Malware
December 5, 2023

SpyLoan Android Malware Receives 12 Million Downloads on Google Play

Over 12 million downloads of malicious loan applications, collectively labelled SpyLoan, have occurred this year on Google Play. The actual count is likely higher, as these apps are also accessible on third-party stores and dubious websites.

The SpyLoan Android threats compromise personal data on the device, encompassing account details, device information, call logs, installed applications, calendar events, local Wi-Fi network specifics, and metadata from images. Researchers emphasise that the potential risk extends to the user's contact list, location data, and text messages.

Disguised as authentic financial services offering convenient access to personal loans, these apps deceive users by imposing exorbitant interest rates. Subsequently, the threat actor resorts to blackmailing victims into making payments.

Since the beginning of the year, a cybersecurity firm, part of the App Defence Alliance committed to identifying and eliminating malware from Google Play, has uncovered 18 SpyLoan apps.

In response to the reported findings, Google acted by removing 17 of the malicious apps. However, one of them has reappeared with altered permissions and functionality, managing to evade detection as a SpyLoan threat.

SpyLoan Increase

SpyLoan apps were first discovered in 2020, but they’ve been making bigger waves in the past year or so on both Android and iOS systems. Their distribution channels are believed to include fake websites, software on third-party app stores and the Google Play store.

To gain access to Google Play, these applications are submitted with compliant privacy policies, adhere to the necessary know your customer (KYC) standards, and make clear and transparent permission requests.

In numerous instances, the deceptive apps connect to websites that mimic legitimate company sites, going to the extent of displaying employee and office photos to fabricate a misleading sense of authenticity.

Risks on the rise

SpyLoan applications breach Google's Financial Services policy by arbitrarily reducing the duration of personal loans to a few days or any other random period. Users are then subjected to threats of ridicule and exposure if they refuse to comply.

The information presented in the privacy policies is misleading, offering ostensibly valid justifications for acquiring potentially hazardous permissions.

For instance, the camera permission is purportedly requested for facilitating photo data uploads for Know Your Customer (KYC) purposes, and access to the user's calendar is claimed to be necessary for scheduling payment dates and reminders. However, these practices are excessively invasive.

SpyLoan apps seek permissions that are unnecessary, such as access to call logs and contact lists. These permissions are exploited to coerce users when they resist unreasonable payment demands.
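The permission review described in this section can be run against an app's decoded AndroidManifest.xml. The following Python script is an added example, not code from the researchers or from Google; the permission-to-category mapping, the `audit_manifest` name and the sample manifest are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permission -> data category named in the article.
# The mapping is this example's assumption, not a list from the researchers.
SENSITIVE = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_SMS": "text messages",
    "android.permission.ACCESS_FINE_LOCATION": "location data",
    "android.permission.READ_CALENDAR": "calendar events",
    "android.permission.CAMERA": "camera",
    "android.permission.GET_ACCOUNTS": "account details",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi network details",
    "android.permission.QUERY_ALL_PACKAGES": "installed applications",
    "android.permission.ACCESS_MEDIA_LOCATION": "image metadata",
}
# Categories the article calls unnecessary for a loan app.
UNNECESSARY = {"call logs", "contact list"}

def audit_manifest(xml_text):
    """Return the sensitive permissions declared in a decoded manifest."""
    root = ET.fromstring(xml_text)
    found = {}
    # Both element names can declare a permission in a manifest.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            if name in SENSITIVE:
                found[name] = SENSITIVE[name]
    return {
        "sensitive": sorted(found),
        "unnecessary": sorted(p for p, c in found.items() if c in UNNECESSARY),
        "categories": sorted(set(found.values())),
    }

# Constructed sample manifest for a hypothetical loan app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.loanapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A non-empty `unnecessary` list on a lending app is the signal to compare against the justification given in its privacy policy.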

To safeguard against the SpyLoan risk, rely solely on reputable financial institutions, meticulously examine the permissions requested when installing a new app, and peruse user reviews on Google Play. These reviews frequently provide insights into the deceptive nature of the application.
