More than 100,000 users downloaded SpyLend malware from Google Play Store

📟 News

Date: 25/02/2025

According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there more than 100,000 times. The malware belongs to the SpyLoan family (i.e. predatory loan apps) and was disguised as the legitimate Finance Simplified app used to apply for loans in India.

Malicious apps of the SpyLoan family usually disguise themselves as legitimate financial instruments or credit services: users are offered low-interest loans with a quick approval procedure, but the terms of such loans are often very deceptive or patently false. In addition, these apps steal data from victims’ devices, thus enabling the attackers to engage in predatory lending, blackmail, and extortion.

All SpyLoan apps request excessive privileges on the victim’s device, including access to its camera (allegedly to upload KYC photos), calendar, contacts, SMS, location, sensor data, etc. As a result, operators of such apps can steal sensitive data from infected devices.

Cyfirma researchers discovered in the Google Play Store an app called Finance Simplified that was downloaded more than 100,000 times. The app pretends to be a financial management tool.

According to the experts, in some countries (primarily in India), this app exhibits malicious behavior by stealing data from users’ devices. In addition, Cyfirma discovered a number of other malicious APKs that appear to be part of the same malware campaign: KreditApple, PokketMe, and StashFur.

Even though the app has already been removed from Google Play, it might still run in the background collecting sensitive information from infected devices, including:

  • contacts, call logs, SMS messages, and device data;
  • photos, videos, and documents from internal and external storage;
  • victim’s location (updated every 3 seconds), location history, and IP address;
  • the last 20 text messages copied to the clipboard; and
  • credit history and SMS messages related to banking transactions.
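A manifest triage check from the defender's side, added here as an example and not part of Cyfirma's report or tooling: it parses an Android manifest and flags an app that declares permissions across several of the sensitive groups listed above (camera, calendar, contacts, SMS, location, storage, sensors). The sample manifest, the mapping of permission names to groups, and the threshold of four groups are assumptions constructed for this example.

```python
"""Flag the excessive-permission pattern typical of SpyLoan-style apps.
Added example; the manifest and the group mapping are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Sensitive groups the article lists as typical SpyLoan requests.
# Which permission names fall in each group is an assumption here.
SPYLOAN_GROUPS = {
    "camera": {"android.permission.CAMERA"},
    "calendar": {"android.permission.READ_CALENDAR"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.READ_MEDIA_IMAGES"},
    "sensors": {"android.permission.BODY_SENSORS"},
}

def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "")
            for el in root.iter("uses-permission")}

def spyloan_groups_hit(manifest_xml: str) -> list:
    """Sensitive groups the manifest touches, in SPYLOAN_GROUPS order."""
    perms = declared_permissions(manifest_xml)
    return [g for g, names in SPYLOAN_GROUPS.items() if perms & names]

def is_suspicious_loan_app(manifest_xml: str, threshold: int = 4) -> bool:
    """A loan app may plausibly want the camera for KYC photos; touching
    four or more of these groups is the overreach worth a manual review."""
    return len(spyloan_groups_hit(manifest_xml)) >= threshold

# Constructed manifest resembling the permission set described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.loanapp">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    print(spyloan_groups_hit(SAMPLE_MANIFEST), is_suspicious_loan_app(SAMPLE_MANIFEST))
```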

According to numerous user reviews on Google Play, the Finance Simplified app offers lending services, and then its operators attempt to extort money from borrowers refusing to pay enormous interest rates.

Attack scheme

The stolen data are primarily used to blackmail people who have applied for a loan using Finance Simplified, but they can also be used for financial fraud or sold to other cybercriminals.

To avoid detection on Google Play, Finance Simplified used a WebView to redirect users to an external website where they downloaded the loan APK hosted on Amazon EC2. Interestingly, the additional APK was downloaded only if the user was located in India.
