Since the beginning of 2023, ESET researchers have observed an alarming growth of deceptive Android loan apps, which present themselves as legitimate personal loan services, promising quick and easy access to funds.
Despite their attractive appearance, these services are in fact designed to defraud users by offering them high-interest-rate loans endorsed with deceitful descriptions, all while collecting their victims’ personal and financial information to blackmail them, and in the end gain their funds. ESET products therefore recognize these apps using the detection name SpyLoan, which directly refers to their spyware functionality combined with loan claims.
Key points of the blogpost:
Apps analyzed by ESET researchers request various sensitive information from their users and exfiltrate it to the attackers’ servers.
This data is then used to harass and blackmail users of these apps and, according to user reviews, this happens even if a loan was not provided.
ESET telemetry shows a discernible growth in these apps across unofficial third-party app stores, Google Play, and websites since the beginning of 2023.
Malicious loan apps focus on potential borrowers based in Southeast Asia, Africa, and Latin America.
All of these services operate only via mobile apps, since the attackers can’t access all sensitive user data that is stored on the victim’s smartphone through browsers.
Figure 1. SpyLoan detection trend, seven-day moving average
ESET is a member of the App Defense Alliance and an active partner in the malware mitigation program, which aims to quickly find Potentially Harmful Applications (PHAs) and stop them before they ever make it onto Google Play.
All of the SpyLoan apps that are described in this blogpost and mentioned in the IoCs section are marketed through social media and SMS messages, and available to download from dedicated scam websites and third-party app stores. All of these apps were also available on Google Play. As a Google App Defense Alliance partner, ESET identified 18 SpyLoan apps and reported them to Google, who subsequently removed 17 of these apps from their platform. Before their removal, these apps had a total of more than 12 million downloads from Google Play. The last app identified by ESET is still available on Google Play – however, since its developers changed its permissions and functionality, we no longer detect it as a SpyLoan app.
It is important to note that every instance of a particular SpyLoan app, regardless of its source, behaves identically due to its identical underlying code. Simply put, if users download a specific app, they’re going to experience the same functions and face the same risks, regardless of where they got the app. It doesn’t matter if the download came from a suspicious website, a third-party app store, or even Google Play – the app’s behavior will be the same in all cases.
None of these services provide an option to request a loan using a website, since through a browser the extortionists can’t access all sensitive user data that is stored on a smartphone and is needed for blackmailing.
In this blogpost, we describe the mechanism of SpyLoan apps and the various deceptive techniques they use to bypass Google Play policies and mislead and defraud users. We also share steps victims can take if they have fallen for this scam and several recommendations about how to distinguish between malicious and legitimate loan apps so that potential borrowers can protect themselves.
According to ESET telemetry, the enforcers of these apps operate mainly in Mexico, Indonesia, Thailand, Vietnam, India, Pakistan, Colombia, Peru, the Philippines, Egypt, Kenya, Nigeria, and Singapore (see map in Figure 2). All these countries have various laws that govern private loans – not only their rates but also their communication transparency; however, we don’t know how successfully they are enforced. We believe that any detections outside of these countries are related to smartphones that have, for various reasons, access to a phone number registered in one of these countries.
At the time of writing, we haven’t seen an active campaign targeting European countries, the USA, or Canada.
Figure 2. Heatmap of SpyLoan detections seen in ESET telemetry between January 1st and November 30th, 2023
ESET Research has traced the origins of the SpyLoan scheme back to 2020. At that time, such apps presented only isolated cases that didn’t catch the attention of researchers; however, the presence of malicious loan apps kept growing and ultimately, we started to spot them on Google Play, the Apple App Store, and on dedicated scam websites. Screenshots of one such example are shown in Figure 3 and Figure 4. This multiplatform approach maximized their reach and increased the chances of user engagement, although these apps were later taken down from both official app stores.
Figure 3. Apps that were available on official stores for iOS (left) and Android (right) in 2020
Figure 4. Dedicated scam website
At the beginning of 2022, ESET reached out to Google Play to notify the platform about more than 20 malicious loan apps that had over 9 million collective downloads. After our intervention, the company deleted these apps from its platform. Security company Lookout identified 251 Android apps on Google Play and 35 iOS apps on the Apple App Store that exhibited predatory behavior. According to Lookout, they had been in contact with Google and Apple regarding the identified apps and in November 2022 published a blogpost about these apps. Google already identified and took down the majority of the malicious loan apps ahead of Lookout’s research publication, with two of the identified apps being removed from Google Play by the developer. Collectively these apps across Google Play had over 15 million downloads; Apple also took down the identified apps.
According to ESET telemetry, SpyLoan detections started to rise again in January 2023 and have continued to grow since then even more across unofficial third-party app stores, Google Play, and websites; we outlined this growth in the ESET Threat Report H1 2023.
In their 2022 security summary, Google described how the company kept Android and Google Play users safe by rolling out new requirements for personal loan apps in several regions. As documented, over the past three years, the situation has evolved and Google Play has made several changes to its personal loan app policies – with country-specific requirements in India, Indonesia, Philippines, Nigeria, Kenya, Pakistan, and Thailand – and has unpublished many malicious loan apps.
To lure victims, the perpetrators actively promote these malicious apps with SMS messages and on popular social media channels such as Twitter, Facebook, and YouTube. By leveraging this immense user base, the scammers aim to attract unsuspecting victims who are in need of financial assistance.
Although this scheme is not utilized in every SpyLoan app we analyzed, another alarming aspect of some SpyLoan apps is the impersonation of reputable loan providers and financial services by misusing the names and branding of legitimate entities. To help raise awareness among potential victims, some legitimate financial services even have warned about SpyLoan apps on social media, as can be seen in Figure 5.
Figure 5. RapiCredit warned potential borrowers about a malicious loan app
Once a user installs a SpyLoan app, they are prompted to accept the terms of service and grant extensive permissions to access sensitive data stored on the device. Subsequently, the app requests user registration, typically accomplished through SMS one-time password verification to validate the victim’s phone number.
These registration forms automatically select the country code based on the country code from the victim’s phone number, ensuring that only individuals with phone numbers registered in the targeted country can create an account, as seen in Figure 6.
Figure 6. Phone number registration with preselected country codes
After successful phone number verification, users gain access to the loan application feature within the app. To complete the loan application process, users are compelled to provide extensive personal information, including address details, contact information, proof of income, banking account information, and even to upload photos of the front and back sides of their identification cards, and a selfie, as depicted in Figure 7.
Figure 7. Apps request sensitive data from the user
SpyLoan apps pose a significant threat by stealthily extracting a wide range of personal information from unsuspecting users – these apps are capable of sending sensitive data to their command and control (C&C) servers. The data that is usually exfiltrated includes the list of accounts, call logs, calendar events, device information, lists of installed apps, local Wi-Fi network information, and even information about files on the device (such as Exif metadata from images without actually sending the photographs themselves). Additionally, contact lists, location data, and SMS messages are also vulnerable. To protect their activities, the perpetrators encrypt all the stolen data before transmitting it to the C&C server.
As SpyLoan apps evolved, their malicious code became more sophisticated. In earlier versions, the malware’s harmful functionality wasn’t hidden or protected; however, later versions incorporated some more advanced techniques like code obfuscation, encrypted strings, and encrypted C&C communication to hide their malicious activities. For a more detailed understanding of these improvements, refer to Figure 8 and Figure 9.
Figure 8. Code responsible for data exfiltration in an earlier SpyLoan version
Figure 9. Slightly obfuscated code responsible for data exfiltration in a recent SpyLoan version
On May 31st, 2023, additional policies started to apply to loan apps on Google Play, stating that such apps are prohibited from asking for permission to access sensitive data such as images, videos, contacts, phone numbers, location, and external storage data. It appears this updated policy didn’t have an immediate effect on existing apps, as most of the ones we reported were still available on the platform (including their broad permissions) after the policy started to apply, as depicted in Figure 10. However, as we mentioned, Google later unpublished these apps.
Figure 10. Example of the broad permissions SpyLoan apps request from their users
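To show how the permission pattern in Figure 10 can be checked mechanically, here is an added example (not ESET's code or tooling) that audits a decoded AndroidManifest.xml, such as the one apktool produces, against the data categories the May 2023 Google Play loan-app policy prohibits and the further data sources this blogpost reports SpyLoan harvesting. The mapping from categories to Android permission names and the sample manifest are my own constructions.

```python
# Added example (not ESET's code): audit a decoded AndroidManifest.xml for the
# permission categories Google Play's May 2023 loan-app policy prohibits, plus
# the other data sources the blogpost says SpyLoan apps exfiltrate.
from __future__ import annotations
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Category -> permission mapping is my own approximation of the policy text
# (images, videos, contacts, phone numbers, location, external storage);
# it is not an official Google list.
PROHIBITED_FOR_LOAN_APPS = {
    "images": {"android.permission.READ_MEDIA_IMAGES"},
    "videos": {"android.permission.READ_MEDIA_VIDEO"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "phone numbers": {"android.permission.READ_PHONE_NUMBERS",
                      "android.permission.READ_PHONE_STATE"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "external storage": {"android.permission.READ_EXTERNAL_STORAGE",
                         "android.permission.WRITE_EXTERNAL_STORAGE"},
}

# Further data the blogpost reports SpyLoan exfiltrating (not in the policy list).
# CAMERA is deliberately not flagged: the cited policy text does not name it.
SPYLOAN_HARVEST = {
    "call logs": {"android.permission.READ_CALL_LOG"},
    "SMS messages": {"android.permission.READ_SMS"},
    "calendar events": {"android.permission.READ_CALENDAR"},
    "accounts": {"android.permission.GET_ACCOUNTS"},
}


def requested_permissions(manifest_xml: str) -> set[str]:
    """Collect every permission name declared via <uses-permission> tags."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(NAME_ATTR)
            if name:
                names.add(name)
    return names


def audit(manifest_xml: str) -> dict[str, list[str]]:
    """Return the prohibited and SpyLoan-style categories the manifest requests."""
    perms = requested_permissions(manifest_xml)

    def hits(table: dict[str, set[str]]) -> list[str]:
        return sorted(cat for cat, names in table.items() if perms & names)

    return {
        "policy_violations": hits(PROHIBITED_FOR_LOAN_APPS),
        "spyloan_style_harvest": hits(SPYLOAN_HARVEST),
    }


# Constructed sample manifest modelled on the broad permission set in Figure 10.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.loanapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
"""

if __name__ == "__main__":
    for key, categories in audit(SAMPLE_MANIFEST).items():
        print(f"{key}: {', '.join(categories) or 'none'}")
```

A loan app whose manifest trips the first list is already outside the policy the blogpost describes; the second list is what turns a loan app into spyware.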
After such an app is installed and personal data is collected, the app’s enforcers start to harass and blackmail their victims into making payments, even if – according to the reviews – the user didn’t apply for a loan or applied but the loan wasn’t approved. Such practices have been described in the reviews of these apps on Facebook and on Google Play, as shown in Figure 11 (even mentioning death threats), Figure 12 (partial machine translation: Is the debt you have worth your peace of mind and that of your loved ones? … Do you really want to put your safety at risk? … Are you willing to pay the consequences? You can get into a lot of problems, avoid a bad experience for yourself and those around you.), and Figure 13.
Figure 11. Reviewers of these apps claim to have been harassed and threatened, some of them even if they didn’t receive a loan
Figure 12. A threatening message a victim received and then posted on Facebook
Figure 13. These reviewers claim they either didn’t apply for a loan and are still being blackmailed and threatened, or didn’t get a loan but the app is requesting repayment
Besides the data harvesting and blackmailing, these services present a form of modern-day digital usury, which refers to the charging of excessive interest rates on loans, taking advantage of vulnerable individuals with urgent financial needs, or borrowers who have limited access to mainstream financial institutions. One user gave a negative review (shown in Figure 14) to a SpyLoan app not because it was harassing him, but because it had already been four days since he applied for a loan, but nothing had happened and he needed money for medication.
Figure 14. Review claiming delay in approval of his loan application
Usury is generally seen as so unethical that it is condemned in various religious texts and is regulated by laws to protect borrowers from such predatory practices. It is, however, important to note that a standard loan agreement is not considered usury if the interest is set at a reasonable rate and follows legal guidelines.
Reasons behind the rapid growth
There are several reasons behind the rapid growth of SpyLoan apps. One is that the developers of these apps take inspiration from successful FinTech (financial technology) services, which leverage technology to provide streamlined and user-friendly financial services. FinTech apps and platforms are known to disrupt the traditional financial industry by offering convenience in terms of accessibility, allowing people, in a user-friendly way, to perform various financial activities anytime, anywhere, using only their smartphones. In contrast, the only thing SpyLoan apps disrupt is the trust in technology, financial institutions, and similar entities.
Another reason for their growth was noted in Zimperium’s analysis of how malicious actors took advantage of the Flutter framework and used it to develop malicious loan apps. Flutter is an open-source software development kit (SDK) designed for building cross-platform applications that can run on various platforms such as Android, iOS, web, and Windows. Since its launch in December 2018, Flutter has played a significant role in facilitating the development of new mobile applications and driving their introduction into the market.
While only app developers can confirm with certainty whether they used Flutter to program their apps or parts of them, out of the 17 apps we reported to Google, three of them contain Flutter-specific libraries or .dart extensions, which refer to Flutter’s Dart programming language. This indicates that at least some of the attackers are using benign third-party tools to facilitate the development of their malicious apps.
Deceptive communication techniques
Malicious loan apps often use wording and design elements that closely resemble legitimate loan apps. This intentional similarity makes it difficult for typical users to determine the authenticity of an app, especially when financial and legal terms are involved. The deceptive communications deployed by these apps are divided into several layers.
Official Google Play description
To be able to put their foot in the door of Google Play and be published on the platform, all of the SpyLoan apps we analyzed provided a description that mostly appears to be in line not only with Google Play requirements but also seems to cover local legal demands; some apps even claimed to be registered non-banking financial companies. However, the on-the-ground transactions and business practices – as evidenced by user reviews and other reports – carried out by the developers of these apps didn’t meet the standards explicitly stated by them.
In general, SpyLoan apps openly state what permissions are requested, claim to have the right license, and provide the range of the annual percentage rate (which is always within the legal limit set by local usury laws or similar legislation). The annual percentage rate (APR) describes and includes the interest rate and certain fees or charges associated with the loan, such as origination fees, processing fees, or other finance charges. In many countries it is legally capped; for instance, in the case of personal loan providers in the US, Google capped the APR at 36%.
The total annual cost (TAC; or CAT – costo anual total – in Spanish) goes beyond the APR and includes not only the interest rate and fees but also other costs, such as insurance premiums or additional expenses related to the loan. The TAC, therefore, provides borrowers with a more accurate estimate of the total financial commitment required by the loan, including all associated costs. As some Latin American countries require loan providers to disclose the TAC, SpyLoan apps marketed in this region revealed the true high cost of their loans with TACs between 160% and 340%, shown in Figure 15.
Figure 15. Apps claimed the shortest loan tenure is 91 days
App descriptions also included the tenure for personal loans, which is set by the loan provider and according to Google’s Financial Services policy cannot be set to 60 days or less. Loan tenure represents the period within which the borrower is expected to repay the borrowed funds and all associated costs to the lender. The apps we analyzed had tenure set between 91 and 360 days (see Figure 15); however, customers providing feedback on Google Play (see Figure 16) complained that the tenure was significantly shorter and interest was high. If we look at the third example in the feedback in Figure 16, the interest (549 pesos) was higher than the actual loan (450 pesos), and the loan together with the interest (999 pesos) must have been repaid in 5 days, therefore violating Google’s loan tenure policies.
Figure 16. Borrowers complained that their loan tenures are set to only seven or five days
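As an added example (not from ESET), the following script applies the two Google Play Financial Services rules cited above, a tenure longer than 60 days and the 36% APR cap, to the figures in the third review in Figure 16 (450 pesos lent, 549 pesos interest, 5-day term) and to a constructed advertised 91-day offer; the 40-peso cost assumed for the advertised offer is my own assumption.

```python
# Added example (not ESET's code): check a loan app's terms against the two
# Google Play Financial Services rules the blogpost cites.
from __future__ import annotations
from dataclasses import dataclass

MIN_TENURE_DAYS = 61    # policy: loan tenure cannot be set to 60 days or less
APR_CAP_PERCENT = 36.0  # cap the blogpost cites for US personal loan providers


@dataclass(frozen=True)
class LoanTerms:
    principal: float    # amount actually lent to the borrower
    total_cost: float   # interest plus every fee charged on top of the principal
    tenure_days: int    # days until the full amount must be repaid

    def total_repayment(self) -> float:
        return self.principal + self.total_cost

    def implied_annualized_rate(self) -> float:
        """Simple (non-compounded) yearly cost as a percentage of the principal."""
        return self.total_cost / self.principal * 365 / self.tenure_days * 100


def policy_findings(terms: LoanTerms, apr_cap: float = APR_CAP_PERCENT) -> list[str]:
    """Return the rules the terms violate; an empty list means they pass."""
    findings = []
    if terms.tenure_days < MIN_TENURE_DAYS:
        findings.append(f"tenure of {terms.tenure_days} days is 60 days or less")
    rate = terms.implied_annualized_rate()
    if rate > apr_cap:
        findings.append(f"implied annualized rate {rate:.0f}% exceeds the {apr_cap:.0f}% cap")
    if terms.total_cost >= terms.principal:
        findings.append("cost charged equals or exceeds the amount lent")
    return findings


# Advertised offer: 91-day tenure with a constructed 40-peso total cost (assumption).
ADVERTISED = LoanTerms(principal=450, total_cost=40, tenure_days=91)
# Terms reported in the third review of Figure 16: 450 lent, 549 interest, 5 days.
REPORTED = LoanTerms(principal=450, total_cost=549, tenure_days=5)

if __name__ == "__main__":
    for label, terms in (("advertised", ADVERTISED), ("reported", REPORTED)):
        print(f"{label}: repay {terms.total_repayment():.0f}, "
              f"{terms.implied_annualized_rate():.0f}% annualized")
        for finding in policy_findings(terms) or ["no policy violation found"]:
            print("  -", finding)
```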
In stark contrast to KYC norms, the SpyLoan apps we identified used deceptive tactics in their privacy policies. They claimed to need permission to access media files “to conduct a risk assessment”, storage permission “to help submit documents”, access SMS data they claimed is related only to financial transactions “to properly identify you”, access calendar “in order to schedule the respective payment date and the respective reminders”, camera permission “to help users upload required photo data”, and call log permissions “to confirm our app is installed on your own phone”. In reality, according to KYC standards, identity verification and risk assessment could be done using much less intrusive data collection methods. As we previously mentioned, according to privacy policies of these apps, if those permissions are not granted to the app, the service, and therefore the loan, will not be provided. The truth is these apps don’t need all of these permissions, as all of this data can be uploaded into the app with one-time permission that has access only to selected pictures and documents, not to all of them, a calendar request can be sent to the loan recipient by email, and the permission to access call logs is completely unnecessary.
Some privacy policies were worded in an extremely contradictory way. On one hand, they listed deceitful reasons for collecting personal data, while on the other hand, they claimed no sensitive personal data is collected, as depicted in Figure 17. This goes against KYC standards, which require honest and transparent communication about data collection and usage, including the specific types of data mentioned earlier.
Figure 17. Contradictory claims in one of the privacy policies
We believe the real purpose of these permissions is to spy on the users of these apps and harass and blackmail them and their contacts.
Some of these apps had official websites that helped create the illusion of an established, customer-focused personal loan provider; before the app was taken down, they contained a link to Google Play and other mostly generic and simple information similar to the description the developer provided on Google Play. They usually didn’t reveal the name of the business behind the app. However, one of the several websites we analyzed went further and contained details about open job positions, images of a comfortable office environment, and pictures of the Board of Directors – all of which were stolen from other websites.
Open job positions were copied from other companies and edited only in minor ways. In the one copied from Instahyre, a hiring platform based in India, and shown in Figure 18, only the line “Good knowledge about Ameyo” was moved to a different position in the text.
Figure 18. Comparison of a job position at one of the malicious loan providers (left) and a position posted on Instahyre (right)
Three images of the office environment depicted in Figure 19 were copied from two companies – office and playing field photos are from PaywithRing, an Indian payment app with millions of customers, and the team photo is from The Better India, an Indian digital media platform.
Figure 19. Office environment photos stolen from other company websites
The Board of Directors members correspond to the names that were related to the company that claims to be behind this particular app, but the pictures that were used on the website (shown in Figure 20) depicted three different stock photo models, and the website didn’t state that these images were for illustrative purposes only.
Figure 20. Pictures showcasing the Board of Directors were verifiably stock photos, with the first being from Freepik, the second from several other websites, and the third available for purchase from Getty Images
While it is easy to do a reverse image search on Google to look for the source of these pictures in a desktop browser, it is important to note that this is much more difficult to do on a phone. As we previously noted, providers of these apps focus only on potential borrowers who want to use a mobile phone to obtain a loan.
Legitimate vs malicious loan apps – how to distinguish between them
As mentioned in the Deceptive communication techniques section, even if the app or the company behind it says it is an approved loan provider, this does not automatically guarantee its legitimacy or ethical practices – it can still trick potential customers by using deceptive tactics and misleading information about the loan terms. As mentioned by Lookout, applying for a loan from established institutions might seem to be the best advice for potential borrowers, but SpyLoan apps make it really difficult to distinguish them from standard financial organizations and some borrowers don’t have access to traditional financial entities. It is therefore essential to approach loan apps with caution and take additional steps to ensure their credibility, as their installation might have a very negative impact on the financial situation of the borrower.
Sticking to official sources and using a security app should be sufficient to detect a malicious loan app; however, there are additional steps users can employ to safeguard themselves:
Stick to official sources
Android users should avoid the installation of loan apps from unofficial sources and third-party app stores, and stick to trusted platforms like Google Play, which implement app review processes and security measures. While this doesn’t guarantee complete protection, it reduces the risk of encountering scam loan apps.
Use a security app
A reliable Android security app protects its user from malicious loan apps and malware. Security apps provide an additional layer of protection by scanning and identifying potentially harmful apps, detecting malware, and warning users about suspicious activities. Malicious loan apps mentioned in this blogpost are detected by ESET products as Android/SpyLoan, Android/Spy.KreditSpy, or a variant of Android/Spy.Agent.
Review scrutiny
When downloading apps from Google Play, it is important to pay close attention to user reviews (these might not be available on unofficial stores). It is crucial to be aware that positive reviews can be faked or even extorted from previous victims to increase the credibility of scam apps. Instead, borrowers should focus on negative reviews and carefully evaluate the concerns raised by users as they may reveal important information such as extortion tactics and the actual cost being charged by the loan provider.
If prevention doesn’t work
There are several avenues where individuals can seek help and take action if they fall victim to digital loan sharks. Victims should report the incident to their country’s law enforcement or relevant legal authorities, contact consumer protection agencies, and alert the institution that governs the terms of private loans; in most countries, it is the national bank or its equivalent. The more alerts these institutions receive, the likelier it is they will take action. If the deceitful loan app was obtained through Google Play, individuals can seek assistance from Google Play Support where they can report the app and request the removal of their personal data associated with it. However, it is important to note that the data might have already been extracted to the attacker’s C&C server.
Even after several takedowns, SpyLoan apps keep finding their way to Google Play, and serve as an important reminder of the risks borrowers face when seeking financial services online. These malicious applications exploit the trust users place in legitimate loan providers, using sophisticated techniques to deceive and steal a very wide range of personal information.
It is crucial for individuals to exercise caution, validate the authenticity of any financial app or service, and rely on trusted sources. By staying informed and vigilant, users can better protect themselves from falling victim to such deceptive schemes.
For any inquiries about our research published on WeLiveSecurity, please contact us at firstname.lastname@example.org.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
MITRE ATT&CK techniques
This table was built using version 13 of the MITRE ATT&CK framework.
| Tactic | Technique | Description |
|---|---|---|
| Discovery | Software Discovery | SpyLoan can obtain a list of installed applications. |
| Discovery | File and Directory Discovery | SpyLoan lists available photos on external storage and extracts Exif information. |
| Discovery | System Network Configuration Discovery | SpyLoan extracts the IMEI, IMSI, IP address, phone number, and country. |
| Discovery | System Information Discovery | SpyLoan extracts information about the device, including SIM serial number, device ID, and common system information. |
| Collection | Location Tracking | SpyLoan tracks device location. |
| Collection | Protected User Data: Calendar Entries | SpyLoan extracts calendar events. |
| Collection | Protected User Data: Call Logs | SpyLoan extracts call logs. |
| Collection | Protected User Data: Contact List | SpyLoan extracts the contact list. |
| Collection | Protected User Data: SMS Messages | SpyLoan extracts SMS messages. |
| Command and Control | Application Layer Protocol: Web Protocols | SpyLoan uses HTTPS to communicate with its C&C server. |
| Command and Control | Encrypted Channel: Symmetric Cryptography | SpyLoan uses AES to encrypt its communication. |
| Exfiltration | Exfiltration Over C2 Channel | SpyLoan exfiltrates data using HTTPS. |