In context: SpyLoan apps are a recurring nuisance for Android users. Google tries to remove these malicious apps quickly. However, it’s a never-ending fight with cybercriminals constantly returning to the popular mobile ecosystem with new social engineering tricks and security threats to scam users out of money.
The mobile research team at McAfee recently detected a new SpyLoan campaign, with several apps designed to trick people into asking for quick loans. The analysts uncovered fifteen malicious Android SpyLoan apps, with a collective total of eight million downloads. Google has already removed the apps from the Play Store, but the SpyLoan threat will eventually researchers fully expect the malware to return.
SpyLoan PUP (potentially unwanted programs) apps exploit social engineering tactics to try to collect sensitive user data. The apps masquerade as legit financial tools designed to loan users money after going through a rapid approval process. Users get less than the promised loan amount but must still repay the original sum in full, plus steep additional fees.
Google removed the last batch of SpyLoan PUP apps in December 2023, when users downloaded over a dozen malicious apps 12 million times. The newest SpyLoan apps McAfee discovered target users in specific regions of the world, including Latin America, Southeast Asia, and Africa. The apps require validation through a one-time password, a trick the cyber-criminals use to confirm the apps were downloaded in one of the targeted regions.
After the validation process, the apps ask users to provide a wide range of personal and sensitive information, including ID documents, employee information, and banking data. The apps also want to access the user’s contact list, call logs, location, and more. Data exfiltration extends to all text messages, GPS location info, OS details, sensor logs, and other on-device information.
McAfee said the bad actors use this data to harass and blackmail the victims. The criminals can go as far as sending death threats over delayed payments or calling family members to push their extortion attempts further. They will even resort to public shaming, which can significantly impact personal and professional relationships.
The researchers say SpyLoan apps are designed to exploit users’ trust and “financial desperation.” Google should have enough security mechanisms to prevent SpyLoan apps from returning to the Android ecosystem, but the criminals are still doing business just fine. Asking for money through some second-rate smartphone app doesn’t seem like the brightest idea, but as PT Barnum said, “There’s a sucker born every minute,” and that’s precisely what keeps these apps alive.
