Pierluigi Paganini February 24, 2025

CYFIRMA researchers discovered that the SpyLend Android malware was downloaded 100,000 times from the official app store Google Play.

CYFIRMA researchers discovered an Android malware, named SpyLend, which was distributed through Google Play as Finance Simplified. The malware targets Indian users with unauthorized loan apps, enabling predatory lending, blackmail, and extortion.

The Finance Simplified app is still available on Google Play at the time of this report’s publication, with downloads doubling to 100,000 in a week. Experts have noted numerous negative reviews, with users reporting blackmail, harassment, and photo manipulation.

The app poses as a financial tool, it lures users with easy loan promises but demands excessive permissions to access contacts, call logs, SMS, photos, and location.

“While marketed as a finance calculator, the app detects the user’s location (India) and displays fake loan applications via WebView instead of providing EMI calculator functionality.” reads the report published by CYFIRMA. “These loan apps are specifically designed to target Indian users.”

The app redirects users to external links for APK downloads, bypassing Google Play security. Once installed, it accesses photos, videos, and contacts, capturing clipboard data to steal sensitive information.

The researchers discovered that the malicious app uses a custom C2 server on Amazon EC2, with an admin panel in English and Chinese, suggesting Chinese-speaking attackers. The malware exploits APIs to access files, contacts, call logs, SMS, and installed apps. Operators behind the threat used stolen data for blackmail and extortion, they were spotted editing victims’ photos into fake nudes to coerce payments.

“The analysis of SpyLend reveals a highly deceptive and dangerous threat targeting Android users. Initially presented as a harmless Finance management application, it downloads a fraud loan app from an external download URL, which once installed, gains extensive permissions to access sensitive data, including files, contacts, call logs, SMS, clipboard content, and even the camera.” concludes the report. “This allows the attackers to extort users by the creation of deepfake photos from the manipulation of files in their photo gallery. The app’s ability to harvest and exploit personal information highlights its severe impact on user privacy and security, demonstrating how malicious actors abuse seemingly legitimate apps to carry out financial fraud and psychological manipulation.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SpyLend Android malware)