Researchers at cybersecurity company Lookout Inc. have discovered more than 300 loan apps that exhibit predatory behavior, such as exfiltrating excessive user data and harassing borrowers for payment in both Google Play and the Apple App Store.
Found in Africa, Southeast Asia, India, Colombia and Mexico, the apps purportedly offer quick, fully digital loan approvals with reasonable loan terms. However, all is not as it seems, and the apps exploit potential victims’ desire for quick cash to ensnare them into predatory loan contracts.
As part of obtaining a loan through the apps, borrowers are required to grant access to sensitive information on their devices, such as contacts, phone history and SMS messages — information that would not be necessary for a valid loan application process.
In addition to gaining access to data irrelevant to the loan, many predatory loan operators are described as displaying “scam-like” actions. Victims of the apps have reported that the loans came with hidden fees, high interest rates and repayment terms that were much less favorable than what was posted on the app stores.
The Lookout Threat Lab researchers also found evidence that the data exfiltrated from devices is sometimes used to pressure the customer for repayment. Although the researchers don’t use the term extortion, a common tactic by those behind the apps is to threaten to disclose a borrower’s debt or other personal information to their network of contacts if the inflated loan payments are not made.
Of the apps discovered, 251 were Android apps listed in Google Play — no great surprise there — but 35 were also found in the Apple App Store. Of those listed for iOS users, the apps were found in the top 100 finance apps in regional stores, meaning that Apple Inc. was unwittingly promoting them.
The researchers reached out to both Google and Apple before going public with their findings. To their credit, both acted immediately to remove the apps from their respective stores.
“Mobile apps have made managing our lives a lot easier and are a convenient way to interact with businesses such as financial institutions,” explained Ruohan Xiong, a senior security intelligence researcher at Lookout. “However, when entrusting any app with sensitive personal information, it is extremely important to stop and ask yourself if the information being requested makes sense and if the business behind the app is a trusted entity.”
Xiong added that “as these predatory loan apps have demonstrated, app permissions could easily be abused if users are not careful. While there are likely dozens of independent operators involved, all of these loan apps have a very similar business model – to trick victims into unfair loan terms and then extort payment.”
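The over-permissioning the article describes (a loan app demanding contacts, call history and SMS access) is something an app reviewer or a mobile-security team can check mechanically before an app reaches users. The script below is an added example, not Lookout's tooling or code from any of the apps: it parses an `AndroidManifest.xml`, compares the declared `<uses-permission>` entries against a reviewer-defined allowlist of what a digital lending app plausibly needs, and flags the permission categories the article names as irrelevant to a loan. The allowlist, the risk table and the two sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: a reviewer's allowlist of permissions a lending app plausibly
# needs (network access, camera for ID-document capture). Not an official list.
EXPECTED_FOR_LOAN_APP = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.CAMERA",
}

# Permission categories the article identifies as unnecessary for a loan
# application and as the data later used to pressure borrowers.
HIGH_RISK = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "phone history",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
}


def declared_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission")]


def audit(manifest_xml: str) -> dict:
    """Flag high-risk permissions and anything outside the expected set."""
    perms = declared_permissions(manifest_xml)
    high_risk = {p: HIGH_RISK[p] for p in perms if p in HIGH_RISK}
    other_unexpected = sorted(
        p for p in perms if p not in EXPECTED_FOR_LOAN_APP and p not in HIGH_RISK
    )
    return {
        "declared": perms,
        "high_risk": high_risk,
        "other_unexpected": other_unexpected,
        # Any high-risk permission is enough to send the app to manual review.
        "verdict": "review" if high_risk else "ok",
    }


# Constructed sample: a manifest shaped like the apps described in the article.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.quickcash">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

# Constructed sample: a manifest that asks only for what the allowlist expects.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.lender">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = audit(manifest)
        print(f"{label}: verdict={result['verdict']}")
        for perm, category in result["high_risk"].items():
            print(f"  high-risk: {perm} ({category})")
        for perm in result["other_unexpected"]:
            print(f"  unexpected: {perm}")
```

The check is deliberately coarse: it answers only the question Xiong poses, whether the data requested makes sense for the app's stated purpose. A permission can be declared without ever being requested at runtime, so a manifest flag is a trigger for manual review, not proof of the harassment behaviour the article reports.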