
Lookout researchers found nearly 300 Android and iOS apps that lure victims into unfair lending terms, exfiltrate excessive user data from mobile devices, and then use that data to pressure and shame victims into repayment.
Aimed at consumers in developing countries – Colombia, India, Indonesia, Kenya, Mexico, Nigeria, the Philippines, Thailand, and Uganda – the apps and their operators take advantage of victims’ inability to qualify for a traditional loan.
Android and iOS loan apps that lead to harassment
The apps are said to offer “fast, fully digital loan approval with reasonable loan terms. In fact, they take advantage of victims’ desire for quick cash to lure borrowers into predatory loan contracts and demand that they grant access to sensitive information such as contacts and SMS messages,” explained Lookout researchers Ruohan Xiong, Rono Dasgupta, and Alina Mambo.
“Some users have reported that their loans come with hidden fees, high interest rates and repayment terms that are far less favorable than what is posted on the app store. We also found evidence that the data exfiltrated from devices is sometimes used to pressure a refund, by harassing the customers themselves or their contacts.”
After downloading one of these apps, the user is first asked to share personal and financial information – name, address, employment history, education, and banking information – and then to perform identity verification with a video selfie (meaning they also provide an image of their ID card).
The apps then ask the user for access to their contacts, photos and media, and for permission to make and manage phone calls and to send and view SMS messages.
“Once the app has exfiltrated the victim’s information and distributed the loan, the collector begins cycles of harassment. Sometimes the loan operator waits until the repayment deadline has passed, but we have seen many complaints indicating that harassment occurs before payment is required,” the researchers noted.
“This is where the unfiltered contact information comes in, where anyone would be contacted, including those who did not include the victim in their loan application. A common tactic is to disclose or threaten to disclose loan debts or other personal information to their contact networks, often including family members or friends.”
Available in official app stores
The researchers found almost 300 of these apps: 251 on the Google Play Store (with over 15 million collective downloads!) and 35 on the Apple App Store.
While both app stores accept personal loan apps, the way the operators of these apps manage the “business” they run defies the stores’ guidelines. Both Apple and Google have removed the apps from their stores.
While app store reviews left by victims should deter others from using these apps, many users were probably too desperate to heed the warnings or to balk at the apps’ overly broad permission requests. (If the user refuses to grant the permissions, the apps don’t allow them to continue.)
“Based on the low review scores of most apps, the operators do not seem to be afraid of getting caught and the reputation of individual apps seems to be disposable. This may be partly a result of looser financial regulations or a lack of enforcement,” the researchers concluded.