Researchers at Lookout have discovered close to 300 mobile loan applications on Google Play and the Apple App Store that exhibit predatory behavior such as exfiltrating excessive user data from mobile devices and harassing borrowers for repayment.
These apps, which were found in Southeast Asian and African countries, as well as India, Colombia, and Mexico, purportedly offer quick, fully-digital loan approvals with reasonable loan terms. In reality, they exploit victims’ desire for quick cash to ensnare borrowers into predatory loan contracts and require them to grant access to sensitive information such as contacts and SMS messages.
In addition to predatory requests for excessive permissions, many of the loan operators display scam-like actions. A number of users have reported that their loans come with hidden fees, high interest rates, and repayment terms that are much less favorable than what is posted on the app stores. We also found evidence that the data exfiltrated from devices are sometimes used to pressure for repayment, either by harassing the customers themselves or their contacts.
In total, we uncovered 251 Android apps on the Google Play store with over 15 million collective downloads. We also identified 35 apps on the Apple App Store that were in the top 100 finance apps in their regional stores. Lookout has been in contact with Google and Apple about these apps and at the time of publishing, none of them are available for download.
Based on our analysis, there are likely dozens of independent operators involved, as we only found shared code bases between small batches of apps. With that said, all the apps have a very similar business model, which is to trick victims into unfair loan terms and threaten them to pay.
High concentration of loan scams in developing countries
All the predatory loan apps were found in developing countries. Specifically, we identified apps targeting users in Colombia, India, Indonesia, Kenya, Mexico, Nigeria, the Philippines, Thailand, and Uganda. While we don’t have evidence of where the scam operators reside, it's clear that these regions were identified to be lucrative.
Based on the low review scores of most of the apps, the loan operators don't seem to be afraid of getting caught and find the reputation of the individual apps to be disposable. This may partially be the result of looser financial regulations or lack of enforcement.
Another factor that these apps are found in developing countries may be the relative ease of access to mobile apps compared to traditional financial services, especially for those that have a lower income. In one instance reported by TechCrunch, a victim decided to use a loan app because their income doesn’t qualify them for a traditional loan. According to the World Bank, 1.4 billion people globally don’t have a bank account, while only 800 million don’t have access to a mobile phone. In the Philippines, for example, only 51% of the population has a bank account compared to 92% that has access to a mobile device.
The focus on developing countries may also explain why we found more loan scam apps on Android than on iOS. Outside the U.S. Android is much more popular, with more than 70% of the market, partly because of the availability of extremely low-cost Android devices.
How do loan scam apps work?
The loan scam apps on both Android and iOS rely on users to provide personal information as part of the loan application process. However, they also require the user to grant permissions to access information on the device that clearly go beyond what a typical loan application would require.
Here’s a breakdown of the “modus operandi” of these predatory loan apps.
Filling out the loan application
The scam starts out quite innocuous, with the user downloading the app from Google Play or the App Store. They are then prompted to fill out an application, which asks for the applicant’s name, address, employment history, education, and banking information — all the typical data that a legitimate institution would request.
Most of the apps also ask for something that has become quite common: ID verification with a video selfie. While this is a process that many legitimate apps also use, we assess that the loan scam apps expose users to significantly higher risks.
Requiring excess app permissions
In addition to the data that users voluntarily fill in as part of the application process, the apps also request an extensive list of device permissions, such as call logs, SMS, installed apps, photos, and contact lists — this last one is key to the harassment campaign that would come later.
To coerce victims into providing these, the apps won’t allow the user to proceed if any of the requests are denied. The operators are actually quite forthcoming about what they ask for and itemize them in the terms and conditions. But upon closer examination, these polices don’t add up.
In our analysis of network traffic, we observe that many of the apps will begin exfiltrating contact information as soon as the permissions are given. On Android, some apps will also exfiltrate SMS. Contacts, phone history, and SMS messages are particularly desirable to the scam operators as they can be used to publicly shame the victims into repayment. These collection practices are described below.
Bait and switch: predatory loan terms
Unlike other common scam schemes, the would-be victims do receive some amount of the loan they apply for — but with huge penalties. Large amounts of fees, as much as one third of the total amount borrowed, according to the New York Times, would be subtracted from the loan distribution. After that, exorbitant interest rates kicks in and the victim would be asked to repay within a matter of days.
Both the Apple App Store and Google Play Store platforms have specific guidelines on acceptable personal loan apps, including a maximum APR of 36% as well as a minimum loan repayment term of greater than 60 days. While all of the loan app listings we encountered are in compliance with app store policies — according to user reviews, social media posts, and reporting by journalists — the terms that are actually paid out are completely different.
Harass victims for repayment
Once the victim’s information is exfiltrated by the app and the loan is distributed, the collector then begins cycles of harassment. Sometimes the loan operator would wait until the repayment deadline has passed, but we’ve seen many complaints indicating that harassment occurs before payment is required. This is where the exfiltrated contact information comes in, where anyone, including those that the victim didn’t include in their loan application, would be contacted.
A common tactic is to disclose or threaten to disclose a borrower’s debt or other personal information to their networks of contacts, which often includes family members or friends.
Mobile convenience is a double-edged sword
Mobile apps are a convenient way to interact with businesses, including financial institutions. However, when entrusting them with sensitive personal information it is extremely important to establish that this information is handled responsibly and not used against the user. Some of our most personal data such as text messages, call logs, photos, and videos can be exposed simply by granting a permission requested by the app. Before giving up a permission, users should ask themselves if it makes sense that the permission is needed for the app’s purpose and if they trust the business behind the app with the requested data.
In recent months, certain jurisdictions have started to crack down on loan scams — including Google pulling 2,000 apps from the Indian Play store, which is encouraging. However, in these loan scam schemes, the app only plays the role of luring in the user and collecting information. By itself, the code of the app is not obviously malicious — it is the overall business model that scams the user. This makes the task of identifying these apps challenging and we will likely continue to see them appear globally.
How to protect yourself from loan scams
- Only apply for loans from established institutions: Before taking out a loan, research the organization that you’re interacting with. Consider the organization’s history, reputation, and registration with relevant national regulatory agencies.
- Scrutinize the app’s permission requests: Before granting any app permissions, ask yourself whether it actually needs those data to function, especially when they’re seeking access to location, SMS, contacts and files.
- Install apps from official sources: While malware has at times slipped into official app stores, they do actively vet their apps for anything malicious or suspicious.
- Read reviews for the apps: Reviews, whether positive or negative, can give you insight into whether an app is safe for you to use.
- Install dedicated mobile security: By having a dedicated mobile security solution like Lookout Mobile Endpoint Security for enterprises or Lookout Personal Digital Safety for individuals, you’ll be protected against the predatory apps we’ve uncovered along with other mobile threats.
Download this PDF for a complete list of the apps Lookout discovered, and the indicators of compromise.