These malicious Android loan apps could leave millions of users seriously out of pocket

News
By Sead Fadilpašić
published

More than a dozen Android apps made it to the Play Store

Close-up hands counting money American dollars
(Image credit: NATNN / Shutterstock)

Cybersecurity researchers from ESET have discovered malicious loan apps stealing victim’s sensitive data and threaten them with ridicule unless they comply with absurd terms.

The researchers named the collection of over a dozen apps SpyLoan, which are being advertised as financial services tools for personal loans, offering “quick and easy access to funds”.

The team warned there have been more than 12 million combined downloads from the Play Store already, however, the apps are also being distributed via social media, third-party stores, and various websites, meaning the number of downloads is likely to be much higher.

Tricking Google

After the users sign up, the first red flag is the permissions - the app requests many permissions that it objectively doesn’t need, like access to the camera, call logs, or contacts list. If the user still proceeds and signs up for a loan, the app will soon reduce the tenure to mere days and threaten the victim with ridicule if they don’t comply. Given that the app has access to the contacts list, it would start notifying people in that list of the loan.

Furthermore, the app silently gathers plenty of sensitive data from the compromised endpoint - a list of all accounts, device info, call logs, installed apps, calendar events, local Wi-Fi network details, and metadata from images. ESET says that the app can also grab location data and text messages. 

SpyLoan apps are not exactly a novelty, the researchers claim, but they did pick up the pace in 2023. The majority of victims are located in Mexico, India, Thailand, Indonesia, Nigeria, Philippines, Egypt, Vietnam, Singapore, Kenya, Colombia, and Peru.

ESET also said that these apps made it past Google’s protections by being submitted with “compliant privacy policies, required KYC standards, and transparent permission requests.” However, they also link to websites that are obvious impersonations of actual companies.

Out of the 18 apps that were discovered, Google removed 17 from its app repository. The last one is now available with a new set of permissions and as such was allowed to stay.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.