150K+ Users Affected by Malicious Loan Apps on iOS and Google Play

Over 150,000 users across Google Play and the Apple App Store have fallen victim to a malicious SpyLoan application named “RapiPlata,” which was identified in February 2025 by advanced detection engines.

This app, posing as a legitimate financial service primarily targeting Colombian users, achieved a Top 20 ranking in the finance category on SimilarWeb in Colombia, highlighting its deceptive reach.

Despite being removed from official app stores by March 2025, RapiPlata continues to pose a threat through third-party websites that misleadingly present it as an official Google Play download.

RapiPlata App Exploits Trust with Predatory Tactics

Harmony Mobile’s machine learning model flagged the app as malicious, uncovering its invasive access to sensitive data such as SMS messages, call logs, calendar events, and installed applications, all of which were uploaded to its servers without legitimate justification.

Figure: RapiPlata application

The severity of this breach prompted immediate investigations, revealing a broader network of SpyLoan malware operations with connections to a previously identified app, “Préstamo Rápido,” active on Google Play since August 2022 and similarly removed due to identical data-exfiltrating behaviors.

RapiPlata’s malicious functionality exemplifies a severe privacy violation, exploiting permissions under the guise of credit assessment to conduct keyword-based SMS scanning, behavioral data harvesting, and unauthorized exfiltration of personal information.

Upon launch, it indiscriminately uploads entire SMS inboxes, call logs, and calendar data, using flimsy excuses like payment reminders or eligibility checks.

Corporate Threat Vectors

According to the Check Point Research report, on iOS devices, which are often considered secure, such data theft turns personal information into corporate breach vectors.

SMS and call logs can expose authentication codes or social connections for spear-phishing, while calendar data reveals sensitive corporate engagements, including Zoom meeting links that attackers can exploit to access confidential discussions.

Additionally, lists of installed apps help cybercriminals tailor malware to exploit specific vulnerabilities, bypassing even robust security measures.

Victims have reported harrowing experiences, including threatening emails and messages to their contacts falsely claiming unpaid loans, showcasing the app’s predatory tactics to coerce repayments for fictitious debts.

The app’s minimal detection on platforms like VirusTotal underscores the evolving sophistication of these threats, often evading traditional security scans through minor syntax changes and new command-and-control servers.

Users are urged to adopt advanced mobile security solutions like Check Point’s Harmony Mobile, which proactively blocks such threats, and to rely solely on verified financial institutions rather than untrustworthy third-party apps for loans.

Indicators of Compromise (IoCs)

Type | Details
Websites | https://www.dineroya.co/, https://www.rapiplata.co, https://home.parkwaysas.co/, https://www.rapiplata.pe/
Payload URL | https://t.copii.co/9YEPe
RapiPlata SHA256 | Multiple hashes including d2413262042fa01e679795298d4541a114a73574c09d93240be64303946fc7f4 (and others)
Prestamo Rapido SHA256 | Multiple hashes including f19c438d98921e5cb468395228fe51f98eb1670a20b3f7cad40783cc5a6156ca (and others)
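
One way to check web proxy logs against the network indicators listed above, as an added example that is not part of the original report. The log format, client addresses and request paths are constructed, and treating each listed site as covering its subdomains is an assumption.

```python
from urllib.parse import urlsplit

# Indicators copied from the IoC table on this page.
IOC_SITES = ["https://www.dineroya.co/", "https://www.rapiplata.co",
             "https://home.parkwaysas.co/", "https://www.rapiplata.pe/"]
IOC_PAYLOAD_URL = "https://t.copii.co/9YEPe"

def _host(url):
    """Lower-cased hostname without a trailing dot or a leading 'www.'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

# Assumption: a listed site also covers its subdomains, and the bare
# domain when the listing starts with 'www.'.
IOC_DOMAINS = {_host(u) for u in IOC_SITES}
_PAYLOAD = urlsplit(IOC_PAYLOAD_URL)

def match_ioc(url):
    """Return the indicator a requested URL or host:port matches, else None."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    # Assumption: only the exact payload URL is listed, so compare
    # host and path rather than flagging every link on that host.
    if host == _PAYLOAD.hostname and parts.path.rstrip("/") == _PAYLOAD.path:
        return IOC_PAYLOAD_URL
    # Compare on DNS label boundaries so 'notrapiplata.co' is not flagged.
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None

def scan(log_lines):
    """Return (client, url, indicator) for each hit in 'time client url' lines."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 3 and (ioc := match_ioc(fields[2])):
            hits.append((fields[1], fields[2], ioc))
    return hits

# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2025-03-02T10:01:07Z 10.0.4.21 https://www.rapiplata.co/app/download",
    "2025-03-02T10:01:09Z 10.0.4.21 https://t.copii.co/9YEPe",
    "2025-03-02T10:02:44Z 10.0.7.3 https://notrapiplata.co/",
    "2025-03-02T10:03:12Z 10.0.7.3 api.rapiplata.pe:443",
    "2025-03-02T10:04:00Z 10.0.9.8 https://t.copii.co/abc123",
]
```

Calling `scan(SAMPLE_LOG)` returns three hits: the RapiPlata site, the exact payload URL, and the `rapiplata.pe` subdomain seen as a CONNECT-style `host:port` entry.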
