FacebookTwitterLinkedIn

SpyLoan Going After Android Users

Karolis Liucveikis Written by on

According to a recent article published by McAfee, security researchers have noticed a significant spike in the use of predatory loan apps by malicious actors.

These Potentially Unwanted Programs (PUPs) are referred to as SpyLoan applications and typically use social engineering tactics to trick users into providing sensitive information and granting extra mobile app permissions,  which can lead to extortion, harassment, and financial loss.

SpyLoan Going After Android Users

PCRisk has encountered a variant of these malicious applications called MoneyMonger, which is written in Flutter and actively targets Android users in India and Peru. MoneyMonger's core malware operations facilitate the malware's acting as both spyware and to steal data. Cybercriminals are actively using MoneyMonger to harass and threaten victims directly.

In McAfee's analysis, they encountered fifteen apps with a combined total of over eight million installations acting as SpyLoan facades. All of them present themselves as apps that facilitate fast and easy loans.

Researchers soon discovered they share a common framework to encrypt and exfiltrate data from a victim's device to a command-and-control server using a similar HTTP endpoint infrastructure.

They operate localized in targeted territories, mainly in South America, Southern Asia, and Africa, with some of them being promoted through deceptive advertising on social media, acting as a lure to potential targets needing quick financial relief.

SpyLoan and SpyLoan-like attacks were first detected in 2020 and have become a steady and infuriating presence on the current threat landscape. According to McAfee, their telemetry indicates a rapid increase in their use recently, noting from the end of Q2 to the end of Q3 2024, the number of malicious SpyLoan apps and unique infected devices has increased by over 75%.

McAfee defines SpyLoan applications and their subsequent attack chain as follows,

SpyLoan apps are intrusive financial applications that lure users with promises of quick and flexible loans, often featuring low rates and minimal requirements. While these apps may seem to offer genuine value, the reality is that these apps primarily exist to collect as much personal information as possible, which they then may exploit to harass and extort users into paying predatory interest rates. They employ questionable tactics, such as deceptive marketing that highlights time-limited offers and countdowns, creating a false sense of urgency to pressure users into making hasty decisions. Ultimately, rather than providing genuine financial assistance, these apps can lead users into a cycle of debt and privacy violations.

SpyLoan Infection Chain

While the details of an attack differ from country to country, a few common threads link the different attacks enough to consider them related. These similarities exist both at the code and infrastructure levels.

The first notable similarity is that they are distributed via official App stores, like Google's Play Store. These are most certainly contraventions of app store policy, and some have been removed following McAfee's disclosure to Google. However, once attackers understand the vetting process, they can fly malicious applications under the radar by hiding their malicious components.

On the social engineering front, these apps are often deceptively marketed on social media platforms. Malicious actors use names, logos, and user interfaces that mimic reputable financial institutions to gain credibility. Attacks analyzed by McAfee also show remarkably similar user flow execution.

Researchers stated,

After first execution a privacy policy is displayed with the details of what information will be collected, then a countdown timer creates the sense of urgency to apply to the loan offer and the user’s phone number with the country code of the targeted territory is required to continue, asking for a one-time-password (OTP) that is received by SMS to authenticate the user and validate that user has a phone number from the targeted country.

Apps analyzed also have the same interface design and predatory privacy agreements that require users to consent to collect excessive and exploitative data that a formal financial institution would not usually require, such as SMS message content, call logs, and contact lists.

Apps, like other malicious apps, require users to agree to excessive app permissions, including camera access, reading call logs and SMSes, retrieving location information, and the infected device's state.

McAfee concluded,

The threat of Android apps like SpyLoan is a global issue that exploits users’ trust and financial desperation. These apps leverage social engineering to bypass technical security measures and inflict significant harm on individuals. Despite law enforcement actions to capture multiple groups linked to the operation of SpyLoan apps, new operators and cybercriminals continue to exploit these fraud activities, especially in South America, Southeast Asia and Africa.

It was also noted that by simply reusing code and tactics, they could efficiently target different countries, often evading detection by authorities. This creates a widespread problem that is difficult to combat. This networked approach not only increases the scale of the threat but also complicates efforts to trace and shut down these operations, as they can easily adapt and relocate their operations to new regions.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

New Removal Guides
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal

Top Removal Guides
Latest News
Blog