McAfee uncovered a recent batch of 15 SpyLoan Android malware apps on Google Play, which collectively amassed over 8 million installs and primarily targeted users in South America, Southeast Asia, and Africa.
The discovery was made by McAfee, a member of the ‘App Defense Alliance,’ and the apps have since been removed from Android’s official app store.
Nevertheless, their presence on Google Play highlights the persistence of threat actors, as even recent law enforcement actions against SpyLoan operators have failed to resolve the issue, according to McAfee.
In December 2023, during the last significant “SpyLoan cleanup,” Google Play removed more than a dozen SpyLoan apps that had amassed a total of 12 million downloads.
SpyLoan modus operandi
SpyLoan apps are marketed as financial tools that promise fast-track loan approvals under misleading and often false conditions.
After installation, victims are verified through a one-time password (OTP) to confirm they are located in the targeted region. Users are then prompted to provide sensitive identification documents, employment details, and banking information.
The apps abuse the permissions they are granted to harvest extensive sensitive data from the device, including contact lists, SMS messages, call logs, and location, along with access to the camera, and use this data in extortion schemes.
McAfee highlights that these apps’ aggressive data-collection tactics extend to exfiltrating all SMS messages, GPS and network location data, device information, operating system details, and sensor data from the victim’s device.
Figure: Code to exfiltrate all SMS (Source: McAfee)
After users obtain a loan through the app, operators subject them to exorbitant interest rates and frequent harassment, leveraging stolen phone data for blackmail. In some instances, the scammers extend their harassment to the loanee’s family members, making direct calls to intimidate them as well.
8 million downloads on Google Play
McAfee’s investigation uncovered 15 SpyLoan apps, which collectively received over 8 million downloads from the Play Store. Below are the eight most popular:
- Préstamo Seguro-Rápido, Seguro – 1,000,000 downloads, primarily targeting Mexico
- Préstamo Rápido-Credit Easy – 1,000,000 downloads, primarily targeting Colombia
- ได้บาทง่ายๆ-สินเชื่อด่วน – 1,000,000 downloads, primarily targeting Senegal
- RupiahKilat-Dana cair – 1,000,000 downloads, primarily targeting Senegal
- ยืมอย่างมีความสุข – เงินกู้ – 1,000,000 downloads, primarily targeting Thailand
- เงินมีความสุข – สินเชื่อด่วน – 1,000,000 downloads, primarily targeting Thailand
- KreditKu-Uang Online – 500,000 downloads, primarily targeting Indonesia
- Dana Kilat-Pinjaman kecil – 500,000 downloads, primarily targeting Indonesia
Figure: Four SpyLoan apps on Google Play (Source: McAfee)
Despite Google’s efforts to enforce Play Store policies and block policy-violating apps, SpyLoan software continues to bypass these safeguards.
To minimize this risk, users should read app reviews, verify the developer’s credibility, restrict permissions during installation, and enable Google Play Protect on their devices.
Source: BleepingComputer, Bill Toulas