Deceptive loan apps are stealing data from millions

6 Dec 2023

Image: © Bro Vector/

ESET Research claims various apps are offering loan services in order to steal data, which is then used to harass and blackmail victims into giving funds.

A new report claims there has been an “alarming” rise in apps that present themselves as personal loan services, but are actually used to collect personal and financial data from victims.

The report from ESET Research claims these apps use the stolen data to blackmail their victims and steal funds as a result, while promising quick and easy access to loan services.

The report shows the number of deceptive loan apps has been growing across unofficial third-party app stores, Google Play and on various websites since the beginning of 2023. The researchers refer to these types of apps as ‘SpyLoan’, due to their combination of spyware and their claims of offering loans.

ESET said it identified 18 SpyLoan apps and reported them to Google, which removed 17 from their platform.

“Before their removal, these apps had a total of more than 12m downloads from Google Play,” the report said. “None of these services provide an option to request a loan using a website, since through a browser the extortionists can’t access all sensitive user data that is stored on a smartphone and is needed for blackmailing.”

The victims of these particular apps are located in various regions including Mexico, Southern America, India and parts of Asia.

“At the time of writing, we haven’t seen an active campaign targeting European countries, the USA, or Canada,” ESET Research said.

Harassing victims

ESET claims the criminals behind these apps lure their victims by promoting the malicious apps with SMS messages and on “popular social media channels” such as X, Facebook and YouTube. After a user accepts the terms of service, the app stealthily extracts sensitive data from the user’s device.

The stolen data includes accounts, call logs, calendar events, device information, lists of installed apps, network information, contact lists, location data and SMS messages. This data is all sent back to command and control servers of the perpetrators, who then use it to harass and blackmail victims into making payments.

ESET said that even users that didn’t apply for a loan or weren’t approved for a loan were still harassed and blackmailed by these deceptive loan apps, according to some reviews seen by the researchers.

“As SpyLoan apps evolved, their malicious code became more sophisticated,” the report said. “In earlier versions, the malware’s harmful functionality wasn’t hidden or protected.

“However, later versions incorporated some more advanced techniques like code obfuscation, encrypted strings and encrypted [command and control] communication to hide their malicious activities.”

Recently, a report from the US Federal Trade Commission claimed scammers on social media platforms have stolen $2.7bn from people in the US since 2021, which was more than “any other contact method”.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic