Called “potentially harmful apps”, they offer deceptively attractive loan terms, but will subsequently lead to usury, spying, harassment and blackmail.

Beware of deceptive loan apps (Android platform) that claim to be from legitimate personal loan services promising quick and easy access to funds.

Despite their attractive promises, these apps and their associated services are in fact designed to defraud users by offering them high-interest-rate loans using deceitful descriptions, all while collecting personal and financial information for blackmailing purposes.

Dubbed “SpyLoan” products by the ESET researchers that caught on to their rising numbers in Google Play, the “potentially harmful applications” are marketed through social media and SMS messages. They can also be traced to scam websites and third-party app stores. 

So far, 18 SpyLoan apps have been detected and reported to Google, which has since removed 17 of them from its platform. The apps had been downloaded more than 12 million times before their removal.

Every instance of a particular SpyLoan app behaves identically regardless of its source, because the underlying code is the same. It does not matter whether the app was downloaded from a suspicious website, a third-party app store, or Google Play: users will experience the same functions and face the same risks. To be eligible for a loan, users must accept the terms of service and grant the app extensive permissions to access sensitive data stored on the device. Once they have done so, the app’s enforcers start to pressure their victims into making payments, even if, according to the reviews, the user did not apply for a loan, or did apply for one but was rejected.

SpyLoan app origins

According to ESET telemetry, the enforcers of these apps operate mainly in Mexico, Indonesia, Thailand, Vietnam, India, Pakistan, Colombia, Peru, the Philippines, Egypt, Kenya, Nigeria, and Singapore. There are currently no active campaigns targeting European countries, the USA, or Canada.

According to the firm’s researcher Lukáš Štefanko, who was responsible for uncovering many of the SpyLoan apps: “These malicious applications exploit the trust that users place in legitimate loan providers, using sophisticated techniques to deceive people and steal a very wide range of personal information,” including call logs, calendar events, device information, lists of installed apps, local Wi-Fi network information, and even information about files on the device.

Additionally, contact lists, location data, and SMS messages are vulnerable. The perpetrators encrypt all the stolen data before transmitting it to the command-and-control server, where it is used for spying, harassment, blackmail and other purposes.