According to new findings from McAfee Labs, more than a dozen malicious Android apps discovered in the Google Play Store, which have been downloaded more than 8 million times, contain malware known as SpyLoan.
“These PUP (Potentially Unwanted Programs) apps use social engineering tactics to get users to provide sensitive information and grant additional permissions to mobile apps, which can lead to extortion, harassment, and financial loss,” security researcher Fernando Ruiz said in an analysis published last week.
The newly discovered apps aim to offer quick loans with minimal requirements to attract unsuspecting users in Mexico, Colombia, Senegal, Thailand, Indonesia, Vietnam, Tanzania, Peru and Chile.
The 15 predatory loan apps are listed below. Five of them are still available for download from the official app store and are said to have been modified to comply with Google Play’s policies.
- Seguro-Fast, secure loan (com.prestamoseguro.ss)
- Quick loan – Easy loan (com.voscp.rapido)
- Get baht easy – fast credit (com.uang.belanja)
- RupiahKilat-Liquids (com.rupiahkilat.best)
- Borrow with pleasure – Loans (com.gotoloan.cash)
- Happy Money – quick loan (com.hm.happy.money)
- KreditKu-Money Online (com.kreditku.kuindo)
- Dana Kilat-Small Loans (com.winner.rupiahcl)
- Cash loan (com.vay.cashloan.cash)
- RapidFinance (com.restrict.bright.cowboy)
- ReadyForYou (com.credit.orange.enespeces.mtn.ouest.wave.argent.tresor.payer.pret)
- Huayna Money – Quick loan (com.huaynamoney.prestamos.creditos.peru.loan.credit)
- IPréstamos: Rápido Crédito (com.credito.iprestamos.dinero.en.linea.chile)
- Get Sol-Dinero Rápido (com.consegura.sol.pe)
- EcoPrêt online loan (com.pret.loan.ligne.personnel)
Some of these apps have been advertised in posts on social media platforms such as Facebook, illustrating the various methods threat actors use to trick victims into installing them.
SpyLoan is a repeat offender dating back to 2020; an ESET report in December 2023 found another set of 18 apps that tried to deceive users by offering them loans at high interest rates while stealthily collecting their personal and financial information.
The ultimate goal of the scheme is to collect as much information as possible from the infected devices, which can then be used to extort users, forcing them to repay the loans at higher interest rates and, in some cases, harassing them over delayed payments or intimidating them with their stolen personal photos.
“Ultimately, instead of providing real financial help, these apps can lead users into a cycle of debt and privacy violations,” Ruiz said.
Despite the differences in targeting, the apps were found to use a common framework to encrypt and exfiltrate data from the victim’s device to the command-and-control (C2) server. They also follow a similar user experience and onboarding process for applying for a loan.
Additionally, the apps request a number of intrusive permissions that allow them to collect system information, camera access, call logs, contact lists, coarse location, and SMS messages. The data collection is justified to users on the grounds that it is necessary to identify them and prevent fraud.
Users who sign up for the service are verified with a one-time password (OTP) to ensure they have a phone number from the targeted region. They are also asked to provide additional proof of identity, bank account details and employment information, all of which are then exfiltrated to the C2 server encrypted with AES-128.
To reduce the risks associated with such apps, check the permissions an app requests, read its reviews carefully, and verify the legitimacy of the developer before installing it.
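As an added example (not part of the McAfee analysis or this article), the following Python script shows how a defender could triage an app’s AndroidManifest.xml for the intrusive permission combination described above before deciding whether to install or allow it. The sample manifest, its package name, and the mapping from the article’s permission categories to Android permission strings are constructed for illustration.

```python
"""Triage an AndroidManifest.xml for the intrusive permission pattern
the article attributes to SpyLoan apps.

Added example, not McAfee's or the article's tooling. The manifest,
package name and category mapping below are constructed for illustration.
"""
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping from the categories named in the article (SMS, call logs,
# contacts, coarse location, camera) to the Android permission strings that
# grant access to them.
INTRUSIVE = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contact lists",
    "android.permission.ACCESS_COARSE_LOCATION": "coarse location",
    "android.permission.CAMERA": "camera",
}


def declared_permissions(manifest_xml: str) -> list:
    """Return every <uses-permission android:name="..."> in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter("uses-permission"):
        name = el.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def triage(manifest_xml: str) -> dict:
    """Score the manifest: a lending app plausibly needs network access and
    little else, so any INTRUSIVE permission warrants review, and three or
    more distinct data categories together is treated as suspicious."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    flagged = {p: INTRUSIVE[p] for p in perms if p in INTRUSIVE}
    categories = sorted(set(flagged.values()))
    if len(categories) >= 3:
        verdict = "suspicious"
    elif categories:
        verdict = "review"
    else:
        verdict = "ok"
    return {
        "package": root.get("package"),
        "flagged": flagged,
        "categories": categories,
        "verdict": verdict,
    }


# Constructed manifest resembling the permission set described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.loanapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST), indent=2))
```

The manifest can be pulled from an APK with a tool such as apktool or aapt; the point of the check is that a loan app requesting SMS, call-log, contact, location and camera access together matches the data-collection pattern the article describes, regardless of how the app justifies it on screen.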
“The threat of Android apps like SpyLoan is a global problem that exploits users’ trust and financial desperation,” Ruiz said. “Despite law enforcement actions to seize several groups associated with the operation of SpyLoan applications, new operators and cybercriminals continue to exploit these fraudulent activities.”
“SpyLoan programs operate with similar application-level code and C2 across continents. This suggests that there is a common developer or a common framework that is being marketed to cybercriminals. This modular approach allows these developers to quickly distribute malware tailored to different markets, exploiting local vulnerabilities while maintaining a consistent pattern to trick users.”