
A malicious app disguised as a financial management tool has been removed from the Google Play Store after being downloaded over 100,000 times. The app, Finance Simplified, was identified as belonging to the SpyLoan family, notorious for deceitful lending practices and data theft.
The app posed as a financial solution offering users appealing loan terms with minimal restrictions. However, once installed, it gained access to sensitive user data, including contact lists, call logs, text messages, photos, and location information.
This stolen data was used to blackmail users, especially those who failed to meet repayment terms.
While Google has implemented robust security measures, such as AI threat detection and real-time scanning, "Finance Simplified" circumvented these defenses.
It cleverly redirected users to an external website via a WebView to download a separate loan application file (APK) from an Amazon EC2 server.
A malicious domain injects JavaScript into the app to show a list of additional loan apps, and the app’s WebView “Upgrade Now” section allows for the dynamic injection of potentially harmful code in the background.
One of the apps, KreditApple, could surveil the user and capture images without authorization because it requested sensitive runtime permissions, including access to the camera, location, and external storage.
The app primarily targeted users in India, promoting seemingly legitimate loan options. Experts warn that while the app has been removed from the Play Store, it may still run in the background on previously affected devices, continuing to collect sensitive information.
To safeguard your data and minimize risks if you've installed such an app, cybersecurity experts recommend changing all passwords, enabling two-factor authentication (2FA), avoiding storing card details online, and using identity monitoring services.