Malicious Android Loan Apps Steal Users Personal & Financial Data


There were reports of several Android loan apps that pretended to be providing loan services and easy access to funds, which were found to be malicious apps that collected personal and financial information from the victims.

These applications are identified as “SpyLoan” apps as they collect users’ sensitive information and use them to extort money. More than 17 applications that were available on Google Play were discovered, reported, and subsequently removed.

According to the reviews of these applications, the owners of these apps were harassing customers even if the loan was not provided to the users. The targeted users of these apps were based in Southeast Asia, Africa, and Latin America.

These applications were distributed among victims through social media, SMS messages, and scam websites. It is important to note that all of these applications have the same behavior and functions.

The operators of these applications were mainly from Mexico, Indonesia, Thailand, Vietnam, India, Pakistan, Colombia, Peru, the Philippines, Egypt, Kenya, Nigeria and Singapore. 

Malicious Android Loan Apps

Once these apps are installed on the victim’s device, they are prompted to accept the terms of service and requested to provide too much permission on the device. These permissions allow users to access sensitive information on the device. A mobile phone number registration process is also made to confirm the user’s country of residence.

To complete the loan application process, users are forced to provide personal information such as contact information, address details, proof of income, banking account information, and selfie confirmations. 

Code for Extracting Permission (Source: ESET)

Along with this information, these applications also collect a list of accounts, call logs, calendar events, device information, installed applications list, local Wi-Fi network information, and other EXIF metadata of images and photographs on the device.

Data Exfiltration and Modus Operandi

This collected information is then transferred to the C&C server with several techniques like code obfuscation, encrypted strings, and encrypted communication between the C2 server and the device.

However, Google updated its policies on Google Play in May 2023, which prohibited applications from asking to access sensitive information like images, videos, contacts, phone numbers, location, and storage access. 

Though this policy prohibited several applications from getting inside Google Play, existing applications were still having all these permissions provided.

Furthermore, the victims of these applications are threatened with extorting more money from the application operators. These kinds of applications specifically affected vulnerable individuals in urgent need of money and borrowers with limited access to legitimate financial institutions.

Reviews about Blackmail and threats (Source: ESET)

A complete report about these kinds of malicious blackmailing applications has been published, providing detailed information about the source code, operations, and others.

Indicators of Compromise

Files

SHA-1 Filename Detection Description
136067AC519C23EF7B9E8EB788D1F5366CCC5045 com.aa.kredit.android.apk Android/SpyLoan.AN SpyLoan malware.
C0A6755FF0CCA3F13E3C9980D68B77A835B15E89 com.amorcash.credito.prestamo.apk Android/SpyLoan.BE SpyLoan malware.
0951252E7052AB86208B4F42EB61FC40CA8A6E29 com.app.lo.go.apk Android/Spy.Agent.CMO SpyLoan malware.
B4B43FD2E15FF54F8954BAC6EA69634701A96B96 com.cashwow.cow.eg.apk Android/Spy.Agent.EY SpyLoan malware.
D5104BB07965963B1B08731E22F00A5227C82AF5 com.dinero.profin.prestamo.credito.credit.credibus.loan.efectivo.cash.apk Android/Spy.Agent.CLK SpyLoan malware.
F79D612398C1948DDC8C757F9892EFBE3D3F585D com.flashloan.wsft.apk Android/Spy.Agent.CNB SpyLoan malware.
C0D56B3A31F46A7C54C54ABEE0B0BBCE93B98BBC com.guayaba.cash.okredito.mx.tala.apk Android/Spy.Agent.CLK SpyLoan malware.
E5AC364C1C9F93599DE0F0ADC2CF9454F9FF1534 com.loan.cash.credit.tala.prestmo.fast.branch.mextamo.apk Android/SpyLoan.EZ SpyLoan malware.
9C430EBA0E50BD1395BB2E0D9DDED9A789138B46 com.mlo.xango.apk Android/Spy.Agent.CNA SpyLoan malware.
6DC453125C90E3FA53988288317E303038DB3AC6 com.mmp.optima.apk Android/Spy.Agent.CQX SpyLoan malware.
532D17F8F78FAB9DB953970E22910D17C14DDC75 com.mxolp.postloan.apk Android/Spy.KreditSpy.E SpyLoan malware.
720127B1920BA8508D0BBEBEA66C70EF0A4CBC37 com.okey.prestamo.apk Android/Spy.Agent.CNA SpyLoan malware.
2010B9D4471BC5D38CD98241A0AB1B5B40841D18 com.shuiyiwenhua.gl.apk Android/Spy.KreditSpy.C SpyLoan malware.
892CF1A5921D34F699691A67292C1C1FB36B45A8 com.swefjjghs.weejteop.apk Android/SpyLoan.EW SpyLoan malware.
690375AE4B7D5D425A881893D0D34BB63462DBBF com.truenaira.cashloan.moneycredit.apk Android/SpyLoan.FA SpyLoan malware.
1F01654928FC966334D658244F27215DB00BE097 king.credit.ng.apk Android/SpyLoan.AH SpyLoan malware.
DF38021A7B0B162FA661DB9D390F038F6DC08F72 om.sc.safe.credit.apk Android/Spy.Agent.CME SpyLoan malware.

Network

Domain Hosting provider First seen Details
pss.aakredit[.]in Amazon.com, Inc. 2023-03-27 C&C server.
www.guayabacash[.]com Amazon.com, Inc. 2021-10-17 C&C server.
eg.easycredit-app[.]com Amazon.com, Inc. 2022-11-26 C&C server.
ag.ahymvoxxg[.]com HUAWEI CLOUDS 2022-05-28 C&C server.
hwpamjvk.whcashph[.]com Alibaba (US) Technology Co., Ltd. 2020-01-22 C&C server.
qt.qtzhreop[.]com Alibaba (US) Technology Co., Ltd. 2022-03-22 C&C server.
rest.bhvbhgvh[.]space Alibaba (US) Technology Co., Ltd. 2021-10-26 C&C server.
la6gd.cashwow[.]club Alibaba (US) Technology Co., Ltd. 2022-10-28 C&C server.
mpx.mpxoptim[.]com Alibaba (US) Technology Co., Ltd. 2023-04-24 C&C server.
oy.oyeqctus[.]com ALICLOUD-US 2023-01-27 C&C server.
iu.iuuaufbt[.]com Alibaba (US) Technology Co., Ltd. 2022-03-01 C&C server.
kk.softheartlend2[.]com IRT-HIPL-SG 2023-01-28 C&C server.
www.credibusco[.]com Amazon.com, Inc. 2022-03-26 C&C server.
cy.amorcash[.]com Cloudflare, Inc. 2023-01-24 C&C server.
api.yumicash[.]com HUAWEI CLOUDS 2020-12-17 C&C server.
app.truenaira[.]co IRT-UCLOUD-HK 2021-10-18 C&C server.
apitai.coccash[.]com Cloudflare, Inc. 2021-10-21 C&C server.



Source link