Malicious loan apps, collectively known as SpyLoan apps, have rapidly spread and amassed over 12 million downloads from Google Play since 2020.
ESET Research uncovered 18 such apps, disguised as legitimate loan services offering quick, high-interest loans, a practice that is already unethical because it preys on financially desperate individuals. These apps also stealthily harvested sensitive user data, which the bad actors behind them would then use for blackmail.
The personal information that the apps extracted for blackmail and harassment includes account lists, call logs, calendar events, device details, contact lists, location data, and text messages. To apply for loans, users were also required to provide additional data such as addresses, proof of income, bank details, and ID card photos. After examining user reviews, ESET Research noted that even users who did not secure a loan, or who merely downloaded the app, were pressured into making payments.
As a partner in Google’s malware mitigation program, ESET Research promptly reported these apps. This led to the removal of all but one from Play. The remaining app underwent significant changes and no longer has SpyLoan characteristics. Google also revised its policy on personal loan apps earlier this year to tighten control over their access to users’ sensitive information.
To avoid malicious loan apps, ESET Research recommends sticking to official sources like Google Play and using a reliable security app. Users must also scrutinize user reviews, examine the privacy policy of apps they download, and thoroughly review data access requests.