ESET Exposes Android Scam: SpyLoan Apps Steal Data, Not Money

Dedicated scam website | Image: ESET

Recently, a new menace has surfaced in the Android ecosystem. Dubbed ‘SpyLoan’, these apps, camouflaged as benign loan services, have been unmasked as digital predators. ESET researchers have unveiled the treacherous nature of these apps, which, while promising easy access to funds, are in reality elaborate schemes to defraud users.

At first glance, SpyLoan apps mimic legitimate personal loan services. Their allure lies in their promise of quick and straightforward financial assistance. However, this façade conceals their true intent: to harvest sensitive personal and financial information for blackmail and theft. This exploitation is not confined to a single platform; these apps have been found across various app stores and websites, targeting users in Southeast Asia, Africa, and Latin America.

Heatmap of SpyLoan detections seen in ESET telemetry between January 1st and November 30th, 2023 | Image: ESET

Once a user installs a SpyLoan app, they are coaxed into granting extensive permissions under the guise of terms of service. This process involves a meticulously crafted registration form, which only accepts users with phone numbers from the targeted countries. To complete the loan application, users are required to provide an alarming array of personal data, including banking and income details, alongside identifiable photos.

These apps are engineered to transmit the collected data to their command and control (C&C) servers. This data comprises contact lists, SMS messages, call logs, and more. Over time, the developers have enhanced their malicious code, employing sophisticated methods like code obfuscation and encrypted communications to conceal their nefarious activities.
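As an added illustration (not code from ESET or from the original article), the sketch below triages a decoded `AndroidManifest.xml` by mapping the permissions it declares to the data categories named above. The manifest, the package name `com.example.quickloan`, the permission-to-category grouping and the two-category review threshold are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, grouped by the data categories the article
# says are sent to the C&C servers. The grouping itself is an assumption.
SENSITIVE = {
    "contact lists": {"android.permission.READ_CONTACTS"},
    "SMS messages": {"android.permission.READ_SMS",
                     "android.permission.RECEIVE_SMS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
}

# Constructed sample: decoded manifest of a hypothetical loan app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.quickloan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission-sdk-23 android:name="android.permission.CAMERA"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return every permission name the manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    # Both element names are valid ways to request a permission.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms


def triage(manifest_xml, threshold=2):
    """Map declared permissions to data categories and flag for review."""
    perms = requested_permissions(manifest_xml)
    hits = {cat: sorted(perms & names)
            for cat, names in SENSITIVE.items() if perms & names}
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "categories": hits,
        # Assumed threshold: two or more categories warrants manual review.
        "review": len(hits) >= threshold,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A declared permission only shows what an app can ask for, so a flagged manifest is a prompt for closer review rather than a verdict.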

Post-installation, the SpyLoan apps’ operators engage in ruthless extortion and blackmail, even targeting users who never received a loan. These practices have been reported in user reviews, with some alarming accounts of death threats. This exploitation extends beyond mere data theft; it embodies a digital form of usury, exploiting vulnerable individuals in dire financial straits.

SpyLoan apps often mimic legitimate loan services in wording and design, making it difficult for users to discern their authenticity. These apps typically assert that they have the necessary permissions and licenses, and even claim to adhere to local legal requirements concerning loan terms and annual percentage rates. However, user reviews and reports reveal a stark contrast between these claims and the actual practices of the app developers.

These apps present privacy policies that, on the surface, comply with Google Play's Developer Policy and KYC standards. However, a closer examination reveals contradictory and deceptive clauses. These policies are crafted to appear genuine, yet they are often automatically generated and do not reflect the true intention of the app developers, which is to spy on users and their contacts for blackmail.

Some SpyLoan apps also maintain official websites that bolster their guise as legitimate loan providers. These websites often lack transparency about the business behind the app and sometimes even feature plagiarized content from other legitimate sources.

Given the sophisticated tactics employed by SpyLoan apps, users need to approach loan apps with caution and verify their credibility. Sticking to official app sources, using security apps, and scrutinizing privacy policies are crucial steps to protect against these deceptive schemes.

The persistence of SpyLoan apps on platforms like Google Play underscores the ongoing risks associated with online financial services. These malicious applications exploit user trust, using sophisticated techniques to pilfer personal information. Individuals must remain cautious and informed, relying on trusted sources to shield themselves from such deceptive ploys.