Predatory app downloaded 100,000 times from Google Play Store steals data, uses it for blackmail
A malicious app claiming to be a financial management tool has been downloaded 100,000 times from the Google Play Store. The app—known as “Finance Simplified”—belongs to the SpyLoan family, which specializes in predatory lending.
Sometimes malware creators manage to get their apps listed in the official app store. This is a great benefit for them since it lends a sense of legitimacy to the app, and they don’t have to convince users to sideload the app from an unofficial site.
So it gives them a much larger audience: they can lean on the trust we place in the official app stores, and users don’t have to do anything they might perceive as suspicious.
While Google has enhanced security measures in place—including AI-powered threat detection and real-time scanning—that are designed to detect and block malicious apps more effectively, the cat-and-mouse game between cybercriminals and security measures continues, with each side trying to outsmart the other.
In this case, the loan app evaded detection on Google Play by loading a WebView that redirected users to an external website, from which they could download the actual app, hosted on an Amazon EC2 server.
Predatory lending is any lending practice where the borrower is taken advantage of by the lender. Predatory lenders impose lending terms that are unfair or abusive.
The apps in the SpyLoan family offer attractive loan terms with virtually no background checks. But once installed, they steal information from the victim’s device that can be used to blackmail the victim, especially when they miss payments on the loan.
The stolen information includes contacts, call logs, text messages, photos, and the device’s location.
Although the app has now been removed from Google Play, it may continue to run on affected devices, collecting sensitive information in the background.
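As an added illustration that is not part of the original article or Malwarebytes’ tooling: a small defender-side triage script that reads `adb shell dumpsys package` output and flags installed apps whose requested permissions cover the data categories listed above (contacts, call logs, text messages, photos, location). The sample dump and its package names are constructed, and the permission-to-category mapping is this editor’s assumption.

```python
# Permissions mapped to the data this SpyLoan app was reported to collect (editor's mapping).
DATA_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_MEDIA_IMAGES": "photos",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}

# Constructed sample in the layout of `adb shell dumpsys package`; hypothetical package names.
SAMPLE_DUMPSYS = """\
  Package [com.example.loanhelper] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.READ_CALL_LOG
      android.permission.READ_SMS
      android.permission.READ_MEDIA_IMAGES
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.calculator] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
"""

def requested_permissions(dump: str) -> dict[str, set[str]]:
    """Map each package to the permissions declared in its manifest."""
    perms, current, in_requested = {}, None, False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("Package ["):
            current, in_requested = line[9:].split("]")[0], False
            perms[current] = set()
        elif line == "requested permissions:":
            in_requested = True
        elif line.endswith(":"):
            in_requested = False  # another section, e.g. "install permissions:"
        elif in_requested and current and line.startswith("android.permission."):
            perms[current].add(line.split(":")[0])  # tolerate ": restricted=true" suffixes
    return perms

def data_reach(perms: set[str]) -> set[str]:
    """Which of the reported SpyLoan data categories this permission set can read."""
    return {cat for perm, cat in DATA_PERMISSIONS.items() if perm in perms}

def flag_packages(dump: str, min_categories: int = 3) -> dict[str, set[str]]:
    """Packages whose permissions reach at least min_categories of those data types."""
    return {pkg: reach for pkg, perms in requested_permissions(dump).items()
            if len(reach := data_reach(perms)) >= min_categories}
```

Run it against a real dump with `adb shell dumpsys package > dump.txt` and `flag_packages(open("dump.txt").read())`; a hit is a prompt to review the app, not proof of malice, since legitimate messaging or backup apps request similar sets.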
The researchers found that the app targets only users in India: the recommended loan applications and the redirect to the external website are shown only to them.
The information stolen from users could well be used for malicious purposes or sold to other cybercriminals.
Losing data related to a financial account can have severe consequences. If you find an app from this family or another information stealer on your device, there are a few guidelines to follow to limit the damage:
- Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
- Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
- Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
- Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.