A recent report from McAfee Labs has revealed that over a dozen malicious Android apps, collectively downloaded more than 8 million times, contain a form of malware known as SpyLoan. These apps, often disguised as loan services, use social engineering techniques to deceive users into providing sensitive information and granting excessive permissions.
This can result in financial loss, harassment, and even extortion. According to Fernando Ruiz, a cybersecurity researcher at McAfee, these apps target users in countries such as Mexico, Colombia, Thailand, Indonesia, and several others, offering seemingly easy loans with minimal requirements.
These 15 fraudulent loan apps promise quick financial assistance with little documentation, which entices unsuspecting users, particularly in developing countries. Some of the apps are still available for download on the Google Play Store, having been modified to comply with certain store policies. These apps share a similar tactic of promoting financial help while secretly collecting personal and financial data from users, including system information, camera access, contact lists, and SMS messages.
The SpyLoan malware first emerged in 2020 and has since been linked to a growing number of malicious apps. A previous report from ESET in December 2023 identified 18 additional apps that sought to exploit users through deceptive loan offers while gathering their personal details. The primary goal of these apps is to accumulate as much data as possible, which can then be used for extortion. Victims are coerced into paying inflated interest rates and, in some cases, are threatened with the release of personal data, such as stolen photos.
The common framework used by these apps includes encrypted communication between the infected devices and a command-and-control (C2) server. This encrypted data transfer ensures that sensitive information, such as bank details and identification documents, is securely exfiltrated from users’ phones. These malicious apps also employ a similar user experience, requiring a one-time password (OTP) for validation and prompting users to submit personal and financial information for verification.
Despite varying methods of operation, the apps typically request a wide range of intrusive permissions, including access to call logs, SMS messages, and location data, which are purportedly necessary for identity verification and fraud prevention. However, these permissions are often used to gather private information to further exploit the victim. Once the user submits their data, it is transmitted to the C2 server and stored in an encrypted format using AES-128.
To protect against such threats, users are advised to carefully review app permissions, check user reviews, and verify the legitimacy of the app developers before downloading any financial or loan-related apps.
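One way to put the permission-review advice into practice is to inspect an app's decoded AndroidManifest.xml and flag the permission groups the report says SpyLoan apps abuse (call logs, SMS, contacts, location, camera). The script below is an added example, not code from McAfee or from any of the apps; the manifest and package name are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a legitimate loan app rarely needs, keyed to the data category
# the report says SpyLoan apps harvest (call logs, SMS, contacts, location, camera).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
}

# Constructed sample standing in for a decoded AndroidManifest.xml; the package
# name is a placeholder, not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.quickloan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (elem.get(ANDROID_NS + "name") for elem in root.iter("uses-permission"))
    return {name for name in names if name}


def flag_sensitive(manifest_xml):
    """Map each declared high-risk permission to the data category it exposes."""
    return {perm: SENSITIVE_PERMISSIONS[perm]
            for perm in sorted(declared_permissions(manifest_xml))
            if perm in SENSITIVE_PERMISSIONS}


def exposed_categories(manifest_xml):
    """Distinct personal-data categories the app could collect, sorted."""
    return sorted(set(flag_sensitive(manifest_xml).values()))


if __name__ == "__main__":
    for perm, category in flag_sensitive(SAMPLE_MANIFEST).items():
        print(f"{perm} -> {category}")
    print("data categories exposed:", exposed_categories(SAMPLE_MANIFEST))
```

On a real APK the manifest can be decoded first with apktool, then fed to these functions; a loan app that declares several of these categories at once warrants the extra scrutiny the advice above calls for.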
Although law enforcement has captured several groups involved in SpyLoan operations, the report highlights that new cybercriminals and operators continue to emerge, exploiting the same framework across different regions. This underscores the global and persistent nature of this financial fraud scheme, which preys on users’ financial vulnerability.