Beware: SpyLoan Apps Exploit Social Engineering to Steal Your Data

SpyLoan apps advertise quick loans, but their real purpose is to harvest personal data that is then used to harass and extort borrowers. Combined with high-pressure tactics and predatory interest rates, this traps users in a cycle of debt and privacy abuse.

These apps are often distributed through official app stores. Their marketing mimics legitimate financial institutions, which helps them both pass app store vetting and win the trust of unsuspecting users.

The ad promotes a quick loan app, “Presta Facil: Revision Rapida,” highlighting key loan details such as interest rate, amount, and tenure in Colombian pesos. On first use the app displays a privacy policy, followed by a timed prompt to verify a phone number via OTP.

Ad for a SpyLoan app

The apps share a common framework, including user interface, user flow, encryption libraries, and C2 communication techniques, while customizing graphics and language for specific target markets such as Indonesia and Mexico.

The apps collect excessive personal data, including SMS, call logs, and contacts, under the guise of user identification and fraud prevention; this goes well beyond what legitimate financial institutions collect. A shared web framework loads the privacy terms dynamically, which makes them difficult to scrutinize.

Although they pose as loan providers, the apps request permissions such as camera access, call logs, SMS, and location data, far beyond what a financial service needs, which is a red flag for malware.

The apps employ a deceptive onboarding process using urgent offers and quick phone validation to lure users into providing sensitive personal, financial, and device data.

Three different apps, from different developers, offering the same initial countdown onboarding screen

Mobile loan apps can financially exploit users through hidden fees and unauthorized charges, violate privacy by misusing personal data, and engage in harassment and extortion, including blackmail and sextortion.

McAfee identified a group of malicious loan apps (detected as Android/SpyLoan.DE) that steal user data and transmit it over HTTPS, encrypted with AES-128 using a key and initialization vector hardcoded in the app code. The stolen information exposes victims and is used in aggressive tactics that increase their psychological distress.

Encryption key and IV hardcoded in SpyLoan variant

The SpyLoan app uses AES encryption to hide the malicious code that steals user data: SMS messages, call logs, device information (IMEI, location), the list of installed apps, and even files from the download directory. The stolen data is formatted as JSON and sent to attacker servers using a specific URL pattern.

An encryption routine hides strings in resources.xml that are used to exfiltrate sensitive data such as SMS messages, call logs, and device information; the data is encrypted again and sent to a command-and-control server via a specific URL structure.

To safeguard against this kind of financial fraud, review app permissions, verify an app's legitimacy, employ robust security measures, practice cautious online behavior, and promptly report suspicious apps to app stores and the authorities.
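One concrete form of the "review app permissions" advice, as an added example that is not part of the article or McAfee's research: audit a decoded AndroidManifest.xml against the data categories the article says SpyLoan apps harvest (SMS, call logs, contacts, location, camera, storage). The permission-to-category mapping, the two-category threshold, and the sample manifest are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions reaching the data categories the article says SpyLoan apps
# harvest (SMS, call logs, contacts, location, camera, shared storage).
# This mapping is an assumption of the example, not a McAfee detection rule.
EXCESSIVE_FOR_LOAN_APP = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
}

# Constructed manifest modelled on the permission set described above;
# it is not taken from any real SpyLoan sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.quickloan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>
"""

def declared_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> element."""
    name_attr = "{%s}name" % ANDROID_NS
    root = ET.fromstring(manifest_xml)
    return [el.get(name_attr, "") for el in root.iter("uses-permission")]

def audit_loan_app(manifest_xml: str) -> dict:
    """Flag permissions a loan app has no business requesting."""
    flagged = {p: EXCESSIVE_FOR_LOAN_APP[p]
               for p in declared_permissions(manifest_xml)
               if p in EXCESSIVE_FOR_LOAN_APP}
    categories = sorted(set(flagged.values()))
    # One defensible permission (e.g. camera for an ID photo) is not enough
    # on its own; two or more harvested categories warrant manual review.
    verdict = "review" if len(categories) >= 2 else "ok"
    return {"flagged": flagged, "categories": categories, "verdict": verdict}

if __name__ == "__main__":
    print(audit_loan_app(SAMPLE_MANIFEST))
```

Run it against a manifest extracted with apktool or a similar decoder; the verdict is a triage signal for a human reviewer, not a malware classification.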

Kaaviya (https://cyberpress.org/) is a Security Editor and reporter with Cyber Press, covering cyber security incidents.
