  • Android and iOS apps with 15 million installs extort loan seekers

    alf9872000

    • 365 views
    • 3 minutes

    Over 280 Android and iOS apps on Google Play and the Apple App Store trapped users in loan schemes with misleading terms and employed various methods to extort and harass borrowers.

     

    To fuel the operation's extortion attempts, the apps stole excessive amounts of data from mobile phones, data that is not usually required to offer loans.

     

    In a new report by cybersecurity firm Lookout, researchers uncovered 251 Android and 35 iOS lending apps that were downloaded a combined total of 15 million times, mostly by users in India, Colombia, Mexico, Nigeria, Thailand, the Philippines, and Uganda.

     

    Lookout reported all of them to Google and Apple for removal, and all of them were successfully removed.

    Predatory loan apps

    These loan apps found great success in developing countries where people have limited financial opportunities and where reports of fraud are less likely to be prosecuted.

     

    When installed, the predatory loan apps asked users to grant risky permissions that enabled the threat actors to access sensitive information on the device, such as the contact list, SMS content, photos, media, etc.

     


    Risky permissions requested upon installation (Lookout)

     

    As soon as the permissions are given, the apps immediately begin to upload sensitive data from the device to their own servers.

     


    Data exfiltration requests (Lookout)

     

    If the user doesn’t approve these permission requests, the app will not allow them to submit loan requests.

     

    On first launch, once permissions are granted, the user is asked to fill out a KYC (Know Your Customer) form, which requests photographs of government ID cards, etc.

     


    KYC forms in the loan apps (Lookout)

     

    Next, the apps offer users deceptive or outright false loan terms so they are convinced to move forward.

     

    When the victims receive part of their loan, the interest rate terms change, or previously hidden fees emerge, sometimes reaching up to one-third of the total amount borrowed.

     

    Some users also report that the apps reduced the repayment period from a promised 180 days to only eight days, imposing hefty interest and penalty fees when overdue.

     


    Scammed user comments (Lookout)

     

    With most people surprised and unable or unwilling to repay the loans, the app operators begin to harass them using the data stolen in the first stage, contacting people from the device's contact list and disclosing the debt to family and friends.

     

    Some scammed users even report the lenders sent edited images stolen from the device to contacts, causing great distress.

    Apple and Google intervene

    Apple and Google allow micro-loan apps on their app stores but have stringent policies regulating their operation.

     

    The guidelines dictate that the minimum repayment period should be 60 days, and the maximum annual percentage rate of charge should be 36%.

     

    The above apps claimed terms that complied with these guidelines, but in practice, they followed a very different, much more aggressive approach, so the app stores removed them for term violations.

     

    Unfortunately, there need to be more checks to prevent the operators of these apps from re-submitting these types of apps to the app stores under different names, so users should be vigilant.

     

    If you're interested in using a mobile loan app, read user reviews first, research the lender's reputation, and carefully consider the permission requests upon installation.
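
For reviewers who want to check an Android app's permission requests before it is installed, the sketch below audits a manifest that has already been decoded to text (for example with apktool) and groups any requests for the data categories named above. It is an added example, not code from Lookout or the article; the mapping from those categories to Android permission strings is an assumption, and the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the data categories the article names to Android
# permission strings; the report's own permission list is not on this page.
RISKY = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_SMS": "SMS content",
    "android.permission.RECEIVE_SMS": "SMS content",
    "android.permission.READ_EXTERNAL_STORAGE": "photos and media",
    "android.permission.READ_MEDIA_IMAGES": "photos and media",
    "android.permission.READ_MEDIA_VIDEO": "photos and media",
}

# Constructed sample manifest in decoded text form, not from any real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.quickloan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Collect every permission name declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    # Both element names declare permission requests in a manifest.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms


def audit(manifest_xml):
    """Return {data category: [permissions]} for the risky requests found."""
    findings = {}
    for perm in sorted(requested_permissions(manifest_xml)):
        category = RISKY.get(perm)
        if category:
            findings.setdefault(category, []).append(perm)
    return findings


if __name__ == "__main__":
    for category, perms in audit(SAMPLE_MANIFEST).items():
        print(f"{category}: {', '.join(perms)}")
```

A lending app that requests all three categories warrants a closer look at why it needs them, since none is required to process a loan application.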

     