These malicious Android loan apps could leave millions of users seriously out of pocket

More than a dozen Android apps made it to the Play Store

Cybersecurity researchers from ESET have discovered malicious loan apps that steal victims’ sensitive data and threaten them with ridicule unless they comply with absurd terms.

The researchers named the collection of over a dozen apps SpyLoan. The apps are advertised as financial services tools for personal loans, offering “quick and easy access to funds”.

The team warned there have been more than 12 million combined downloads from the Play Store already. However, the apps are also being distributed via social media, third-party stores, and various websites, meaning the number of downloads is likely to be much higher.

Tricking Google

After a user signs up, the first red flag is the permissions: the app requests many that it objectively doesn’t need, such as access to the camera, call logs, or contacts list. If the user still proceeds and signs up for a loan, the app will soon reduce the tenure to mere days and threaten the victim with ridicule if they don’t comply. Because the app has access to the contacts list, it would then start notifying people on that list of the loan.

Furthermore, the app silently gathers plenty of sensitive data from the compromised endpoint - a list of all accounts, device info, call logs, installed apps, calendar events, local Wi-Fi network details, and metadata from images. ESET says that the app can also grab location data and text messages.
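The permission red flag described above can be checked before installation by reading an app's manifest. The following is an added example, not code from ESET or from this article: the permission-to-category mapping, the threshold of three categories, and the `com.example.quickloan` manifest are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permissions mapped to the data categories the article lists.
# The mapping is this example's assumption, not ESET's detection logic.
RISKY = {
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts list",
    "android.permission.GET_ACCOUNTS": "accounts",
    "android.permission.READ_CALENDAR": "calendar events",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi network details",
    "android.permission.ACCESS_MEDIA_LOCATION": "image metadata",
    "android.permission.QUERY_ALL_PACKAGES": "installed apps",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_SMS": "text messages",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    names = {el.get(ANDROID_NS + "name") for t in tags for el in root.iter(t)}
    return names - {None}

def audit_manifest(manifest_xml, threshold=3):
    """Group risky permissions by data category; flag if many categories hit."""
    hits = {}
    for perm in sorted(requested_permissions(manifest_xml)):
        if perm in RISKY:
            hits.setdefault(RISKY[perm], []).append(perm)
    return {"categories": hits, "flag": len(hits) >= threshold}

# Constructed sample manifest for a hypothetical loan app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.quickloan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for category, perms in report["categories"].items():
        print(f"{category}: {', '.join(perms)}")
    print("flagged for review" if report["flag"] else "nothing excessive found")
```

The input must be a decoded (plain-text) `AndroidManifest.xml`; the binary XML stored inside an APK has to be decoded first.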

SpyLoan apps are not exactly a novelty, the researchers claim, but they did pick up the pace in 2023. The majority of victims are located in Mexico, India, Thailand, Indonesia, Nigeria, the Philippines, Egypt, Vietnam, Singapore, Kenya, Colombia, and Peru.

ESET also said that these apps made it past Google’s protections by being submitted with “compliant privacy policies, required KYC standards, and transparent permission requests.” However, they also link to websites that are obvious impersonations of actual companies.

Out of the 18 apps that were discovered, Google removed 17 from its app repository. The last one is now available with a new set of permissions and as such was allowed to stay.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
