Date: 2023-12-13

This year has seen an alarming growth in deceptive Android apps that present themselves as legitimate personal loan services, promising quick and easy access to money to victims who install them on their devices.

“These services actually are designed to scam users by offering high-interest rate loans backed by misleading descriptions, all while collecting their victims' personal and financial information to blackmail them and ultimately obtain their funds,” explained the cybersecurity company ESET.

These types of applications, known as montadeudas or SpyLoan, have had a great impact in markets such as Mexico, where in recent years they prompted the authorities to intervene and warn about their impact on users.

“According to ESET telemetry, the executors of these apps operate mainly in Mexico, Indonesia, Thailand, Vietnam, India, Pakistan, Colombia, Peru, Chile, Philippines, Egypt, Kenya, Nigeria and Singapore. All of these countries have various laws that regulate private loans, not only their types, but also the transparency of their communication. Any detection outside of these countries could be related to smartphones that have, for various reasons, access to a phone number registered in one of these countries,” the company reported.

A large number of these types of fraudulent applications were on Google Play, but are now marketed via social networks and SMS messages, and can be downloaded from scam websites and third-party app stores.

“As a member of the Google App Defense Alliance, ESET identified and reported to Google 18 SpyLoan applications with more than 12 million downloads on Google Play, and 17 were later eliminated,” the company explained.

How the apps work

ESET explained that once a user installs a SpyLoan app, they are asked to accept the terms of service and grant broad permissions to access sensitive data stored on the device.

The app then asks for user registration, which is done via SMS one-time password verification to validate the victim's phone number. The registration forms select the country code based on the country code of the victim's phone number, ensuring that people with numbers in the target country can create an account.

Once the phone number is verified, users gain access to the loan application feature of the app. To complete the application process, users are forced to provide a large amount of personal information and bank account information, and even to upload photos of the front and back of their ID documents, and a selfie.

