Lookout found more than 280 microloan apps on the Google Play Store and App Store that extorted money from users.
In these applications, users could take out a loan, but in reality, the applications collected personal data from the phones of the victims, and then changed the interest rates and blackmailed the borrowers.Let me remind you that we also wrote that SharkBot and Vultur Trojans Spread through Some Apps on the Google Play Store, and also that Child helped to detect malware in the App Store and Google Play, downloaded over 2.4 million times.
Analysts say that they found 251 loan applications for Android and 35 for iOS in official stores. In total, they have been downloaded about 15 million times, and mainly target users from India, Colombia, Mexico, Nigeria, Thailand, the Philippines and Uganda.
It is noted that such loan applications have been very successful in developing countries, where people have limited financial resources, and reports of fraud are unlikely to be noticed.
When installed, such applications asked users for a lot of dangerous permissions, which allowed attackers to gain full access to confidential information on the victim’s device, including the contact list, the contents of SMS messages, photos, multimedia, and so on.
Once the required permissions were obtained, the applications would download this sensitive data from the victim’s device to their own servers. If the user did not provide the scammers with the necessary permissions, he could not send a request for a loan.
At the first launch, the user was also prompted to fill out a KYC (Know Your Customer) form, where they were asked for a photo of an identity card, document numbers, and so on.
According to the researchers, the applications showed the victims misleading or outright false loan conditions, by any means convincing the user to continue. As a result, when a person already received part of his loan, the interest rate suddenly changed or previously hidden fees arose, sometimes amounting to more than one third of the total loan amount.
Some of those affected also reported that the apps unexpectedly shortened the loan repayment period from the promised 180 days to just 8 days, while charging huge interest and penalties in case of delay.
Since most of the victims were not prepared for such drastic changes in conditions, they could not or refused to repay their loans. After that, the app operators began to blackmail and harass them using the data stolen in the first stage of the attack, for example, contacting people from the contact list, informing family members and friends about the debt.
Some users say that the scammers even sent edited images stolen from their devices to various contacts, which eventually caused major troubles (for example, the so-called sextortion).
It must be said that Apple and Google allow micro-loan apps in their official stores, but the companies have strict rules governing their operation. Thus, the minimum loan repayment period should be 60 days, and the maximum annual interest rate is limited to 36%.
The apps discovered by the researchers claimed to follow these recommendations, but in practice they did not follow them at all, therefore, all of them are currently removed from the Google Play Store and the App Store.
