18 Malicious Loan Apps Scamming Millions of Android Users

December 11, 2023 | Newsroom | Data Security / Mobile Security


Cybersecurity researchers have discovered 18 malicious loan apps for Android in the Google Play Store that have been collectively downloaded more than 12 million times.

“Despite their attractive appearance, these services are actually designed to deceive users by offering them high-interest loans endorsed by deceptive descriptions, while collecting personal and financial information of their victims to blackmail them, and finally get their funds,” ESET said.

The Slovak cybersecurity company tracks these apps under the name SpyLoan, noting that they are designed to target potential borrowers located in Southeast Asia, Africa, and Latin America.

The list of apps, now taken down by Google, is below –

  • AA Kredit: Instant Loan App (com.aa.kredit.android)
  • Amor Cash: Préstamos Sin Buró (com.amorcash.credito.prestamo)
  • Oro Préstamo – Efectivo rápido (com.app.lo.go)
  • Cashwow (com.cashwow.cow.eg)
  • CrediBus Préstamos de crédito (com.dinero.profin.prestamo.credito.credit.credibus.loan.efectivo.cash)
  • Loan with confidence – Loan with confidence (com.flashloan.wsft)
  • PréstamosCrédito – GuayabaCash (com.guayaba.cash.okredito.mx.tala)
  • Préstamos De Crédito-YumiCash (com.loan.cash.credit.tala.prestmo.fast.branch.mectamo)
  • Go Crédito – de confianza (com.mlo.xango)
  • Instant Loan (com.mmp.optima)
  • Cartera grande (com.mxolp.postloan)
  • Rápido Crédito (com.okey.prestamo)
  • Finupp Lending (com.shuiyiwenhua.gl)
  • 4S Cash (com.swefjjghs.weejteop)
  • TrueNaira – Online Loan (com.truenaira.cashloan.moneycredit)
  • EasyCash (king.credit.ng)
  • safe credit – convenient (com.sc.safe.credit)

SMS messages and social media channels such as Twitter, Facebook, and YouTube act as prominent infection channels, although the apps are also available for download from scam websites and third-party app stores.

“None of these services provide an option to request a loan using a website, because through a browser extortionists cannot access all the sensitive user data stored in a smartphone and needed for blackmail,” said ESET security researcher Lukáš Štefanko.


The apps are part of a wider scheme that began in 2020, and add to a tranche of more than 300 Android and iOS applications that Kaspersky, Lookout, and Zimperium discovered last year and that exploited “victims’ desire for quick money to trap borrowers into predatory loan contracts and require them to provide access to sensitive information such as contacts and SMS messages.”

Apart from harvesting information from compromised devices, SpyLoan operators have also been observed resorting to blackmail and harassment tactics to pressure victims into payment by threatening to release their photos and videos on social media platforms.

In one message identified by The Hacker News and posted on the Google Play Help Community earlier this February, a user from Nigeria called out EasyCash for “fraudulently providing loans to their victims with high and exorbitant interest rates and forced them to pay using threats of blackmails, defamation, and character assassination when it was clear that they had the debtor’s address and full government name including their bank identification number (BVN), but they still continued to humiliate the people who put them under unnecessary pressure and panic.”

Additionally, the apps use misleading privacy policies to explain why they need permissions to users’ media files, cameras, calendars, contacts, call logs, and SMS messages. Some of the apps also include a link to fake websites, full of stolen photos of the office environment and stock images, in an effort to give their operations a veil of legitimacy.

To minimize the risks caused by such spyware threats, it is advised to stick to official sources for downloading apps, validate the authenticity of such offers, and pay close attention to reviews and permissions before installing.
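The permission review recommended above can be automated against a decoded AndroidManifest.xml. The following is an added example, not code from ESET or the original article: the `audit_manifest` helper, the four-category threshold, and the sample manifest are assumptions for illustration, while the three package IDs are taken from the list above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permissions behind the data categories the article names.
SENSITIVE = {
    "android.permission.READ_EXTERNAL_STORAGE": "media files",
    "android.permission.READ_MEDIA_IMAGES": "media files",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "SMS messages",
}

# Subset of the removed package IDs listed in the article.
REMOVED_PACKAGES = {"com.aa.kredit.android", "com.mmp.optima", "king.credit.ng"}

def audit_manifest(manifest_xml, threshold=4):
    """Report sensitive data categories requested (threshold is an assumption)."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                requested.add(name)
    categories = sorted({SENSITIVE[p] for p in requested if p in SENSITIVE})
    return {
        "package": package,
        "categories": categories,
        "known_removed": package in REMOVED_PACKAGES,
        "over_privileged": len(categories) >= threshold,
    }

# Constructed sample manifest for a hypothetical loan app (not a real package).
SAMPLE_MANIFEST = """<manifest package="com.example.quickloan"
    xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A loan app has no functional need for most of these categories, so a high count is a signal to reject the install or escalate the app for review, not proof of malice.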

SpyLoan serves as an “important reminder of the risks borrowers face when seeking financial services online,” Štefanko said. “These malicious applications take advantage of the trust that users place in legitimate loan providers, using sophisticated methods to deceive and steal a very wide range of personal information.”

The development also follows the reemergence of an Android banking trojan named TrickMo that disguises itself as a free-to-play streaming app and is equipped with upgraded capabilities, such as stealing screen content, downloading runtime modules, and overlay injection to obtain credentials from targeted applications, in addition to using JsonPacker to hide its malicious code.

“The malware’s transition to overlay attacks, its use of JsonPacker for code obfuscation, and its consistent behavior on command and control servers highlight the threat actor’s dedication to refining their strategies,” Cyble said in an analysis last week.
