SpyLoan Android malware on Google Play installed 8 million times


A new set of 15 SpyLoan Android malware apps with over 8 million installs was discovered on Google Play, targeting primarily users from South America, Southeast Asia, and Africa.

The apps were discovered by McAfee, a member of the ‘App Defense Alliance,’ and have now been removed from Android’s official app store.

However, their presence on Google Play is indicative of the threat actors’ persistence, as even recent law enforcement actions against SpyLoan operators have not curbed the issue, says McAfee.

The last major “SpyLoan cleanup” on Google Play was in December 2023, when over a dozen apps that had amassed 12 million downloads were removed.

SpyLoan modus operandi

SpyLoan apps are promoted as financial tools that offer users loans through a fast-track approval process, under deceptive and often false terms.

Once the victims install those apps, they are validated via a one-time password (OTP) to ensure they’re based in the target region. Then they are requested to submit sensitive identification documents, employee information, and banking account data.

Additionally, the apps misuse their permissions on the device to collect extensive sensitive data, including access to the user’s contact lists, SMS, camera, call log, and location, to use in the extortion process.

McAfee notes that the aggressive data-gathering tactics of these apps extend to exfiltrating all SMS messages on the victim’s device, as well as GPS/network location, device information, OS details, and sensor data.

Code to exfiltrate all SMS
Source: McAfee

Once a user gets a loan through the app, they are bound to high-interest payments, and regularly harassed and blackmailed by the operators using the data stolen from their phones. In some cases, the scammers call family members of the loanee, harassing them as well.

8 million downloads on Google Play

McAfee’s investigation identified 15 malicious SpyLoan apps, which have been installed over 8 million times through the Play Store alone. Below is a list of the eight most popular:

  • Préstamo Seguro-Rápido, Seguro – 1,000,000 downloads, primarily targets Mexico
  • Préstamo Rápido-Credit Easy – 1,000,000 downloads, primarily targets Colombia
  • ได้บาทง่ายๆ-สินเชื่อด่วน – 1,000,000 downloads, primarily targets Senegal
  • RupiahKilat-Dana cair – 1,000,000 downloads, primarily targets Senegal
  • ยืมอย่างมีความสุข – เงินกู้ – 1,000,000 downloads, primarily targets Thailand
  • เงินมีความสุข – สินเชื่อด่วน – 1,000,000 downloads, primarily targets Thailand
  • KreditKu-Uang Online – 500,000 downloads, primarily targets Indonesia
  • Dana Kilat-Pinjaman kecil – 500,000 downloads, primarily targets Indonesia
Four SpyLoan apps on Google Play
Source: McAfee

Despite Google’s app review mechanisms to block software that violates the Play Store’s terms, SpyLoan apps continue to slip through the cracks.

To protect against this risk, read user reviews, check the developer’s reputation, limit the permissions granted to apps upon installation, and make sure Google Play Protect is active on the device.
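
As an added example (not code from McAfee's report or from this article), the following Python audit flags installed apps that have actually been granted several of the data categories the article lists: contacts, SMS, camera, call log, and location. It assumes input in the style of `adb shell dumpsys package` output with `permission: granted=true` lines; the sample text, the package names and the threshold of three categories are constructed for illustration.

```python
import re

# Permissions covering the data the article says SpyLoan apps collect:
# contacts, SMS, camera, call log, and location.
RISKY = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
}
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

def granted_risky(dump_text):
    """Map package name -> set of risky data categories actually granted."""
    result, current = {}, None
    for line in dump_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = set()
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true" and m.group(1) in RISKY:
            result[current].add(RISKY[m.group(1)])
    return result

def flag_apps(dump_text, threshold=3):
    """Packages holding >= threshold categories (assumed cutoff), worst first."""
    hits = {p: c for p, c in granted_risky(dump_text).items() if len(c) >= threshold}
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))

# Constructed sample; package names are placeholders, not real apps.
SAMPLE = """\
Packages:
  Package [com.example.quickloan] (1a2b3c):
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true
      android.permission.READ_CALL_LOG: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=true
      android.permission.CAMERA: granted=false
  Package [com.example.notes] (4d5e6f):
    runtime permissions:
      android.permission.CAMERA: granted=true
"""

if __name__ == "__main__":
    for pkg, cats in flag_apps(SAMPLE):
        print(pkg, sorted(cats))
```

A loan app has no functional need for SMS, call log and contacts together, so any package this flags is a candidate for revoking permissions or uninstalling.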