government official hailing from Puebla, Mexico, experienced an influx of menacing communications. The messages, some of which contained edited photos and several instances implying that she was involved in illicit activities, were sent to everyone on her contact list which included friends, family, and professional associates.

The barrage of unwanted communications came as a result of several unethical apps Macías González had downloaded from the Google Play Store—chief among them JoyCrédito. With her initial debt of 1,000 pesos ($60) ballooning to nearly 60,000 pesos ($3,500) over a six-month period, she decided to report the menacing behavior to the proper authorities. Macías González was then directed to dispense with her phone, discard her SIM card, and steel herself against further violations. The resurgence of respectability only came late in 2023 but by then her reputation had already been damaged. Today some acquaintances still taunt her over the terrible information they received.

However, Macías González is far from the only individual to raise objections against maleficent loan apps, otherwise known as montadeudas or debt mounter apps, in Latin America. According to the Citizen Council for Safety and Justice in Mexico City, an organization that monitors consumer activities, 135 instances of fraud and blackmail connected to JoyCrédito have been reported to local law enforcement. Yet surprisingly, despite these claims of unscrupulous dealings, the app can still be downloaded from the Google Play Store.

For a considerable amount of time, apps such as JoyCrédito have been exploiting borrowers from Mexico to India. Through deceptive practices, they distribute small loans with minimal requirements but exorbitant interest rates, then begin the process of extortion when the repayment date arrives. Despite vocal admonishments from veteran groups, Google officially prohibited these apps from the Play Store in October. However, experiences such as those of Macías González spotlight just how numerous the applications remain and illustrates the apparent inefficacy of Google’s enforcement policies.

Upon raising the issue of under-handed loan apps with Google Mexico, Rest of World presented 15 instances of such exploitative apps available in the country which explicitly violate the Google Play Store’s guidelines. As of the publication of this report, all these apps were available for download from the Play store.

Among the 15 highlighted apps, 12 conspicuously requested access to personal data such as camera roll or contacts list as explicitly stated in the Google Play Store’s terms of service. In two other instances, full access was only mentioned in external documents and one other failed to provide any information regarding data access.

Rest of World also flagged 10 exploitative apps in Peru which have been blacklisted by SBS, a national regulatory body that oversees banking, insurance, and private pension, but are still available for download on the Google Play Store.

The targeted apps rely heavily on comprehensive access to sensitive details on a user’s smartphone, including contacts or photos. Often times, threats of disseminating scandalous or defamatory images are made to users’ relatives and acquaintances even before the repayment date of the loan arrives.

In some cases, extortion has occurred simply from downloading and opening the app on their phones, even without completing the application process. Macías González stated to the police that her personal data was transmitted from one app to the others which then started to offer loans instantly. She claimed, “Although I only downloaded six apps, police records revealed that my data was compromised in almost 150 apps.”

Aware of these issues, Google consistently removes these exploitative loan apps. A Google spokesperson in Mexico confirmed that the company liaises closely with Mexico City’s Citizen Safety Bureau to closely scrutinize these apps due to the high volume of complaints against them.

Ricardo Zamora López, head of communications for Google Mexico, expressed the gravity of the scenario and conveyed commitment on behalf of the company to providing a safe platform to billions of Android users. He said, “We will continue our investigations and cooperate with the corresponding Mexican authorities in the ongoing investigations, with whom we’ve already established a protocol.”

In theory, these apps breach Android’s developer guidelines that prohibit loan apps from accessing sensitive data like the camera roll or contact lists. Apps offering short-term loans are also proscribed. However, in practice, even apps that openly advertise high interest short-term loans on their terms of service are accessible on the Google Play Store.

The terms of service of a dubious Colombian app, LuckyPlata, and Buen Dinero, a Peruvian app available on the Play store, both openly state that the app collects contact lists, SMS, and images which could contain sensitive personal data.

Advocacy groups focusing on digital rights have raised questions about whether Google is reviewing apps and their associated terms thoroughly. José Flores, an activist and head of communications at R3D noted that despite having detailed information in their privacy policies about potential misuse, Google appears to consider the requirements fulfilled.

Furthermore, scammers evade these bans by changing their app names or creating duplicate looking apps. An official from Peru’s SBS stated to the Rest of World that “These types of companies keep evolving”, noting that following public complaints, app developers merely alter their application management, thus evading any existing prohibitions.

Mobile loan companies in Peru have been known to change their names to continue exploiting users. One such firm, Alpacash-Préstamos, was eliminated from the Google Play store in 2020, only to make a comeback in 2023 under the guise of Alpacash-préstamo. In a similar instance in Colombia, spyware loan app Unicop was banned by Google before a clone called UnicopPro appeared (identical logo, but with a tiny dollar sign). Meanwhile, Mexican loan app Magicrédito, originating from the Escandón region of Mexico City, was expelled from the Google Play store in 2021. Despite this, it returned using the name Quikrédito, retaining the same registered address. It appears that 18 individuals filed formal police complaints against Magicrédito according to Mexico City’s Citizen Council for Safety and Justice, resulting in its second removal from the Google Play store.

Epidemic Proportions

The issue is believed to have impacted tens of thousands of Latin Americans. Last year, over 8,000 individuals in Colombia lodged grievances against these predatory loan apps to the national IT crime bureau. Similarly, over 400 complaints were registered in Peru. Between 2021 and 2023, Mexico saw upwards of 18,000 complaints based on information from Mexico City’s Citizen Council for Safety and Justice.

An Underreported Issue

Reports to the authorities might indicate only a fraction of the actual issue. Research by cybersecurity company ESET in May revealed an alarming 88% increase in incidents involving spyware loan apps in the first half of 2023.

Government Actions

As the problem intensifies, law enforcement in Colombia and Mexico has attempted to squash it through targeted operations. Mexico City’s police force, for example, executed a raid against offices of firms associated with over 90 extortion apps in August 2022, leading to the arrest of 27 individuals allegedly making extortion calls. A similar operation was conducted in Colombia in November 2023, resulting in the detention of nine individuals linked to a larger criminal operation.