
Malicious apps of the SpyLoan family usually disguise themselves as legitimate financial instruments or credit services: users are offered low-interest loans with a quick approval procedure, but the terms of such loans are often very deceptive or patently false. In addition, these apps steal data from victims’ devices, thus, enabling the attackers to engage in predatory lending, blackmail, and extortion.
All SpyLoan apps request excessive privileges on the victim’s device, including access to its camera (allegedly to upload KYC photos), calendar, contacts, SMS, location, sensor data, etc. As a result, operators of such apps can steal sensitive data from infected devices.
Cyfirma researchers discovered in the Google Play Store an app called Finance Simplified that was downloaded more than 100,000 times. The app pretends to be a financial management tool.
According to the experts, in some countries (primarily in India), this app exhibits malicious behavior by stealing data from users’ devices. In addition, Cyfirma discovered a number of other malicious APKs that appear to be part of the same malware campaign: KreditApple, PokketMe, and StashFur.
Even though the app has already been removed from Google Play, it might still run in the background collecting sensitive information from infected devices, including:
- contacts, call logs, SMS messages, and device data;
- photos, videos, and documents from internal and external storages;
- victim’s location (updated every 3 seconds), location history, and IP address;
- the last 20 text messages copied to the clipboard; and
- credit history and SMS messages related to banking transactions.
According to numerous user reviews on Google Play, the Finance Simplified app offers lending services, and then its operators attempt to extort money from borrowers refusing to pay enormous interest rates.

The stolen data are primarily used to blackmail people who have applied for a loan using Finance Simplified, but they can also be used for financial fraud or sold to other cybercriminals.
To avoid detection on Google Play, Finance Simplified used a WebView to redirect users to an external website where they downloaded the loan APK hosted on Amazon EC2. Interestingly, the additional APK was downloaded only if the user was located in India.


2025.04.30 — Coinbase fixes 2FA bug that made customers panic
Cryptocurrency exchange Coinbase has fixed a bug in its Account Activity logs that caused customers to think their credentials were compromised. Earlier this month, BleepingComputer…
Full article →
2025.01.29 — Google to disable Sync in older Chrome versions
Google announced that in early 2025, Chrome Sync will be disabled in Chrome versions older than four years. Chrome Sync enables users to save and sync their…
Full article →
2025.01.22 — Fake Homebrew Infects macOS and Linux Machines with infostealer
Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.…
Full article →
2025.04.08 — Website of Everest ransomware group hacked and defaced
Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: "Don't do crime…
Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin
Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…
Full article →
2025.02.14 — 12,000 Kerio Control firewalls remain vulnerable to RCE
Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed…
Full article →
2025.02.09 — Abandoned AWS S3 buckets could be used in attacks targeting supply chains
watchTowr discovered plenty of abandoned Amazon S3 buckets that could be used by attackers to deliver malware and backdoors to government agencies and large corporations. The researchers discovered…
Full article →
2025.01.27 — Zyxel firewalls reboot due to flawed update
Zyxel warned its customers that a recent signature update may cause critical errors in USG FLEX and ATP series firewalls. As a result, devices go into…
Full article →
2025.01.30 — Hackers use vulnerabilities in SimpleHelp RMM to attack corporate networks
Experts believe that recently patched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) were used by attackers to gain initial access to corporate networks. A number…
Full article →
2025.02.28 — Qualcomm extends support for Android devices to 8 years
Qualcomm Technologies announced its collaboration with Google with the purpose to provide extended support for OEM devices running on company's flagship chipsets. This partnership will…
Full article →