Spylend malware downloaded from Google Play over 100,000 times


The malicious Finance Simplified app was still available for download on Monday, but Google later removed it from the Play Store.

Spylend, a malicious Android app disguised as a Finance Simplified app, acts as a gateway to predatory loan applications targeting Indian users, according to research by Cyfirma.

After downloading the app, users are redirected to an external website where a separate loan application file (APK) is downloaded.


A malicious domain injects JavaScript into the app, displaying a list of additional loan applications. Once installed, these apps harvest sensitive user data, enforce exploitative lending practices, and employ blackmail tactics to extort money.

The app was downloaded over 100,000 times from the Google Play Store before its removal.

“Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play,” a Google spokesperson told Cybernews via email.

Misleading claims

After examining Finance Simplified, Cyfirma researchers found multiple threats accompanied by misleading information.

The app uses location-based targeting and displays a list of unauthorized loan apps that operate inside the app (within WebView), allowing attackers to bypass Play Store scrutiny.

The app displays its privacy policy via WebView, which enables it to load external content and modify its privacy policy even after the app has been installed.

According to Cyfirma, the “Upgrade Now” section displayed within the app as a WebView element is concerning, as it allows for the dynamic injection of potentially harmful code without the user’s knowledge.


“The website can modify the content, including the update process, meaning the attacker can redirect users to phishing sites, trick them into downloading malicious software, or even steal sensitive personal information,” the researchers claim.

The app also lists various loan applications, each featuring an “insider tips” section claiming to be registered with Indian banking regulators. However, Cyfirma notes that these claims are misleading, as the apps were previously removed from the official Google Play Store due to fraudulent activities.


Can access the camera and call logs

When a user downloads external apps via APK, JavaScript code is injected to display external loan applications as a list within the app.

After downloading and installing some of these apps, the researchers observed that all the applications share a similar interface, suggesting that the same developer runs them.

One of the apps, KreditApple, requests sensitive runtime permissions, including access to the camera, location, and external storage, raising concerns about unauthorized photo capture and surveillance.

The report notes that the app can, among other things, monitor call logs, access SMS data, and retrieve call log information from an Android device.
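As an added illustration (not code from the article or from Cyfirma's report), the following static triage script parses an AndroidManifest.xml and flags the permission combinations the article attributes to these loan apps: camera plus storage, call log plus SMS, fine location, and the ability to fetch and install further APKs. The manifest is constructed for the example and is not taken from Finance Simplified or KreditApple.

```python
import xml.etree.ElementTree as ET

# Android's manifest attribute namespace; android:name becomes {ns}name.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not the real app's). Permissions are chosen to
# mirror what the article reports for the loan apps.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.loanapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""

# Each rule fires only when every listed permission is declared together.
# The INTERNET + REQUEST_INSTALL_PACKAGES rule is an assumption about how an
# app would pull in extra APKs; the article does not name that permission.
RISK_RULES = {
    "camera+storage (covert photo capture)":
        {"android.permission.CAMERA", "android.permission.READ_EXTERNAL_STORAGE"},
    "call-log+sms harvesting":
        {"android.permission.READ_CALL_LOG", "android.permission.READ_SMS"},
    "fine location (location-based targeting)":
        {"android.permission.ACCESS_FINE_LOCATION"},
    "network+sideload (can fetch and install further APKs)":
        {"android.permission.INTERNET", "android.permission.REQUEST_INSTALL_PACKAGES"},
}


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml: str) -> list:
    """Return the labels of every risk rule whose full permission set is present."""
    perms = declared_permissions(manifest_xml)
    return [label for label, needed in RISK_RULES.items() if needed <= perms]


if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST):
        print("FLAG:", finding)
```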

While inspecting the admin panel, researchers found two files, en.js and zh.js. The activity associated with these files further suggests that the admin panel may be managed by a Chinese attacker.

Some of the issues and risks posed by Finance Simplified and accompanying apps were highlighted in Google Play Store comments, with several users reporting that the app is fraudulent and engages in data collection and even blackmail via deepfake photo creation.

Meanwhile, reviews on private consulting platforms indicate that the scammers pressure users, mock them, and engage in digital abuse or threats.
