Cyfirma analysts have discovered that Android malware called SpyLend infiltrated the official Google Play store and was downloaded more than 100,000 times. The malware was disguised as a financial tool and was used in India to issue loans under the SpyLoan scheme.

SpyLoan-type malware usually disguises itself as legitimate financial tools or lending services that offer users loans with quick approval, but the terms of such loans are often very deceptive or simply false. The apps also steal data from victims' devices in order to later use it for blackmail and so-called "predatory lending".
In addition, SpyLoan apps always request excessive privileges on the device, including permission to use the camera (supposedly to upload KYC photos) and access to the calendar, contacts, SMS, location, sensor data, and so on. As a result, the operators of such apps can steal sensitive data from the device and use it for blackmail, for example, to force the victim to pay.
Researchers from Cyfirma discovered the Finance Simplified app in the official store. It has been downloaded more than 100,000 times and is supposedly a tool for managing finances.
According to the experts, in some countries (for example, in India, as mentioned above), the app exhibits malicious behavior and steals data from users' devices. In addition, other malicious APKs were discovered that appear to be variations of the same malware campaign: KreditApple, PokketMe, and StashFur.
Although the app has already been removed from Google Play, it can continue to run in the background, collecting sensitive information from infected devices, including:
- contacts, call logs, SMS messages and device data;
- photos, videos and documents from internal and external storage;
- the victim's real-time location (updated every 3 seconds), location history and IP address;
- the last 20 text entries copied to the clipboard;
- credit history and SMS messages about banking transactions.

While the data listed above was primarily used to extort money from people who took the risk of taking out a loan through Finance Simplified, it can also be used for financial fraud or resold to cybercriminals.
To avoid detection on Google Play, Finance Simplified used a WebView to redirect users to an external site, from which they downloaded the loan app APK hosted on Amazon EC2. However, it is noted that the app only proceeded to download the additional APK if the user was located in India. @ xakep.ru
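A permission-triage sketch for the pattern described above, added here as an example and not taken from Cyfirma's report or the article: it reads a decoded AndroidManifest.xml (assumed to be already converted from its binary form, for example with apktool) and counts how many of the data categories named above an app can reach. The category map, the threshold of 5 and the sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Data categories named in the article, mapped to Android platform permissions.
CATEGORIES = {
    "camera": {"CAMERA"},
    "calendar": {"READ_CALENDAR", "WRITE_CALENDAR"},
    "contacts": {"READ_CONTACTS"},
    "sms": {"READ_SMS", "RECEIVE_SMS"},
    "call_log": {"READ_CALL_LOG"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
                 "ACCESS_BACKGROUND_LOCATION"},
    "sensors": {"BODY_SENSORS", "ACTIVITY_RECOGNITION"},
    "storage": {"READ_EXTERNAL_STORAGE", "MANAGE_EXTERNAL_STORAGE",
                "READ_MEDIA_IMAGES", "READ_MEDIA_VIDEO"},
}
THRESHOLD = 5  # assumption: categories needed before a finance app is escalated

def requested_permissions(manifest_xml):
    """Return short names of android.permission.* entries in a decoded manifest."""
    root = ET.fromstring(manifest_xml.strip())
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            if name.startswith("android.permission."):
                perms.add(name.rsplit(".", 1)[1])
    return perms

def triage(manifest_xml, threshold=THRESHOLD):
    """Group requested permissions by data category and flag broad collectors."""
    perms = requested_permissions(manifest_xml)
    evidence = {c: sorted(perms & p) for c, p in CATEGORIES.items() if perms & p}
    return {"categories": sorted(evidence), "evidence": evidence,
            "flag": len(evidence) >= threshold}

def _sample(*perms):
    """Build a constructed manifest; package name and permissions are made up."""
    uses = "".join(f'<uses-permission android:name="android.permission.{p}"/>'
                   for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.sample">{uses}<application/></manifest>')

SAMPLE_LOAN = _sample("INTERNET", "CAMERA", "READ_CALENDAR", "READ_CONTACTS", "READ_SMS",
                      "READ_CALL_LOG", "ACCESS_FINE_LOCATION", "READ_EXTERNAL_STORAGE")
SAMPLE_BUDGET = _sample("INTERNET", "CAMERA")
```

A flag here is a reason to review the app's stated purpose against what it can read, not a verdict: legitimate apps can also cross the threshold.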
