Pierluigi Paganini November 30, 2024

McAfee researchers discovered 15 SpyLoan Android apps on Google Play with a combined total of over 8 million installs.

15 SpyLoan apps with a combined total of 8M+ installs were found on Google Play, targeting users in South America, Southeast Asia, and Africa.

SpyLoan apps exploit social engineering to gain sensitive user data and excessive permissions, leading to extortion, harassment, and financial loss.

Some of the malicious apps were promoted through deceptive advertising on social media.  

The researchers reported the apps to Google who notified the developers that their apps violate Google Play policies. Some apps were suspended by Google from Google Play while others were updated by the developers. 

SpyLoan activity has surged, with malicious apps and infected devices increasing over 75% from Q2 to Q3 2024, highlighting their growing mobile threat presence.

“SpyLoan apps are intrusive financial applications that lure users with promises of quick and flexible loans, often featuring low rates and minimal requirements. While these apps may seem to offer genuine value, the reality is that these apps primarily exist to collect as much personal information as possible, which they then may exploit to harass and extort users into paying predatory interest rates.” reads the report published McAfee. “They employ questionable tactics, such as deceptive marketing that highlights time-limited offers and countdowns, creating a false sense of urgency to pressure users into making hasty decisions. Ultimately, rather than providing genuine financial assistance, these apps can lead users into a cycle of debt and privacy violations. “

SpyLoan apps exploit official app stores like Google Play, deceptive branding, and social media ads to appear credible. They mimic financial institutions, display privacy policies, and use tactics like countdown timers and OTP verification to pressure users into providing sensitive data.

Upon installation, the apps request unnecessary permissions for a loan app, including access to contacts, SMS, storage, calendar, phone call records, and the microphone or camera.

Victims of SpyLoan apps face threats, personal data misuse, and harassment, including intimidating calls, misuse of photos/IDs, and contact spamming to friends and family.

Authorities in Peru raided a call center tied to SpyLoan apps that extorted 7,000+ victims in Peru, Mexico, and Chile. Similar scams were reported globally.

“The threat of Android apps like SpyLoan is a global issue that exploits users’ trust and financial desperation.” concludes the report. “By reusing code and tactics, they can efficiently target different countries, often evading detection by authorities and creating a widespread problem that is difficult to combat. This networked approach not only increases the scale of the threat but also complicates efforts to trace and shut down these operations, as they can easily adapt and relocate their operations to new regions.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Google Play)