{"id":28593,"date":"2024-12-04T12:52:00","date_gmt":"2024-12-04T12:52:00","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=28593"},"modified":"2024-12-04T12:52:00","modified_gmt":"2024-12-04T12:52:00","slug":"spyloan-malware-google-play-store","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/spyloan-malware-google-play-store\/","title":{"rendered":"SpyLoan Virus Found in Loan Apps on Google Play Store"},"content":{"rendered":"

Experts reported the discovery of a new set of 15 malicious mobile apps in the Google Play store<\/strong> that contain the SpyLoan Android malware inside. In total, these apps have been downloaded and installed by users more than 8 million times, potentially leading to huge money losses.<\/p>\n

8 Million Android Users Hit by SpyLoan Malware in Loan Apps on Google Play<\/h2>\n

Researchers have found a series of malicious apps<\/a> on the Google Play Store. Collectively, these programs have been installed over 8 million times<\/strong>. These apps pose as quick-loan services, exploiting users\u2019 need for money under the guise of financial assistance. Instead of what they state, these fake loan apps collect sensitive data and further intimidate victims.<\/p>\n

The malware identified in the majority of these samples is SpyLoan<\/strong>. Initially detected in 2020, it has resurfaced with updated tactics, with another noteworthy appearance in 2023. It now targets users in countries such as Mexico, Colombia, Thailand, and Tanzania.<\/p>\n

\"SpyLoan
Examples of SpyLoan apps recently distributed on Google Play (source: McAfee)<\/figcaption><\/figure>\n

As the name implies, SpyLoan mainly hides under the guise of loan-related apps. Its goal is to \u0441ollect sensitive user data, exploit permissions to access phone features and coerce users through intimidation or extortion. The user may get the loan, but will also get phishing phone calls, SMS messages and emails, all with the potential of financial damage and psychological abuse.<\/p>\n

How the Malware Operates<\/h2>\n

SpyLoan malware operates by tricking users into sharing personal and financial information. The apps use social engineering tactics<\/a> to request extensive permissions, such as access to contacts, call logs, SMS, and device location.<\/p>\n

Although these permissions are justified as part of anti-fraud measures, in reality, they enable the malware to harvest data from the device. Once collected, the data is encrypted using AES-128 and sent to a command server. This encryption stage, although employing a pretty weak algorithm, makes it hard to parse the data transfer and recognize it as malicious.<\/p>\n

Victims are lured into these apps with promises of fast and easy loans, targeting regions such as Mexico, Colombia, Thailand, and Tanzania. However, instead of providing legitimate financial services, users see high interest rates and huge penalties<\/strong> for payment delays.<\/p>\n

Moreover, cybercriminals start threatening victims with time<\/strong>; threats involving their personal data and photos, most likely stolen through the SpyLoan functionality. This malicious cycle traps users in debt while violating their privacy. The malicious apps, targeting regions across South America, Africa, and Southeast Asia, include:<\/p>\n