Over 280 Android and iOS apps on the Google Play and the Apple App stores trapped users in loan schemes with misleading terms and employed various methods to extort and harass borrowers. To fuel the operation’s extortion attempts, the apps stole excessive amounts of data from mobile phones not usually required to offer loans. In a new report by cybersecurity firm Lookout, researchers uncovered 251 Android and 35 iOS lending apps that were downloaded a combined total of 15 million times, mostly from users in India, Colombia, Mexico, Nigeria, Thailand, the Philippines, and Uganda. Lookout reported all of them to Google and Apple for removal and was successfully able to remove all of them. These loan apps found great success in developing countries where people have limited financial opportunities and where reports of fraud are less likely to be prosecuted. When installed, the predatory loan apps requested users grant risky permissions that enabled the threat actors to access sensitive information on the device, such as the contact list, SMS content, photos, media, etc. As soon as the permissions are given, the apps immediately began to upload sensitive data from the device to their own servers. If the user doesn’t approve these permission requests, the app will not allow them to submit loan requests. On the first launch, and after permissions are granted, the user is requested to fill out a KYC (Know Your Customer) form, requesting photographs of government ID cards, etc. Next, the apps offer users deceiving or straight-out false loan terms, so they are convinced to move forward. When the victims receive part of their loan, the interest rate terms change, or previously hidden fees emerge, sometimes reaching up to one-third of the total amount borrowed. Some users also reported that the apps reduced the repayment period from a promised 180 days to only eight days, imposing hefty interest and penalty fees when overdue. When users were unable or unwilling to repay the loans, the app operators begin to harass them using the data stolen in the first stage, contacting people from the device’s list, and disclosing the debt to family and friends. Some scammed users even reported that the lenders sent edited images stolen from the device to contacts, causing great distress.
Watch the Video
How does Binary Defense help protect your organization? With best in breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.