SpyLoan
SpyLoan is an Android malware/riskware family embedded in predatory loan applications, including apps distributed through Google Play, that masquerade as quick-loan or low-friction lending services. It has been active since at least 2020 and has been described as a repeat offender. The apps use social engineering to lure users with promises of fast cash, low-interest loans, and minimal checks; in some cases they were also promoted via Facebook posts.

Once installed, SpyLoan apps request intrusive permissions and harvest extensive victim data: contacts, SMS messages, call logs, device identifiers and system information, coarse location, camera access, identification documents, bank account details, employment information, and personal photos. Reported behavior includes validating victims with one-time-password checks tied to targeted regions and exfiltrating the stolen data to command-and-control servers; some reporting notes AES-128 encryption and exfiltration/C2 frameworks shared across samples. The stolen information is used for harassment, extortion, inflated repayment demands, identity abuse, and surveillance.

Reported targets span users in Latin America, Africa, and Asia, including Mexico, Colombia, Senegal, Thailand, Indonesia, Vietnam, Tanzania, Peru, and Chile. Multiple reports tie SpyLoan to surveillance, extortion, and identity theft. Kaspersky classified it among frequently seen Android RiskTool apps, while Zscaler identified it as a major driver of a year-over-year rise in Android spyware activity. Check Point also reported SpyLoan extortion malware in a Google Play app named RapiPlata. McAfee documented 15 SpyLoan-infected Android apps on Google Play with more than 8 million combined downloads, and ESET previously reported another set of 18 SpyLoan apps stealing personal and financial data.

Shared code and infrastructure suggest either a common developer or a reusable criminal framework used by multiple operators.
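As an added example (not from this page or any vendor report), the following Python triage script parses an AndroidManifest.xml and maps the permissions it requests onto the victim-data categories listed above, flagging a lending app that asks for several of them at once. The sample manifest, the permission-to-category mapping and the threshold of three categories are constructed assumptions for illustration.

```python
"""Triage an Android manifest against the data-harvesting permission
profile reported for SpyLoan-style loan apps (contacts, SMS, call logs,
location, camera, device identifiers, photos). Added example, not
code from the page or any vendor."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: standard Android permission -> victim-data category
# named in SpyLoan reporting. Extend as needed for your own triage.
PERMISSION_CATEGORY = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_logs",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_PHONE_STATE": "device_identifiers",
    "android.permission.READ_EXTERNAL_STORAGE": "photos",
    "android.permission.READ_MEDIA_IMAGES": "photos",
}


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return every android:name on a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}


def harvested_categories(manifest_xml: str) -> set[str]:
    """Collapse requested permissions into the data categories they expose."""
    perms = requested_permissions(manifest_xml)
    return {PERMISSION_CATEGORY[p] for p in perms if p in PERMISSION_CATEGORY}


def triage(manifest_xml: str, min_categories: int = 3) -> dict:
    """Flag the app when it reaches the (assumed) category threshold."""
    cats = harvested_categories(manifest_xml)
    return {"categories": sorted(cats), "suspicious": len(cats) >= min_categories}


# Constructed sample: a "loan" app requesting the reported SpyLoan profile.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.quickloan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A real APK's manifest is binary XML and must first be decoded (for example with apktool or aapt) before being passed to `triage`.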
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic: Execution (2 techniques), Credential Access (2 techniques), Collection (1 technique).
The end goal of the financial scheme is to collect as much information as possible from infected devices, which could then be used to extort users by coercing them into paying the loans back at higher interest rates, and in some cases, for delayed payments or intimidating them with stolen personal photos.
IOCs tracked for this family
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: IPs, domains, and DNS infrastructure linked to this family.
Recent activity
6 sources tracked across advisories, community write-ups, and news:
RiskTool family prominently encountered among mobile users in the quarter.
A predatory finance app that uses social engineering to lure users, then steals contacts, messages, and device identifiers for harassment, extortion, or identity abuse.
Android spyware family associated with surveillance, extortion, and identity theft activity.
Extortion malware distributed via a Google Play app (RapiPlata).