Malicious Android Loan Apps Steal Users Personal & Financial Information

There were reports of several Android loan apps that pretended to be providing loan services and easy access to funds, which were found to be malicious apps that collected personal and financial information from the victims.

These applications are identified as “SpyLoan” apps as they collect users’ sensitive information and use them to extort money. More than 17 applications that were available on Google Play were discovered, reported, and subsequently removed.

According to the reviews of these applications, the owners of these apps were harassing customers even if the loan was not provided to the users. The targeted users of these apps were based in Southeast Asia, Africa, and Latin America.

These applications were distributed among victims through social media, SMS messages, and scam websites. It is important to note that all of these applications have the same behavior and functions.

The operators of these applications were mainly from Mexico, Indonesia, Thailand, Vietnam, India, Pakistan, Colombia, Peru, the Philippines, Egypt, Kenya, Nigeria and Singapore. 

Malicious Android Loan Apps

Once these apps are installed on the victim’s device, they are prompted to accept the terms of service and requested to provide too much permission on the device. These permissions allow users to access sensitive information on the device. A mobile phone number registration process is also made to confirm the user’s country of residence.

To complete the loan application process, users are forced to provide personal information such as contact information, address details, proof of income, banking account information, and selfie confirmations. 

Along with this information, these applications also collect a list of accounts, call logs, calendar events, device information, installed applications list, local Wi-Fi network information, and other EXIF metadata of images and photographs on the device.

Data Exfiltration and Modus Operandi

This collected information is then transferred to the C&C server with several techniques like code obfuscation, encrypted strings, and encrypted communication between the C2 server and the device.

However, Google updated its policies on Google Play in May 2023, which prohibited applications from asking to access sensitive information like images, videos, contacts, phone numbers, location, and storage access. 

Though this policy prohibited several applications from getting inside Google Play, existing applications were still having all these permissions provided.

Furthermore, the victims of these applications are threatened with extorting more money from the application operators. These kinds of applications specifically affected vulnerable individuals in urgent need of money and borrowers with limited access to legitimate financial institutions.

A complete report about these kinds of malicious blackmailing applications has been published, providing detailed information about the source code, operations, and others.

Indicators of Compromise

Files

SHA-1	Filename	Detection	Description
136067AC519C23EF7B9E8EB788D1F5366CCC5045	com.aa.kredit.android.apk	Android/SpyLoan.AN	SpyLoan malware.
C0A6755FF0CCA3F13E3C9980D68B77A835B15E89	com.amorcash.credito.prestamo.apk	Android/SpyLoan.BE	SpyLoan malware.
0951252E7052AB86208B4F42EB61FC40CA8A6E29	com.app.lo.go.apk	Android/Spy.Agent.CMO	SpyLoan malware.
B4B43FD2E15FF54F8954BAC6EA69634701A96B96	com.cashwow.cow.eg.apk	Android/Spy.Agent.EY	SpyLoan malware.
D5104BB07965963B1B08731E22F00A5227C82AF5	com.dinero.profin.prestamo.credito.credit.credibus.loan.efectivo.cash.apk	Android/Spy.Agent.CLK	SpyLoan malware.
F79D612398C1948DDC8C757F9892EFBE3D3F585D	com.flashloan.wsft.apk	Android/Spy.Agent.CNB	SpyLoan malware.
C0D56B3A31F46A7C54C54ABEE0B0BBCE93B98BBC	com.guayaba.cash.okredito.mx.tala.apk	Android/Spy.Agent.CLK	SpyLoan malware.
E5AC364C1C9F93599DE0F0ADC2CF9454F9FF1534	com.loan.cash.credit.tala.prestmo.fast.branch.mextamo.apk	Android/SpyLoan.EZ	SpyLoan malware.
9C430EBA0E50BD1395BB2E0D9DDED9A789138B46	com.mlo.xango.apk	Android/Spy.Agent.CNA	SpyLoan malware.
6DC453125C90E3FA53988288317E303038DB3AC6	com.mmp.optima.apk	Android/Spy.Agent.CQX	SpyLoan malware.
532D17F8F78FAB9DB953970E22910D17C14DDC75	com.mxolp.postloan.apk	Android/Spy.KreditSpy.E	SpyLoan malware.
720127B1920BA8508D0BBEBEA66C70EF0A4CBC37	com.okey.prestamo.apk	Android/Spy.Agent.CNA	SpyLoan malware.
2010B9D4471BC5D38CD98241A0AB1B5B40841D18	com.shuiyiwenhua.gl.apk	Android/Spy.KreditSpy.C	SpyLoan malware.
892CF1A5921D34F699691A67292C1C1FB36B45A8	com.swefjjghs.weejteop.apk	Android/SpyLoan.EW	SpyLoan malware.
690375AE4B7D5D425A881893D0D34BB63462DBBF	com.truenaira.cashloan.moneycredit.apk	Android/SpyLoan.FA	SpyLoan malware.
1F01654928FC966334D658244F27215DB00BE097	king.credit.ng.apk	Android/SpyLoan.AH	SpyLoan malware.
DF38021A7B0B162FA661DB9D390F038F6DC08F72	om.sc.safe.credit.apk	Android/Spy.Agent.CME	SpyLoan malware.

Network

Domain	Hosting provider	First seen	Details
pss.aakredit[.]in	Amazon.com, Inc.	2023-03-27	C&C server.
www.guayabacash[.]com	Amazon.com, Inc.	2021-10-17	C&C server.
eg.easycredit-app[.]com	Amazon.com, Inc.	2022-11-26	C&C server.
ag.ahymvoxxg[.]com	HUAWEI CLOUDS	2022-05-28	C&C server.
hwpamjvk.whcashph[.]com	Alibaba (US) Technology Co., Ltd.	2020-01-22	C&C server.
qt.qtzhreop[.]com	Alibaba (US) Technology Co., Ltd.	2022-03-22	C&C server.
rest.bhvbhgvh[.]space	Alibaba (US) Technology Co., Ltd.	2021-10-26	C&C server.
la6gd.cashwow[.]club	Alibaba (US) Technology Co., Ltd.	2022-10-28	C&C server.
mpx.mpxoptim[.]com	Alibaba (US) Technology Co., Ltd.	2023-04-24	C&C server.
oy.oyeqctus[.]com	ALICLOUD-US	2023-01-27	C&C server.
iu.iuuaufbt[.]com	Alibaba (US) Technology Co., Ltd.	2022-03-01	C&C server.
kk.softheartlend2[.]com	IRT-HIPL-SG	2023-01-28	C&C server.
www.credibusco[.]com	Amazon.com, Inc.	2022-03-26	C&C server.
cy.amorcash[.]com	Cloudflare, Inc.	2023-01-24	C&C server.
api.yumicash[.]com	HUAWEI CLOUDS	2020-12-17	C&C server.
app.truenaira[.]co	IRT-UCLOUD-HK	2021-10-18	C&C server.
apitai.coccash[.]com	Cloudflare, Inc.	2021-10-21	C&C server.