These malicious Android loan apps could leave millions of users seriously out of pocket
Cybersecurity researchers at ESET have discovered malicious lending apps that steal victims' sensitive data and threaten them with ridicule unless they comply with absurd terms.
The researchers named the collection of over a dozen apps SpyLoan. They are advertised as financial services tools for personal loans, offering “quick and easy access to funds.”
The team warned that there have already been more than 12 million combined downloads from the Play Store, but the apps are also distributed via social media, third-party stores and various websites, meaning the real number of downloads is likely to be much higher.
Trick Google
Once users log in, the first red flags are the permissions: the app asks for many permissions that it objectively does not need, such as access to the camera, call logs or contact list. If the user does go ahead and sign up for a loan, the app will soon reduce the term to just a few days and threaten the victim with ridicule if they don't comply. Since the app has access to the contact list, it can notify people on that list about the loan.
Furthermore, the app silently collects a lot of sensitive data from the compromised endpoint: a list of all accounts, device information, call logs, installed apps, calendar events, local Wi-Fi network data, and image metadata. ESET says the app can also collect location data and text messages.
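One way to turn the two preceding paragraphs into a defender's triage check, as an added example that is not ESET's tooling or anything from the report: parse a decoded AndroidManifest.xml, compare the requested permissions against an allowlist of what a lending app can plausibly justify, and map each excess permission to the kind of data it exposes (contacts, call logs, SMS, location, accounts, calendar, Wi-Fi state). The manifest text, the package name and the allowlist are constructed for illustration; the permission names are real Android permission identifiers.

```python
"""Flag permissions a consumer lending app has no business requesting.

Added example, not part of the ESET research. Input is a decoded
AndroidManifest.xml (e.g. as produced by apktool); output is the set of
requested permissions outside an assumed per-category allowlist, each
mapped to the category of personal data it unlocks.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed allowlist: what a loan app can justify. CAMERA is deliberately
# excluded so that it is reported for manual review, matching the red flags
# described in the article.
LOAN_APP_ALLOWLIST = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.VIBRATE",
}

# Real Android permission names mapped to the data category they expose.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECEIVE_SMS": "text messages",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.GET_ACCOUNTS": "account list",
    "android.permission.READ_CALENDAR": "calendar events",
    "android.permission.ACCESS_WIFI_STATE": "local Wi-Fi network data",
    "android.permission.READ_EXTERNAL_STORAGE": "stored images and metadata",
    "android.permission.READ_MEDIA_IMAGES": "stored images and metadata",
    "android.permission.READ_PHONE_STATE": "device identifiers",
}

# Constructed sample manifest with a placeholder package name.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="com.example.custom.SYNC"/>
    <application android:label="Example Loan App"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every android:name declared in a <uses-permission> element.
    Runtime permissions must still be declared here, so the manifest is a
    complete inventory of what the app can ever ask for."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter("uses-permission"):
        name = el.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.append(name)
    return names


def triage(manifest_xml: str, allowlist=frozenset(LOAN_APP_ALLOWLIST)) -> dict:
    """Map each permission outside the allowlist to the data it exposes.
    Unknown (vendor or custom) permissions are kept for manual review."""
    findings = {}
    for perm in requested_permissions(manifest_xml):
        if perm in allowlist:
            continue
        findings[perm] = SENSITIVE.get(perm, "unclassified (review manually)")
    return findings


def exposed_categories(findings: dict) -> list[str]:
    """Distinct data categories an app could harvest, sorted for reporting."""
    return sorted({cat for cat in findings.values() if not cat.startswith("unclassified")})


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    for perm, category in result.items():
        print(f"{perm:50s} -> {category}")
    print("exposed:", ", ".join(exposed_categories(result)))
```

Applying the same allowlist to a batch of decoded manifests gives a quick ranking of which apps in a store listing or incident set request the widest spread of personal data, which is the pattern the article describes.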
SpyLoan apps aren't exactly a novelty, the researchers argue, but they have picked up the pace in 2023. The majority of victims are in Mexico, India, Thailand, Indonesia, Nigeria, the Philippines, Egypt, Vietnam, Singapore, Kenya, Colombia and Peru.
ESET also said that these apps got past Google's protections by being submitted with “compliant privacy policies, required KYC standards and transparent consent requests.” However, they also link to websites that are clear imitations of real companies.
Of the 18 apps discovered, Google removed 17 from its app store. The remaining one is now available with a new set of permissions and was allowed to stay up in that form.