Security researchers have identified an extensive new campaign of malicious “SpyLoan” applications affecting both iOS and Android platforms.
At the center of this exposure is “RapiPlata,” a fraudulent loan app initially available in both the Google Play Store and Apple App Store, which has been downloaded over 150,000 times.
The fallout highlights not only the substantial technical risks posed by such applications but also the aggressive tactics and wide-scale data theft employed by threat actors.
Technical Discovery
The campaign first came to light in February 2025, when advanced mobile threat detection engines, specifically Check Point’s Harmony Mobile, flagged the RapiPlata app as malicious on a victim’s device.

The app, which achieved significant popularity (Top 20 in SimilarWeb’s finance category in Colombia), was accessible on both major app marketplaces until its removal in March 2025.
However, despite its ban from official stores, RapiPlata has persisted in the wild through third-party websites, which deceptively present the app as a legitimate download from Google Play, thereby extending its impact among unsuspecting users.
An in-depth analysis revealed RapiPlata’s extensive abuse of permissions under the pretense of “credit assessment.”
The app systematically collected sensitive data, including SMS messages, call logs, calendar events, installed applications, and contact lists. These were uploaded to remote servers without user knowledge or consent.
Notably, the app harvested SMS messages using a broad keyword list, indiscriminately exfiltrating messages, including those of a non-financial nature, to its backend infrastructure.
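As an added, defender-side illustration (not code from the report or from Check Point), the following Python triages a decoded AndroidManifest.xml for the permission set that exposes the data classes described above (SMS, call logs, calendar events, installed applications, contacts); the sample manifest and its package name are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Android permissions that grant access to the data classes RapiPlata is
# reported to have collected. The permission names are real Android
# identifiers; the mapping to data classes is our own triage table.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CALENDAR": "calendar events",
    "android.permission.QUERY_ALL_PACKAGES": "installed applications",
    "android.permission.READ_CONTACTS": "contact lists",
}


def requested_permissions(manifest_xml: str) -> list:
    """Return the permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def triage_loan_app(manifest_xml: str) -> dict:
    """Map each sensitive data class to the high-risk permissions that expose it."""
    findings = {}
    for perm in requested_permissions(manifest_xml):
        if perm in HIGH_RISK_PERMISSIONS:
            findings.setdefault(HIGH_RISK_PERMISSIONS[perm], []).append(perm)
    return findings


def is_overprivileged(manifest_xml: str, threshold: int = 2) -> bool:
    """A loan app reaching two or more of these data classes warrants review."""
    return len(triage_loan_app(manifest_xml)) >= threshold


# Constructed sample manifest; the package name is a placeholder, not an IoC.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.loanapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
</manifest>"""

if __name__ == "__main__":
    for data_class, perms in triage_loan_app(SAMPLE_MANIFEST).items():
        print("%s: %s" % (data_class, ", ".join(perms)))
    print("over-privileged:", is_overprivileged(SAMPLE_MANIFEST))
```

A real manifest can be obtained from an APK with apktool or aapt before running the triage; the check is a screening aid, not proof of malice on its own.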
Victims not only faced unauthorized data collection but also aggressive harassment techniques: the application, through its operators, sent threatening emails and messages to both users and their contacts, falsely accusing them of loan defaults and threatening reputational damage.
There were also cases of fabricated fees, unauthorized loan approvals, and deceptive interest rate claims, confirming the operation as a full-scale fraudulent scheme.
Cross-Platform Impact
RapiPlata shares technical lineage with previously removed threats like “Préstamo Rápido.”
Researchers have traced clear code, infrastructure, and registrar similarities between these campaigns.
Minor syntax changes and new command-and-control endpoints are believed to have been attempts at detection evasion.
While Android users faced direct risks due to relaxed permission models, iOS users were not immune.
Attackers leveraged exfiltrated personal data to construct sophisticated intelligence profiles that could be weaponized for spear-phishing, bypassing 2FA, or infiltrating corporate environments, demonstrating that even devices with robust security frameworks can be breached when malicious apps are granted excessive permissions.
Despite removal from the Google Play and App Stores, RapiPlata’s distribution infrastructure remains active.
For instance, its “official” website features fake Google Play download buttons that link to unauthorized APKs, perpetuating both infection rates and privacy violations.
Associated domains and payload sources have been mapped to the same campaign, indicating a coordinated effort to sustain operations outside the boundaries of regulated app stores.
This incident underscores the need for proactive mobile security solutions and vigilant app store oversight.
According to the report, advanced solutions like Harmony Mobile use machine learning and multi-source threat intelligence to detect such threats before execution, block malicious exfiltration attempts, and provide real-time alerts to users and administrators.
Security professionals recommend downloading apps only from verified sources, closely reviewing app permissions, and opting for financial services provided by regulated institutions. With the continued evolution of SpyLoan malware, users must remain watchful.
Enterprises, in particular, are urged to implement layered security architectures to mitigate the risk of personal mobile devices being leveraged as vectors for broader organizational breaches.
Indicators of Compromise (IOC)
| Indicator Type | Value/Details |
|---|---|
| Malicious Domains | https://www.dineroya[.]co/, https://www.rapiplata[.]co, https://home.parkwaysas[.]co/, https://www.rapiplata[.]pe/ |
| Payload URL | https://t[.]copii[.]co/9YEPe |