More than 280 Android and iOS apps on Google Play and Apple app stores tricked users into loan schemes with misleading terms and used various methods to extort and harass borrowers.

To fuel the operation’s extortion attempts, the apps stole excessive amounts of data from mobile phones that are not usually required to offer loans.

In a new report from cybersecurity firm Lookout, researchers identified 251 Android and 35 iOS lending apps that were downloaded a total of 15 million times, mostly by users in India, Colombia, Mexico, Nigeria, Thailand, the Philippines and Uganda.

Lookout reported them all to Google and Apple, and all of them have since been removed from the two app stores.

Predatory lending applications

These loan apps have seen great success in developing countries where people have limited financial opportunities and reports of fraud are less likely to be prosecuted.

Once installed, the predatory loan apps asked users to grant risky permissions that allowed the threat actors to access sensitive information on the device, such as the contact list, SMS content, photos and other media.

Risky permissions requested during installation (Lookout)

As soon as the permissions are granted, the apps immediately start uploading sensitive data from the device to their own servers.

Data exfiltration requests (Lookout)

If the user does not approve these permission requests, the app will not allow them to submit loan requests.

On first launch, once the permissions are granted, the user is prompted to complete a KYC (Know Your Customer) form, which requests photographs of government ID cards and other personal documents.

KYC forms in loan applications (Lookout)

The apps then present users with deceptive or outright false loan terms to convince them to go ahead.

When victims receive part of their loan, interest rate terms change or previously hidden fees appear, sometimes reaching up to a third of the total amount borrowed.

Some users also report that the apps reduced the promised 180-day repayment period to just eight days, imposing high interest and penalties for late payment.

Fraudulent user reviews (Lookout)

With most victims caught by surprise and unable or unwilling to repay the loans, the app operators begin harassing them using the data stolen in the first stage, contacting the people in the device's contact list and disclosing the debt to family and friends.

Some scammed users even report that the lenders sent altered versions of images stolen from the device to their contacts, causing great distress.

Apple and Google step in

Apple and Google allow micro-lending apps on their app stores, but have strict policies governing how they operate.

The guidelines state that the minimum repayment period should be 60 days and the maximum annual percentage rate should be 36%.

The apps above advertised terms that complied with these guidelines, but in practice they took a very different and far more aggressive approach, so the app stores removed them for violating the policies.

Unfortunately, there are too few controls in place to stop the operators of these apps from resubmitting the same kinds of apps to the app stores under different names, so users need to stay vigilant.

If you want to use a mobile lending app, read user reviews first, research the reputation of the lender, and carefully consider permission requests during installation.