Security researchers found 18 deceptive Android loan apps that disguised themselves as genuine personal loan services. Google has removed 17 of these apps, which targeted users in India and other countries, from its platform.

According to the report by ESET Research, these apps had more than 12 million downloads globally from Google Play before their removal.

Such deceptive Android loan apps are called ‘SpyLoan apps’.

“These malicious applications exploit the trust that users place in legitimate loan providers, using sophisticated techniques to deceive people and steal a very wide range of personal information,” said ESET researcher Lukas Stefanko, who uncovered many of the SpyLoan apps.

According to the report, the originators of these apps, who blackmail and harass their victims, even with death threats, operate mainly in Mexico, Indonesia, Thailand, Vietnam, India, Pakistan, Colombia, Peru, the Philippines, Egypt, Kenya, Nigeria, and Singapore.

Other than data harvesting and blackmail, these services present a form of modern-day digital usury, which refers to the charging of excessive interest rates on loans, taking advantage of vulnerable individuals.

The total annual cost (TAC) of such loans, according to victims of these applications, is significantly more than stated, and the loan period is much shorter than stated.

In some cases, borrowers were pressured to pay off their loans in five days, instead of the stated 91 days, and the TAC of a loan was anywhere between 160 percent and 340 percent, the report mentioned.

The researchers have traced the origins of the SpyLoan scheme back to 2020.

When a SpyLoan app is installed, the user is required to agree to the terms of service and grant extensive permissions to access sensitive data saved on the device.

According to the privacy policies of these apps, if those permissions are not granted, the loan will not be provided. To complete the loan application process, users are also compelled to provide extensive personal information, the report noted.