Android and iOS Loan Apps With 15 million Installs Extorted Borrowers

Over 280 Android and iOS apps on Google Play and the Apple App Store trapped users in loan schemes with misleading terms and then used extortion and harassment to collect. To fuel the extortion, the apps harvested far more data from the phone than a lender needs. In a new report, researchers at the mobile security firm Lookout identified 251 Android and 35 iOS lending apps with a combined 15 million downloads, mostly by users in India, Colombia, Mexico, Nigeria, Thailand, the Philippines, and Uganda. Lookout reported all of them to Google and Apple, and all have since been removed from both stores. The apps found the most success in developing countries, where people have limited access to regulated credit and where fraud is less likely to be reported or prosecuted.

On installation, the apps asked the user to grant risky permissions that gave the operators access to sensitive data on the device: the contact list, SMS content, photos, and other media. As soon as the permissions were granted, the apps began uploading that data to the operators' servers; if the user declined, the app refused to let them submit a loan request. On first launch, once permissions were in place, the user was asked to complete a KYC (Know Your Customer) form, including photographs of government ID cards.

Next, the apps presented deceptive or outright false loan terms to persuade the user to proceed. Once part of the loan was paid out, the interest terms changed or previously hidden fees appeared, in some cases amounting to one-third of the total borrowed. Some users reported that the promised 180-day repayment period shrank to eight days, with heavy interest and penalty fees charged the moment the loan was overdue.

When users were unable or unwilling to repay, the operators turned to the data stolen in the first stage: calling people from the victim's contact list and disclosing the debt to family, friends, and colleagues. Some victims reported that the lenders sent doctored versions of images taken from the device to their contacts, causing serious distress.
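The permission-harvesting pattern described above can be triaged from an app's manifest before the app is ever installed. The following Python script is an added example written for this page; it is not Lookout's tooling and nothing in the report describes it. The two embedded manifests are constructed samples (the package name `com.example.quickcash` is made up), and the lists of "harvesting" and "expected" permissions are this example's own choices for a lending app, not a published standard.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that expose the data the report says these apps exfiltrated
# (contacts, SMS, photos/media). This mapping is the example's own choice.
HARVEST_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_SMS": "stored SMS content",
    "android.permission.RECEIVE_SMS": "incoming SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "photos and media (pre-API 33)",
    "android.permission.READ_MEDIA_IMAGES": "photos",
    "android.permission.READ_MEDIA_VIDEO": "videos",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}

# Permissions a loan app can plausibly justify: network access and a camera
# for the KYC photo. Assumption for this example, not an app-store rule.
EXPECTED_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.CAMERA",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def triage(manifest_xml):
    """Classify a manifest: which harvesting permissions it asks for, which
    other unexplained permissions it asks for, and an overall verdict.
    The verdict is 'suspicious' only when the app can both read personal
    data and send it off the device (INTERNET)."""
    perms = requested_permissions(manifest_xml)
    harvest = {p: HARVEST_PERMISSIONS[p] for p in sorted(perms & HARVEST_PERMISSIONS.keys())}
    other = sorted(perms - EXPECTED_PERMISSIONS - HARVEST_PERMISSIONS.keys())
    can_exfiltrate = "android.permission.INTERNET" in perms
    verdict = "suspicious" if harvest and can_exfiltrate else "ok"
    return {"harvest": harvest, "other": other, "verdict": verdict}


# Constructed sample: the permission profile the report describes.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.quickcash">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="QuickCash"/>
</manifest>"""

# Constructed sample: a lending app asking only for what it needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainloan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="PlainLoan"/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("QuickCash", SUSPICIOUS_MANIFEST), ("PlainLoan", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(f"{label}: {result['verdict']}")
        for perm, exposes in result["harvest"].items():
            print(f"  harvests {exposes} via {perm}")
        for perm in result["other"]:
            print(f"  unexplained: {perm}")
```

To run this against a real APK, extract the decoded manifest first with the Android SDK's `apkanalyzer manifest print app.apk` and feed the output to `triage()`. The same idea applies on iOS by inspecting `Info.plist` for `NSContactsUsageDescription`, `NSPhotoLibraryUsageDescription` and similar keys, since an app cannot prompt for that data without declaring them. The check is deliberately conservative: a loan app with contact and SMS access but no `INTERNET` permission cannot exfiltrate anything, so it is not flagged, while the `other` list surfaces permissions that need a human look rather than an automatic verdict.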

Analyst Notes

Apple and Google both allow personal-loan apps on their stores, but their policies are strict: the minimum repayment period is 60 days and the maximum annual percentage rate, including fees, is 36%. The apps in this report advertised terms that complied with those rules, then enforced very different and far more aggressive terms in practice, which is why both stores removed them for policy violations. Unfortunately, there are too few checks to stop the same operators from resubmitting the same apps under new names and developer accounts, so users should remain vigilant. Anyone considering a mobile loan app should read the reviews, research the lender's reputation and licensing, and look hard at the permissions requested on installation: a lender has no legitimate need for contacts, SMS, or the photo library, and an app that refuses to proceed without them should be treated as predatory. Organizations that manage mobile devices can apply the same logic in their MDM or mobile threat defense policies by flagging or blocking finance apps that request those permissions.