Shady personal loan apps could be scamming millions of Android users out of their money and data. Cybersecurity researchers at ESET discovered over a dozen apps, dubbed SpyLoan, deceiving users through predatory tactics.
Advertised as easy loan services, the apps have amassed over 12 million Google Play downloads. But they’re also distributed through third-party stores and social media, so actual numbers are likely much higher.
SpyLoan’s scam starts once users sign up and hand over unnecessary permissions like camera, contacts, and call log access. Soon after securing a loan, terms suddenly shift to unreasonable payback periods of just days. Then threats and public shaming tactics start if repayment deadlines aren’t met, often involving messaging a user’s contacts.
Meanwhile, SpyLoan quietly mines devices for account info, installed apps, Wi-Fi details, calendar data, location history, messages, and images. A full-scale data pillaging.
Such loan scams are nothing new, but have accelerated in 2023, say researchers. Most victims reside in developing nations like Mexico, India, Indonesia, and Peru.
So how did clearly shady apps dupe Google Play defenses? By superficially appearing above board – submitting privacy policies, identity checks and transparent permission requests. But the developers also linked to fake company websites as a smokescreen.
Google has since removed 17 of the 18 identified SpyLoan apps. But one remains, now with reduced permissions, which seemingly satisfied Google’s standards.
So Android users, especially in the developing world, would be wise to steer clear of enticing personal loan apps for now. Millions likely unwittingly handed over their financial and personal information to these scamware operations. Deleting suspicious apps and resetting passwords is probably smart protocol at this point.
