Experts reported the discovery of a new set of 15 malicious mobile apps in the Google Play store that contain the SpyLoan Android malware. In total, users have downloaded and installed these apps more than 8 million times, potentially leading to huge financial losses.
8 Million Android Users Hit by SpyLoan Malware in Loan Apps on Google Play
Researchers have found a series of malicious apps on the Google Play Store. Collectively, these programs have been installed over 8 million times. These apps pose as quick-loan services, exploiting users’ need for money under the guise of financial assistance. Rather than doing what they claim, these fake loan apps collect sensitive data and then intimidate victims.
The malware identified in the majority of these samples is SpyLoan. Initially detected in 2020, it has resurfaced with updated tactics, with another noteworthy appearance in 2023. It now targets users in countries such as Mexico, Colombia, Thailand, and Tanzania.
As the name implies, SpyLoan mainly hides under the guise of loan-related apps. Its goal is to collect sensitive user data, exploit permissions to access phone features, and coerce users through intimidation or extortion. The user may get the loan, but will also get phishing phone calls, SMS messages and emails, all with the potential for financial damage and psychological abuse.
How the Malware Operates
SpyLoan malware operates by tricking users into sharing personal and financial information. The apps use social engineering tactics to request extensive permissions, such as access to contacts, call logs, SMS, and device location.
Although these permissions are justified as part of anti-fraud measures, in reality, they enable the malware to harvest data from the device. Once collected, the data is encrypted using AES-128 and sent to a command server. This encryption stage, although employing a pretty weak algorithm, makes it hard to parse the data transfer and recognize it as malicious.
Victims are lured into these apps with promises of fast and easy loans, targeting regions such as Mexico, Colombia, Thailand, and Tanzania. However, instead of providing legitimate financial services, users see high interest rates and huge penalties for payment delays.
Moreover, over time cybercriminals start threatening victims, with threats involving their personal data and photos, most likely stolen through the SpyLoan functionality. This malicious cycle traps users in debt while violating their privacy. The malicious apps, targeting regions across South America, Africa, and Southeast Asia, include:
- Préstamo Seguro-Rápido, seguro
- RupiahKilat-Dana cair
- ÉcoPrêt Prêt En Ligne
- ยืมอย่างมีความสุข – เงินกู้
- Huayna Money – Préstamo Rápido
While some apps have been removed or modified to comply with Google Play policies, five of these are still available for download. I expect them to be gone pretty soon, too, but publishing new ones appears to be a rather simple task. Google should pay a lot of attention to its security mechanisms, to say the least. We have several older news articles about the malware in Play Store – consider checking them out.
How to Stay Safe?
The apps rely on a shared framework, suggesting a common developer or toolkit that cybercriminals use globally. By tailoring the user experience to local cultures and regulations, these apps effectively infiltrate diverse markets. However, SpyLoan is not a new threat; its operations date back to 2020, with previous reports revealing similar tactics and outcomes. I’ve written about this before.
To protect against threats like SpyLoan, you should carefully review app permissions, check the legitimacy of developers, and read app reviews. Additionally, users should avoid downloading apps promoted through unverified social media posts.
For advanced protection that will recognize even well-concealed threats, consider using GridinSoft Trojan Scanner. This free anti-malware program for Android provides all the necessary scanning and malware removal capabilities to keep your system safe.