Warning: Malware posing as a financial app on Google Play

The malicious app SpyLend on Android has been downloaded over 100,000 times from Google Play. Initially, this app posed as a financial tool, but in reality, it was a loan sharking platform targeting people in need of loans.
Details
This app is part of a group of Android malware called "SpyLoan", which pretends to be legitimate financial tools or loan services but actually steals data from devices to facilitate fraudulent lending activities.
These apps attract users with promises of quick, easy loans with minimal paperwork and attractive terms. However, once installed, they demand excessive permissions, allowing them to steal contacts, call logs, SMS messages, photos, device location, and other personal information.
The collected data is then exploited to harass, extort, and threaten users, especially if they cannot repay the loans under the terms set by the app.
Discovered App
The cybersecurity company CYFIRMA discovered an app called "Finance Simplified", which claimed to be a financial management tool but was actually a spyware app and has attracted 100,000 downloads on Google Play.

According to CYFIRMA, this app steals user data to facilitate fraudulent lending activities. Researchers also discovered other variants of this malware, including KreditApple, PokketMe, and StashFur.
Although the app has been removed from Google Play, it can still run in the background on infected devices and collect sensitive information.
Scam and Extortion Tactics
Many user reviews on Google Play have accused this app of being an illegal lending service that uses extortion tactics to force borrowers to pay high interest rates.
One user stated:
"This app is terrible, lending small amounts but threatening to edit my photos into pornographic content to extort me if I don't pay high interest."
Additionally, these apps claim to be legitimate financial companies (NBFC - Non-Banking Financial Companies), but according to CYFIRMA, this claim is false.
Techniques to Evade Google Play Detection
To avoid detection by Google Play, Finance Simplified uses WebView to redirect users to an external website, where they download an APK file containing spyware, hosted on Amazon EC2 servers.
According to CYFIRMA:
This app only shows a deceptive interface to users in India, proving it is targeting a specific region.
If the device is located in India, the app will display fake loan services.
If the device is elsewhere, the interface shows no signs of malicious behavior.
The biggest concern with SpyLend is its ability to collect sensitive personal data from users, including:
🚨 Contacts, call logs, SMS messages, device information.
🚨 Photos, videos, documents from internal and external storage.
🚨 Real-time location tracking (updated every 3 seconds), location history, IP address.
🚨 Clipboard history.
🚨 Loan history and bank transaction messages.
This data is mainly used to extort victims who have borrowed money, but it can also be exploited for financial fraud or sold to cybercriminals.
Response from Google
On February 25, Google issued a statement:
"The app has been removed from Google Play. Android users are automatically protected from known malware versions through Google Play Protect. Google Play Protect can warn or block apps with malicious signs, even if they are downloaded from external sources."
Recommendations
FPT Threat Intelligence offers the following recommendations:
If you suspect your device is infected with this malware, uninstall the app immediately, reset access permissions, change your bank account passwords, and scan your device with security tools.
Always keep Google Play Protect enabled to detect and block malicious apps.
Carefully review the permissions requested by apps during installation. Limit unnecessary permissions (for example, a financial app should not request access to contacts, photos, or messages). Revoke access for apps you no longer use.
Regularly back up data to Google Drive, iCloud, or an external hard drive. Encrypt important data to prevent theft.
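The permission review recommended above can be scripted. The following is an added example, not code from CYFIRMA or FPT Threat Intelligence: it parses the text of `adb shell dumpsys package <package>`, maps the requested permissions to the data categories listed in this article, and builds `pm revoke` commands for those currently granted. The package name com.example.loanapp and the sample output are constructed, and the script assumes the usual "android.permission.NAME: granted=true" line layout.

```python
import re

# Runtime permissions grouped by the data categories the article lists.
SENSITIVE = {
    "contacts": {"READ_CONTACTS"},
    "call logs": {"READ_CALL_LOG"},
    "SMS": {"READ_SMS", "RECEIVE_SMS"},
    "photos/videos": {"READ_EXTERNAL_STORAGE", "READ_MEDIA_IMAGES", "READ_MEDIA_VIDEO"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "ACCESS_BACKGROUND_LOCATION"},
}
PERM_RE = re.compile(r"^[ \t]*android\.permission\.(\w+)(?::\s*granted=(true|false))?", re.M)

# Constructed sample, shaped like `adb shell dumpsys package <pkg>` output (assumed layout).
SAMPLE = """\
  Package [com.example.loanapp] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.READ_CALL_LOG
      android.permission.READ_SMS
      android.permission.ACCESS_FINE_LOCATION
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
"""

def parse_permissions(text):
    """Return {name: True/False/None}; None means requested, grant state not shown."""
    perms = {}
    for m in PERM_RE.finditer(text):
        name, granted = m.groups()
        if granted is None:
            perms.setdefault(name, None)
        else:  # a grant shown anywhere in the dump counts as granted
            perms[name] = granted == "true" or perms.get(name) is True
    return perms

def audit(text):
    """Map each sensitive data category to the matching permissions the app requests."""
    perms = parse_permissions(text)
    report = {cat: {n: perms[n] for n in sorted(names) if n in perms}
              for cat, names in SENSITIVE.items()}
    return {cat: hits for cat, hits in report.items() if hits}

def revoke_commands(package, report):
    """Build `pm revoke` commands for every reported permission that is granted."""
    return [f"adb shell pm revoke {package} android.permission.{n}"
            for hits in report.values() for n, ok in hits.items() if ok]
```

A finance app whose report covers contacts, call logs, SMS and location at the same time matches the over-permissioned pattern described in this article and is a candidate for removal, not just revocation.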
References
SPYLEND: The Android App Available on Google Play Store: Enabling Financial Cyber Crime & Extortion - https://www.cyfirma.com/research/spylend-the-android-app-available-on-google-play-store-enabling-financial-cyber-crime-extortion/
SpyLend Android malware downloaded 100,000 times from Google Play - https://www.bleepingcomputer.com/news/security/spylend-android-malware-downloaded-100-000-times-from-google-play/






