Over 280 Android and iOS apps on Google Play and the Apple App Store trapped users in loan schemes with misleading terms and employed various methods to extort and harass borrowers.
To fuel the operation’s extortion attempts, the apps stole excessive amounts of data from mobile phones not usually required to offer loans.
In a new report by cybersecurity firm Lookout, researchers uncovered 251 Android and 35 iOS lending apps that were downloaded a combined total of 15 million times, mostly by users in India, Colombia, Mexico, Nigeria, Thailand, the Philippines, and Uganda.
Lookout reported all of them to Google and Apple for removal, and all of them have since been taken down.
Predatory loan apps
These loan apps found great success in developing countries where people have limited financial opportunities and where reports of fraud are less likely to be prosecuted.
When installed, the predatory loan apps requested users grant risky permissions that enabled the threat actors to access sensitive information on the device, such as the contact list, SMS content, photos, media, etc.
Risky permissions requested upon installation (Lookout)
As soon as the permissions are given, the apps immediately begin to upload sensitive data from the device to their own servers.
Data exfiltration requests (Lookout)
If the user doesn’t approve these permission requests, the app will not allow them to submit loan requests.
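The permission pattern described above (contacts, SMS, photos and media, none of which a lender needs) is easy to spot in an app's manifest before installation. The following is an added example, not Lookout's tooling: it parses an AndroidManifest.xml, groups the requested permissions by the data class they expose, and runs on a constructed manifest modelled on what the report describes.

```python
"""Triage an Android manifest for permissions a lending app has no business
requesting.  Added example with a constructed sample manifest; the data-class
labels and the permission grouping are our own, not Lookout's."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions grouped by the sensitive data class they unlock.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_SMS": "SMS content",
    "android.permission.RECEIVE_SMS": "SMS content",
    "android.permission.READ_EXTERNAL_STORAGE": "photos/media",
    "android.permission.READ_MEDIA_IMAGES": "photos/media",
    "android.permission.READ_CALL_LOG": "call log",
}

def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> in document order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]

def triage(manifest_xml: str) -> dict[str, list[str]]:
    """Map each exposed data class to the permissions that grant it;
    an empty dict means nothing beyond ordinary app permissions was asked for."""
    exposed: dict[str, list[str]] = {}
    for perm in requested_permissions(manifest_xml):
        if perm in SENSITIVE:
            exposed.setdefault(SENSITIVE[perm], []).append(perm)
    return exposed

# Constructed manifest in the shape the report describes: a loan app asking
# for far more than a lender needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

if __name__ == "__main__":
    for data_class, perms in triage(SAMPLE_MANIFEST).items():
        print(f"{data_class}: {', '.join(perms)}")
```

The same check works on a manifest pulled from an APK with a tool such as apktool or aapt, once the binary XML has been decoded to text.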
On the first launch, once the permissions are granted, the user is asked to fill out a KYC (Know Your Customer) form, which requests photographs of government ID cards and similar documents.
KYC forms in the loan apps (Lookout)
Next, the apps offer users deceptive or outright false loan terms so they are convinced to move forward.
When the victims receive part of their loan, the interest rate terms change, or previously hidden fees emerge, sometimes reaching up to one-third of the total amount borrowed.
Some users also report that the apps reduced the repayment period from a promised 180 days to only eight days, imposing hefty interest and penalty fees when overdue.
Scammed user comments (Lookout)
With most people surprised and unable or unwilling to repay the loans, the app operators begin to harass them using the data stolen in the first stage, contacting people from the device's contact list and disclosing the debt to family and friends.
Some scammed users even report the lenders sent edited images stolen from the device to contacts, causing great distress.
Apple and Google intervene
Apple and Google allow micro-loan apps on their app stores but have stringent policies regulating their operation.
The guidelines dictate that the minimum repayment period should be 60 days, and the maximum annual percentage rate of charge should be 36%.
The above apps claimed terms that complied with these guidelines, but in practice they followed a very different, much more aggressive approach, so the app stores removed them for violating their terms.
Unfortunately, there are not enough checks to prevent the operators of these apps from resubmitting them to the app stores under different names, so users should be vigilant.
If you’re interested in using a mobile loan app, read user reviews first, research the lender’s reputation, and carefully consider the permission requests upon installation.