Rogue Loan App with 12M Downloads Blackmailed Users

Google has removed more than a dozen Android apps which offered loans to desperate users, but were actually a scam involving fraud and blackmail. As usual with such removals, it only affects the Play Store and the apps are not automatically deleted from phones.

The 18 apps in question have been collectively dubbed SpyLoan, and have more than 12 million combined downloads from Google Play this year. They were listed in a variety of language with English variants including Cashwow, 4S Cash and EasyCash.

The main target audience appears to be people in countries with a large population and a wide range of economic prosperity such as India, Mexico and Thailand. The apps offer personal loans with high rates of interest but imply relaxed approval processes.

'Repayment' Blackmail

Once the app is installed and the supposed loan "approved", the scammers take advantage of a host of phone permissions to collect personal data. They then demand the user start make repayments at a rapidly accelerated schedule, even before receiving the loan (which of course never arrives).

The scammers then blackmail the users into making the supposed repayments by threatening to expose the personal data. This includes both information scraped from the victim's phone and sensitive information provided in the "loan application" including full name, address and bank account details. (Source: thehackernews.com)

While the app is obviously a scam when described this way, the creators have taken steps to make the various elements plausible both to users and Google. For example, it asks for permission to access the camera and photo uploads for a government-mandated identity check. It also asks to access the calendar app to provide scheduled payment reminders. (Source: bleepingcomputer.com)

Apps Withdrawn

The apps have raised serious questions about Google's app verification process for the Google Play store. On paper they appear to comply with rules such as having a privacy policy, but it appears they often link to bogus websites set up to resemble those of legitimate financial companies.

Google has now withdrawn 17 of the 18 apps from the Play Store following a report by security company ESET. The one remaining app is still in the store but with different functions and permission requests, meaning it's no longer officially classed as a SpyLoan variant.

As is its policy, Google won't forcefully remove the apps from devices where they are already installed by the user. Instead, users will have to remove the apps themselves, assuming they read about the threat in media reports.

What's Your Opinion?

Do you take extra care when choosing and using financial steps? Is it practical for Google to do more to vet apps before adding them to the Play Store? Should Google automatically delete apps from phones when it removes them from the Play Store?