8 Million Android Users Hit by SpyLoan Malware in Loan Apps on Google Play

Over a dozen malicious Android apps identified on the Google Play Store that have been collectively downloaded over 8 million times contain malware known as SpyLoan, according to new findings from McAfee Labs.

"These PUP (potentially unwanted programs) applications use social engineering tactics to trick users into providing sensitive information and granting extra mobile app permissions, which can lead to extortion, harassment, and financial loss," security researcher Fernando Ruiz said in an analysis published last week.

The newly discovered apps purport to offer quick loans with minimal requirements to attract unsuspecting users in Mexico, Colombia, Senegal, Thailand, Indonesia, Vietnam, Tanzania, Peru, and Chile.

The 15 predatory loan apps are listed below. Five of these apps that are still available for download from the official app store are said to have made changes to comply with Google Play policies.

• Préstamo Seguro-Rápido, seguro (com.prestamoseguro.ss )
• Préstamo Rápido-Credit Easy (com.voscp.rapido)
• ได้บาทง่ายๆ-สินเชื่อด่วน (com.uang.belanja)
• RupiahKilat-Dana cair (com.rupiahkilat.best)
• ยืมอย่างมีความสุข – เงินกู้ (com.gotoloan.cash)
• เงินมีความสุข – สินเชื่อด่วน (com.hm.happy.money)
• KreditKu-Uang Online (com.kreditku.kuindo)
• Dana Kilat-Pinjaman kecil (com.winner.rupiahcl)
• Cash Loan-Vay tiền (com.vay.cashloan.cash)
• RapidFinance (com.restrict.bright.cowboy)
• PrêtPourVous (com.credit.orange.enespeces.mtn.ouest.wave.argent.tresor.payer.pret)
• Huayna Money – Préstamo Rápido (com.huaynamoney.prestamos.creditos.peru.loan.credit)
• IPréstamos: Rápido Crédito (com.credito.iprestamos.dinero.en.linea.chile)
• ConseguirSol-Dinero Rápido (com.conseguir.sol.pe)
• ÉcoPrêt Prêt En Ligne (com.pret.loan.ligne.personnel)

Some of these apps have been promoted through posts on social media platforms like Facebook, indicating the various methods threat actors are using to trick predictive victims into installing them.

SpyLoan is a repeat offender that dates back to 2020, with a report from ESET in December 2023 uncovering another set of 18 apps that sought to defraud users by offering them high-interest-rate loans, while stealthily also collecting their personal and financial information.

The end goal of the financial scheme is to collect as much information as possible from infected devices, which could then be used to extort users by coercing them into paying the loans back at higher interest rates, and in some cases, for delayed payments or intimidating them with stolen personal photos.

"Ultimately, rather than providing genuine financial assistance, these apps can lead users into a cycle of debt and privacy violations," Ruiz said.

Despite differences in the targeting, the apps have been found to share a common framework to encrypt and exfiltrate data from a victim's device to a command-and-control (C2) server. They also follow a similar user experience and onboarding process to apply for the loan.

Furthermore, the apps request for a number of intrusive permissions that allow them to harvest system information, camera, call logs, contact lists, coarse location, and SMS messages. The data collection is justified by claiming it's required as part of user identification and anti-fraud measures.

Users who register for the service are validated via a one-time password (OTP) to ensure they have a phone number from the target region. They are also urged to provide supplementary identification documents, bank accounts, and employee information, all of which are subsequently exfiltrated to the C2 server in encrypted format using AES-128.

To mitigate the risks posed by such apps, it's essential to review app permissions, scrutinize app reviews, and confirm the legitimacy of the app developer before downloading them.

"The threat of Android apps like SpyLoan is a global issue that exploits users' trust and financial desperation," Ruiz said. "Despite law enforcement actions to capture multiple groups linked to the operation of SpyLoan apps, new operators and cybercriminals continue to exploit these fraud activities."

"SpyLoan apps operate with similar code at app and C2 level across different continents. This suggests the presence of a common developer or a shared framework that is being sold to cybercriminals. This modular approach allows these developers to quickly distribute malicious apps tailored to various markets, exploiting local vulnerabilities while maintaining a consistent model for scamming users."