Almost 300 predatory loan apps found in Google and Apple stores
Note to self: Lenders don’t need the contact list on your mobile device
Almost 300 apps, downloaded by around 15 million users, have been pulled from the Google Play and Apple App stores over claims they promised quick loans at reasonable rates but then used extortion and other predatory schemes against borrowers.
The loans came with hidden fees and high interest rates that drove up the payments, and the apps asked for access to sensitive information on borrowers' mobile devices. This included SMS messages, photos, call history and contact lists, which were then used against victims, according to researchers with cybersecurity vendor Lookout.
In some instances, the data exfiltrated from the device was used to extort borrowers by threatening to disclose the data or information about the debt to their contacts, the researchers wrote in a report.
In total, more than 251 Android apps were found in the Google Play souk – and collectively, downloaded more than 15 million times – and 35 iOS apps in the Apple Store that were found to be among the top 100 financial apps in regional stores.
Lookout contacted Google and Apple about the apps and said Wednesday that none of them were still available for download.
"What's been identified is a tiny drop in the bucket overall," Chris Clements, vice president of solutions architecture for Cerberus Sentinel, told The Register, adding that "anything over zero shouldn't be acceptable."
There were almost 4 million apps in the Apple Store and more than 2.6 million in Google Play, according to Statista –
Such predatory lending apps have been a problem before. As we reported earlier this month, India's Home Ministry instructed state governments to come down hard on illegal lending apps that it said led to multiple suicides by borrowers who had been harassed and blackmailed for repayments.
In the first half of the year, Google reportedly removed 2,000 loan apps from its Play Store in India.
Lookout researchers wrote in their report that there were likely dozens of independent operators behind the apps, with only some of them sharing code bases. However, all the apps followed a similar pattern in tricking victims into unfair loan terms and then threatening borrowers for repayments.
They couldn't tell where the scammers were from, but the apps targeted users in developing regions, including Africa, Southeast Asia, India, Colombia, and Mexico. Such countries tend to have looser financial regulations and a lack of enforcement, as well as people with lower incomes and easy access to mobile apps.
"The focus on developing countries may also explain why we found more loan scam apps on Android than on iOS," the researchers wrote. "Outside the US, Android is much more popular, with more than 70 percent of the market, partly because of the availability of extremely low-cost Android devices."
After users downloaded the app, they were required to give information typical for such a loan, like name, address, and employment history. However, they were also told to grant the app permissions to data on the device. Many of the apps began exfiltrating contact information as soon as those permissions were granted.
The victims would receive some of the loan they applied for – unlike similar scams – but it would come with fees that amounted to up to a third of the amount borrowed. After that, extremely high interest rates were applied and the borrowers were told to repay the loan within days, much of which was contrary to the lending details the loan app promised.
"This approach has the advantage of a veil of legitimacy where the perpetrators can hide behind complex and unethical contract terms," Clements said. "This potentially offsets liability, both from potentially convincing victims that the scam is perfectly legal, as well as from authorities who would react very differently from more traditional forms of online fraud."
While a loan app scam can be time- and resource-consuming, "the payoff is more significant with extorting the victims," James McQuiggan, security awareness advocate at KnowBe4, told The Register.
"Similar to the business world, cybercriminals will invest in something if it has a high return for them. With the high-interest rates and extorting the victims, they no doubt wanted to make their money back with the first dozen victims, and then the money started rolling in for them after that." ®