
Malicious apps of the SpyLoan family usually disguise themselves as legitimate financial instruments or credit services: users are offered low-interest loans with a quick approval procedure, but the terms of such loans are often very deceptive or patently false. In addition, these apps steal data from victims’ devices, thus, enabling the attackers to engage in predatory lending, blackmail, and extortion.
All SpyLoan apps request excessive privileges on the victim’s device, including access to its camera (allegedly to upload KYC photos), calendar, contacts, SMS, location, sensor data, etc. As a result, operators of such apps can steal sensitive data from infected devices.
Cyfirma researchers discovered in the Google Play Store an app called Finance Simplified that was downloaded more than 100,000 times. The app pretends to be a financial management tool.
According to the experts, in some countries (primarily in India), this app exhibits malicious behavior by stealing data from users’ devices. In addition, Cyfirma discovered a number of other malicious APKs that appear to be part of the same malware campaign: KreditApple, PokketMe, and StashFur.
Even though the app has already been removed from Google Play, it might still run in the background collecting sensitive information from infected devices, including:
- contacts, call logs, SMS messages, and device data;
- photos, videos, and documents from internal and external storages;
- victim’s location (updated every 3 seconds), location history, and IP address;
- the last 20 text messages copied to the clipboard; and
- credit history and SMS messages related to banking transactions.
According to numerous user reviews on Google Play, the Finance Simplified app offers lending services, and then its operators attempt to extort money from borrowers refusing to pay enormous interest rates.

The stolen data are primarily used to blackmail people who have applied for a loan using Finance Simplified, but they can also be used for financial fraud or sold to other cybercriminals.
To avoid detection on Google Play, Finance Simplified used a WebView to redirect users to an external website where they downloaded the loan APK hosted on Amazon EC2. Interestingly, the additional APK was downloaded only if the user was located in India.


2025.02.18 — Chrome Enhanced Protection mode is now powered by AI
The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…
Full article →
2025.02.20 — Newly-discovered vulnerabilities in OpenSSH open the door to MiTM and DoS attacks
OpenSSH fixed two vulnerabilities that could result in MiTM and denial of service (DoS) attacks. Interestingly, one of these bugs appeared in the code more than 10…
Full article →
2025.01.27 — Zyxel firewalls reboot due to flawed update
Zyxel warned its customers that a recent signature update may cause critical errors in USG FLEX and ATP series firewalls. As a result, devices go into…
Full article →
2025.03.12 — Mass exploitation of PHP-CGI vulnerability in attacks targeting Japanese companies
GreyNoise and Cisco Talos experts warn that hackers are actively exploiting CVE-2024-4577, a critical PHP-CGI vulnerability that was discovered and fixed in early June 2024. CVE-2024-457…
Full article →
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store
According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…
Full article →
2025.04.22 — Scammers pose as FBI IC3 specialists, offer 'assistance' to fraud victims
According to the FBI, scammers impersonating employees of the FBI Internet Fraud Complaint Center (IC3) contact fraud victims offering them 'assistance' in getting their money…
Full article →
2025.01.30 — Hackers use vulnerabilities in SimpleHelp RMM to attack corporate networks
Experts believe that recently patched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) were used by attackers to gain initial access to corporate networks. A number…
Full article →
2025.02.01 — Critical RCE vulnerability fixed in Cacti
A critical vulnerability has been discovered in the open-source Cacti framework: it enables an authenticated attacker to remotely execute arbitrary code. Vulnerability's ID is CVE-2025-22604; its…
Full article →
2025.02.09 — Abandoned AWS S3 buckets could be used in attacks targeting supply chains
watchTowr discovered plenty of abandoned Amazon S3 buckets that could be used by attackers to deliver malware and backdoors to government agencies and large corporations. The researchers discovered…
Full article →
2025.04.08 — Website of Everest ransomware group hacked and defaced
Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: "Don't do crime…
Full article →