November 30, 2022

Lookout Discovers Hundreds of Predatory Loan Apps on Google Play and Apple App Store


Researchers at Lookout have discovered close to 300 mobile loan applications on Google Play and the Apple App Store that exhibit predatory behavior such as exfiltrating excessive user data from mobile devices and harassing borrowers for repayment.

These apps, which were found in Southeast Asian and African countries, as well as India, Colombia, and Mexico, purportedly offer quick, fully-digital loan approvals with reasonable loan terms. In reality, they exploit victims’ desire for quick cash to ensnare borrowers into predatory loan contracts and require them to grant access to sensitive information such as contacts and SMS messages.

In addition to predatory requests for excessive permissions, many of the loan operators display scam-like behavior. A number of users have reported that their loans come with hidden fees, high interest rates, and repayment terms that are much less favorable than what is posted on the app stores. We also found evidence that the data exfiltrated from devices is sometimes used to pressure victims for repayment, either by harassing the customers themselves or their contacts.

In total, we uncovered 251 Android apps on the Google Play store with over 15 million collective downloads. We also identified 35 apps on the Apple App Store that were in the top 100 finance apps in their regional stores. Lookout has been in contact with Google and Apple about these apps and at the time of publishing, none of them are available for download. 

Based on our analysis, there are likely dozens of independent operators involved, as we only found shared code bases between small batches of apps. With that said, all the apps have a very similar business model: trick victims into unfair loan terms and then threaten them into paying.

Customers of Lookout Mobile Endpoint Security and Lookout Personal Digital Safety are protected from these threats.

Select samples of apps with high installs from different countries. Top row are iOS apps, from left to right: Trycash, India; RupRup, India; LoanZone - online loan, India; CashG, the Philippines; Tunai Cepat - Pinjaman Online, Indonesia. Second row are Android apps, from left to right: FairKash, Kenya; Flash Rupee, India; Peranyo, the Philippines; AnyLoan, Nigeria, EastBay, Colombia.

High concentration of loan scams in developing countries

All the predatory loan apps were found in developing countries. Specifically, we identified apps targeting users in Colombia, India, Indonesia, Kenya, Mexico, Nigeria, the Philippines, Thailand, and Uganda. While we don't have evidence of where the scam operators reside, it is clear that they identified these regions as lucrative.

Based on the low review scores of most of the apps, the loan operators don't seem to be afraid of getting caught and find the reputation of the individual apps to be disposable. This may partially be the result of looser financial regulations or lack of enforcement. 

Another reason these apps are found in developing countries may be the relative ease of access to mobile apps compared to traditional financial services, especially for those with a lower income. In one instance reported by TechCrunch, a victim decided to use a loan app because their income didn't qualify them for a traditional loan. According to the World Bank, 1.4 billion people globally don't have a bank account, while only 800 million don't have access to a mobile phone. In the Philippines, for example, only 51% of the population has a bank account compared to 92% that has access to a mobile device.

The focus on developing countries may also explain why we found more loan scam apps on Android than on iOS. Outside the U.S., Android is much more popular, with more than 70% of the market, partly because of the availability of extremely low-cost Android devices.

Lookout discovered predatory loan apps in regional stores of nine countries: Colombia, India, Indonesia, Kenya, Mexico, Nigeria, the Philippines, Thailand, and Uganda.

How do loan scam apps work?

The loan scam apps on both Android and iOS rely on users to provide personal information as part of the loan application process. However, they also require the user to grant permissions to access information on the device that clearly go beyond what a typical loan application would require. 

Here’s a breakdown of the “modus operandi” of these predatory loan apps.

Filling out the loan application

The scam starts out quite innocuous, with the user downloading the app from Google Play or the App Store. They are then prompted to fill out an application, which asks for the applicant’s name, address, employment history, education, and banking information — all the typical data that a legitimate institution would request.

Most of the apps also ask for something that has become quite common: ID verification with a video selfie. While this is a process that many legitimate apps also use, we assess that the loan scam apps expose users to significantly higher risks. 

Most of the predatory loan apps request ID verification via a video selfie. The two screenshots on the left are from the Indian Android app Flash Rupee asking for the permanent account number (PAN) card and the Aadhaar ID card.

Requiring excess app permissions

In addition to the data that users voluntarily fill in as part of the application process, the apps also request an extensive list of device permissions, such as call logs, SMS, installed apps, photos, and contact lists — this last one is key to the harassment campaign that would come later.

Permissions are required by most of the predatory loan apps before the user can submit a loan application. The four screenshots on the left are Android permission requests by the Colombian app Eastbay. The screenshot on the right comes from the Indian iOS app CashG.

To coerce victims into granting these permissions, the apps won't let the user proceed if any of the requests are denied. The operators are actually quite forthcoming about what they ask for and itemize the permissions in their terms and conditions. But upon closer examination, these policies don't add up.

FairKash, an Android app that used to be on the Kenyan Google Play store, uses generic language in its privacy policy about how the contacts and SMS permissions would be used. For example, it claims that contact lists will only be used to “detect fraudulent loan applications and reduce credit risk.”

In our analysis of network traffic, we observed that many of the apps begin exfiltrating contact information as soon as the permissions are granted. On Android, some apps also exfiltrate SMS messages. Contacts, call history, and SMS messages are particularly desirable to the scam operators because they can be used to publicly shame victims into repayment. These collection practices are described below.

We found that the iOS app CashG from the Philippines not only asks for permissions to access contact lists, but it is actively exfiltrating that data based on the network evidence we collected.

We found evidence that Colombian Android app EastBay actively exfiltrated SMS data once the user gives it access.
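The permission pattern described above (contacts, SMS, call logs, installed apps, photos requested by an app whose stated purpose is a loan application) can be triaged mechanically. The following is an added example, not Lookout's tooling: it parses a decoded AndroidManifest.xml (as produced by apktool or aapt, since the manifest inside an APK is binary-encoded) and flags the permissions this report found being requested and exfiltrated. The manifest, permission list and package name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a loan application has no plausible need for. The report found
# these requested by the predatory apps and the resulting data exfiltrated.
EXCESSIVE_FOR_LOAN_APP = {
    "android.permission.READ_CONTACTS": "contact list (later used to harass the borrower's contacts)",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.QUERY_ALL_PACKAGES": "list of installed apps",
    "android.permission.READ_EXTERNAL_STORAGE": "photos and files",
}


def requested_permissions(manifest_xml: str) -> set:
    """Collect every android:name on a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def flag_excessive(manifest_xml: str) -> dict:
    """Return {permission: what it exposes} for each request beyond a loan app's needs."""
    return {
        perm: EXCESSIVE_FOR_LOAN_APP[perm]
        for perm in requested_permissions(manifest_xml)
        if perm in EXCESSIVE_FOR_LOAN_APP
    }


# Constructed sample manifest modelled on the permission set the report describes.
# The package name is a placeholder, not one of the apps Lookout identified.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.loanapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
</manifest>"""

if __name__ == "__main__":
    for perm, reason in sorted(flag_excessive(SAMPLE_MANIFEST).items()):
        print(f"EXCESSIVE: {perm} -> {reason}")
```

INTERNET and CAMERA pass because a loan app plausibly needs them for submitting the application and the video selfie; the three flagged permissions are the ones that feed the harassment campaign.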

Bait and switch: predatory loan terms

Unlike other common scam schemes, the would-be victims do receive some amount of the loan they apply for, but with huge penalties. Large fees, as much as one third of the total amount borrowed according to the New York Times, are subtracted from the loan disbursement. After that, exorbitant interest rates kick in and the victim is asked to repay within a matter of days.

Both the Apple App Store and Google Play have specific guidelines for acceptable personal loan apps, including a maximum APR of 36% and a minimum repayment term of more than 60 days. While all of the loan app listings we encountered appear to comply with these policies, the terms actually imposed once the loan is paid out are completely different, according to user reviews, social media posts, and reporting by journalists.

Above is an excerpt of the loan terms for Trycash, an iOS app from India, that shows app store policy compliant loan terms that it claims to provide. Below is a user review claiming that they were only given eight days to repay a loan that had a large amount of processing fees.
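To see how far the "processing fee" and eight-day term in the review above diverge from the 36% APR and 60-day limits the stores require, the following added example (not from Lookout or the app) annualises the cost of a loan on the cash the borrower actually receives. The amounts are constructed: a one-third fee (the figure the New York Times reported) deducted up front and full repayment due in eight days, beside the listing-style terms the app advertises.

```python
from dataclasses import dataclass

# Store policy limits quoted in the report.
MAX_APR_PERCENT = 36.0
MIN_TERM_DAYS = 60


@dataclass
class LoanOffer:
    principal: float      # amount nominally borrowed
    upfront_fee: float    # "processing fee" deducted before disbursement
    repay_amount: float   # total the borrower must hand back
    term_days: int        # days until repayment is demanded

    def disbursed(self) -> float:
        """Cash the borrower actually receives."""
        return self.principal - self.upfront_fee

    def effective_apr(self) -> float:
        """Simple-interest APR measured on the disbursed amount, annualised over the term."""
        cost = self.repay_amount - self.disbursed()
        return cost / self.disbursed() * (365 / self.term_days) * 100

    def policy_violations(self) -> list:
        """Which of the two store limits the real terms break."""
        problems = []
        apr = self.effective_apr()
        if apr > MAX_APR_PERCENT:
            problems.append(f"APR {apr:.0f}% exceeds {MAX_APR_PERCENT:.0f}%")
        if self.term_days < MIN_TERM_DAYS:
            problems.append(f"term of {self.term_days} days is under {MIN_TERM_DAYS} days")
        return problems


# Constructed figures. ADVERTISED mirrors a policy-compliant listing (30% APR, 90 days);
# ACTUAL mirrors the reviews: one third kept as a fee, full principal due in 8 days,
# before any interest is even added.
ADVERTISED = LoanOffer(principal=10_000, upfront_fee=0,
                       repay_amount=10_000 * (1 + 0.30 * 90 / 365), term_days=90)
ACTUAL = LoanOffer(principal=10_000, upfront_fee=10_000 / 3,
                   repay_amount=10_000, term_days=8)

if __name__ == "__main__":
    for label, offer in (("advertised", ADVERTISED), ("actual", ACTUAL)):
        print(f"{label}: disbursed {offer.disbursed():.0f}, effective APR {offer.effective_apr():.0f}%,"
              f" violations: {offer.policy_violations() or 'none'}")
```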

Harass victims for repayment

Once the victim's information is exfiltrated by the app and the loan is disbursed, the collector begins cycles of harassment. Sometimes the loan operator waits until the repayment deadline has passed, but we've seen many complaints indicating that harassment occurs before payment is even due. This is where the exfiltrated contact list comes in: anyone in it, including people the victim never named in their loan application, may be contacted.

A common tactic is to disclose or threaten to disclose a borrower’s debt or other personal information to their networks of contacts, which often includes family members or friends.

Two Google Play reviews of the Indian Android app Flash Rupee reveal that the reviewers were told to pay up even before their loan terms were up, or else the operator would start harassing their phone contacts.

An App Store review for Trycash details harassment of the reviewer's contacts when their loan came due.

Mobile convenience is a double-edged sword

Mobile apps are a convenient way to interact with businesses, including financial institutions. However, when entrusting them with sensitive personal information it is extremely important to establish that this information is handled responsibly and not used against the user. Some of our most personal data such as text messages, call logs, photos, and videos can be exposed simply by granting a permission requested by the app. Before giving up a permission, users should ask themselves if it makes sense that the permission is needed for the app’s purpose and if they trust the business behind the app with the requested data.

In recent months, certain jurisdictions have started to crack down on loan scams — including Google pulling 2,000 apps from the Indian Play store, which is encouraging. However, in these loan scam schemes, the app only plays the role of luring in the user and collecting information. By itself, the code of the app is not obviously malicious — it is the overall business model that scams the user. This makes the task of identifying these apps challenging and we will likely continue to see them appear globally.

How to protect yourself from loan scams

  • Only apply for loans from established institutions: Before taking out a loan, research the organization that you’re interacting with. Consider the organization’s history, reputation, and registration with relevant national regulatory agencies.
  • Scrutinize the app’s permission requests: Before granting any app permissions, ask yourself whether it actually needs that data to function, especially when it seeks access to location, SMS, contacts and files.
  • Install apps from official sources: While malware has at times slipped into official app stores, they do actively vet their apps for anything malicious or suspicious.
  • Read reviews for the apps: Reviews, whether positive or negative, can give you insight into whether an app is safe for you to use.
  • Install dedicated mobile security: By having a dedicated mobile security solution like Lookout Mobile Endpoint Security for enterprises or Lookout Personal Digital Safety for individuals, you’ll be protected against the predatory apps we’ve uncovered along with other mobile threats.

Appendix

Download this PDF for a complete list of the apps Lookout discovered, and the indicators of compromise.

Authors

Ruohan Xiong

Senior Security Intelligence Researcher

Ruohan is a security researcher at Lookout whose work focuses on reverse engineering mobile malware and building threat detections. Prior to Lookout he worked with Citizen Lab, where his research focus was on censorship and information controls on social media platforms. Ruohan has also worked as a threat intelligence analyst at a telecommunications company. Ruohan graduated from the University of Toronto with a bachelor's degree in electrical and computer engineering.

Rono Dasgupta

Senior Security Intelligence Researcher

Rono is a security researcher at Lookout where he reverse engineers mobile malware. Prior to Lookout, he worked at NowSecure as a security analyst and researcher with a focus on automating Android and iOS vulnerability detection. Rono has an MS in Security Informatics from the Johns Hopkins University.

Alina Mambo

Security Intelligence Researcher

Alina is a security researcher at Lookout with a primary focus on reverse engineering mobile malware. Prior to Lookout, she worked as an enterprise software developer for an e-commerce agency. Alina graduated with a bachelor's degree in computer engineering from McGill University in 2018.

Discovered By: Lookout
Platform(s) Affected: iOS, Android
Entry Type: Threat Summary
Threat Type: Malware