There were reports of several Android loan apps that pretended to be providing loan services and easy access to funds, which were found to be malicious apps that collected personal and financial information from the victims.
These applications are identified as “SpyLoan” apps as they collect users’ sensitive information and use them to extort money. More than 17 applications that were available on Google Play were discovered, reported, and subsequently removed.
According to the reviews of these applications, the owners of these apps were harassing customers even if the loan was not provided to the users. The targeted users of these apps were based in Southeast Asia, Africa, and Latin America.
These applications were distributed among victims through social media, SMS messages, and scam websites. It is important to note that all of these applications have the same behavior and functions.
The operators of these applications were mainly from Mexico, Indonesia, Thailand, Vietnam, India, Pakistan, Colombia, Peru, the Philippines, Egypt, Kenya, Nigeria and Singapore.
Malicious Android Loan Apps
Once these apps are installed on the victim’s device, they are prompted to accept the terms of service and requested to provide too much permission on the device. These permissions allow users to access sensitive information on the device. A mobile phone number registration process is also made to confirm the user’s country of residence.
To complete the loan application process, users are forced to provide personal information such as contact information, address details, proof of income, banking account information, and selfie confirmations.
Along with this information, these applications also collect a list of accounts, call logs, calendar events, device information, installed applications list, local Wi-Fi network information, and other EXIF metadata of images and photographs on the device.
Data Exfiltration and Modus Operandi
This collected information is then transferred to the C&C server with several techniques like code obfuscation, encrypted strings, and encrypted communication between the C2 server and the device.
However, Google updated its policies on Google Play in May 2023, which prohibited applications from asking to access sensitive information like images, videos, contacts, phone numbers, location, and storage access.
Though this policy prohibited several applications from getting inside Google Play, existing applications were still having all these permissions provided.
Furthermore, the victims of these applications are threatened with extorting more money from the application operators. These kinds of applications specifically affected vulnerable individuals in urgent need of money and borrowers with limited access to legitimate financial institutions.
A complete report about these kinds of malicious blackmailing applications has been published, providing detailed information about the source code, operations, and others.
Indicators of Compromise
Files
| SHA-1 | Filename | Detection | Description |
| 136067AC519C23EF7B9E8EB788D1F5366CCC5045 | com.aa.kredit.android.apk | Android/SpyLoan.AN | SpyLoan malware. |
| C0A6755FF0CCA3F13E3C9980D68B77A835B15E89 | com.amorcash.credito.prestamo.apk | Android/SpyLoan.BE | SpyLoan malware. |
| 0951252E7052AB86208B4F42EB61FC40CA8A6E29 | com.app.lo.go.apk | Android/Spy.Agent.CMO | SpyLoan malware. |
| B4B43FD2E15FF54F8954BAC6EA69634701A96B96 | com.cashwow.cow.eg.apk | Android/Spy.Agent.EY | SpyLoan malware. |
| D5104BB07965963B1B08731E22F00A5227C82AF5 | com.dinero.profin.prestamo.credito.credit.credibus.loan.efectivo.cash.apk | Android/Spy.Agent.CLK | SpyLoan malware. |
| F79D612398C1948DDC8C757F9892EFBE3D3F585D | com.flashloan.wsft.apk | Android/Spy.Agent.CNB | SpyLoan malware. |
| C0D56B3A31F46A7C54C54ABEE0B0BBCE93B98BBC | com.guayaba.cash.okredito.mx.tala.apk | Android/Spy.Agent.CLK | SpyLoan malware. |
| E5AC364C1C9F93599DE0F0ADC2CF9454F9FF1534 | com.loan.cash.credit.tala.prestmo.fast.branch.mextamo.apk | Android/SpyLoan.EZ | SpyLoan malware. |
| 9C430EBA0E50BD1395BB2E0D9DDED9A789138B46 | com.mlo.xango.apk | Android/Spy.Agent.CNA | SpyLoan malware. |
| 6DC453125C90E3FA53988288317E303038DB3AC6 | com.mmp.optima.apk | Android/Spy.Agent.CQX | SpyLoan malware. |
| 532D17F8F78FAB9DB953970E22910D17C14DDC75 | com.mxolp.postloan.apk | Android/Spy.KreditSpy.E | SpyLoan malware. |
| 720127B1920BA8508D0BBEBEA66C70EF0A4CBC37 | com.okey.prestamo.apk | Android/Spy.Agent.CNA | SpyLoan malware. |
| 2010B9D4471BC5D38CD98241A0AB1B5B40841D18 | com.shuiyiwenhua.gl.apk | Android/Spy.KreditSpy.C | SpyLoan malware. |
| 892CF1A5921D34F699691A67292C1C1FB36B45A8 | com.swefjjghs.weejteop.apk | Android/SpyLoan.EW | SpyLoan malware. |
| 690375AE4B7D5D425A881893D0D34BB63462DBBF | com.truenaira.cashloan.moneycredit.apk | Android/SpyLoan.FA | SpyLoan malware. |
| 1F01654928FC966334D658244F27215DB00BE097 | king.credit.ng.apk | Android/SpyLoan.AH | SpyLoan malware. |
| DF38021A7B0B162FA661DB9D390F038F6DC08F72 | om.sc.safe.credit.apk | Android/Spy.Agent.CME | SpyLoan malware. |
Network
| Domain | Hosting provider | First seen | Details |
| pss.aakredit[.]in | Amazon.com, Inc. | 2023-03-27 | C&C server. |
| www.guayabacash[.]com | Amazon.com, Inc. | 2021-10-17 | C&C server. |
| eg.easycredit-app[.]com | Amazon.com, Inc. | 2022-11-26 | C&C server. |
| ag.ahymvoxxg[.]com | HUAWEI CLOUDS | 2022-05-28 | C&C server. |
| hwpamjvk.whcashph[.]com | Alibaba (US) Technology Co., Ltd. | 2020-01-22 | C&C server. |
| qt.qtzhreop[.]com | Alibaba (US) Technology Co., Ltd. | 2022-03-22 | C&C server. |
| rest.bhvbhgvh[.]space | Alibaba (US) Technology Co., Ltd. | 2021-10-26 | C&C server. |
| la6gd.cashwow[.]club | Alibaba (US) Technology Co., Ltd. | 2022-10-28 | C&C server. |
| mpx.mpxoptim[.]com | Alibaba (US) Technology Co., Ltd. | 2023-04-24 | C&C server. |
| oy.oyeqctus[.]com | ALICLOUD-US | 2023-01-27 | C&C server. |
| iu.iuuaufbt[.]com | Alibaba (US) Technology Co., Ltd. | 2022-03-01 | C&C server. |
| kk.softheartlend2[.]com | IRT-HIPL-SG | 2023-01-28 | C&C server. |
| www.credibusco[.]com | Amazon.com, Inc. | 2022-03-26 | C&C server. |
| cy.amorcash[.]com | Cloudflare, Inc. | 2023-01-24 | C&C server. |
| api.yumicash[.]com | HUAWEI CLOUDS | 2020-12-17 | C&C server. |
| app.truenaira[.]co | IRT-UCLOUD-HK | 2021-10-18 | C&C server. |
| apitai.coccash[.]com | Cloudflare, Inc. | 2021-10-21 | C&C server. |