Lookout researchers have discovered nearly 300 Android and iOS apps that trick victims into unfair loan terms, exfiltrate excessive user data from mobile devices, and then use it to pressure and shame the victims into repayment.
Aimed at consumers in developing countries – Colombia, India, Indonesia, Kenya, Mexico, Nigeria, the Philippines, Thailand, and Uganda – the apps and their operators are taking advantage of victims’ inability to qualify for a traditional loan.
Android and iOS loan apps that lead to harassment
The apps “purportedly offer quick, fully-digital loan approvals with reasonable loan terms. In reality, they exploit victims’ desire for quick cash to ensnare borrowers into predatory loan contracts and require them to grant access to sensitive information such as contacts and SMS messages,” Lookout researchers Ruohan Xiong, Rono Dasgupta, and Alina Mambo explained.
“A number of users have reported that their loans come with hidden fees, high interest rates, and repayment terms that are much less favorable than what is posted on the app stores. We also found evidence that the data exfiltrated from devices are sometimes used to pressure for repayment, either by harassing the customers themselves or their contacts.”
After downloading one of these apps, the user is first asked to share personal and financial information – name, address, employment history, education, and banking information – then to perform an ID verification with a video selfie (meaning: they also provide an image of their ID card).
Then the apps ask the user for access to their contacts, photos and media, and for permission to make and manage phone calls and to send and view SMS messages.
“Once the victim’s information is exfiltrated by the app and the loan is distributed, the collector then begins cycles of harassment. Sometimes the loan operator would wait until the repayment deadline has passed, but we’ve seen many complaints indicating that harassment occurs before payment is required,” the researchers noted.
“This is where the exfiltrated contact information comes in, where anyone, including those that the victim didn’t include in their loan application, would be contacted. A common tactic is to disclose or threaten to disclose a borrower’s debt or other personal information to their networks of contacts, which often includes family members or friends.”
Found on official app stores
The researchers found nearly 300 of these apps: 251 on the Google Play store (with over 15 million collective downloads!) and 35 on the Apple App Store.
While both app stores accept personal loan apps, how the operators of these apps manage the “business” makes them run afoul of the stores’ guidelines. Both Apple and Google have now removed the apps from their stores.
While app store reviews left by victims should have warned others against using these apps, it’s likely that many were too desperate to heed the warning or to balk at the apps’ requests for overly broad permissions. (If the user refuses to grant the permissions, the apps don’t allow them to proceed.)
“Based on the low review scores of most of the apps, the loan operators don’t seem to be afraid of getting caught and find the reputation of the individual apps to be disposable. This may partially be the result of looser financial regulations or lack of enforcement,” the researchers concluded.