Popular Android financial help app is actually dangerous malware

(Image credit: Shutterstock / ImYanis)

Researchers found a predatory loans app hiding as a financial management application
Android app apeared to exclusively target Indian users
It was removed from the Play Store

Cybersecurity researchers have found a SpyLoan app in Google Play targeting Indian consumers with some 100,000 downloads, before being pulled from the app store.

Predatory loan apps have a simple modus operandi: they advertise as quick and easy loan apps, offering fast loans with little to no paperwork. When the victim installs the app, though, it demands excessive permissions, accessing people’s messages and call logs, contacts, photos, and more.

After taking a loan, the app then asks for high interest rates, starts harassing the victim, and threatens to release sensitive photos (sometimes even fake, edited photos, too).

Bypassing security mechanisms with WebView

In this case, cybersecurity researchers from CYFIRMA found an app called Finance Simplified, which allegedly had 100,000 downloads on Google Play before being pulled down. This app pretended to be a financial management application, and while it worked more-or-less as intended around the world, it behaved differently for users located in India.

Before the app was pulled, BleepingComputer managed to read some of the reviews. "Very very very bad app they given low loan amount nd black mail to pay High otherwise photoes edited as a nude nd black mailing," one review read. CYFIRMA also said the app was advertised as a registered non-banking financial company, which was an outright lie.

Google is usually quite good at spotting malware in its repository, which begs the question - how did Finance Simplified make it through? Apparently, it loaded a WebView to redirect users to an external website, from where they downloaded a loan app APK hosted on an Amazon EC2 server.

"The Finance Simplified app appears to target Indian users specifically by displaying and recommending loan applications, loading a WebView that shows a loan service that redirects to an external website where a separate loan APK file is downloaded," CYFIRMA said.

After the news broke, a Google spokesperson said the app was removed from Google Play, and added that Android users are “automatically protected” against known versions of this malware by Google Play Protect. “Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play,” the spokesperson told BleepingComputer.

These dangerous Android malware apps have been installed millions of times
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.