SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Lookout finds predatory behaviour on 300 loan apps
Thu, 1st Dec 2022

Lookout has discovered almost 300 loan apps that exhibit predatory behaviour, such as exfiltrating excessive user data from mobile devices and harassing borrowers for repayment.

The apps were found in Africa, Southeast Asia, India, Colombia and Mexico.

The apps purport to provide quick, completely digital loan approvals with reasonable loan terms. In practice, they exploit a victim’s desire for quick cash to lure borrowers into predatory loan contracts and force them to grant access to sensitive information on their device that would not ordinarily be required in a valid loan application process. This includes contacts, phone history, and SMS messages.

On top of these predatory requests for excessive access, many of the loan operators display scam-like actions.

Victims have reported hidden fees and high interest rates as well as repayment terms that significantly differ from what was posted on the app stores.

In addition, Lookout Threat Lab found evidence that data taken from devices was used in some instances to pressure the customer for repayment, with disclosure of a borrower’s debt or other personal information to their network of contacts being a common threat tactic.

Lookout researchers discovered a total of 251 Android apps on the Google Play Store with over 15 million combined downloads, as well as 35 apps on the Apple App Store that were in the top 100 finance apps in their regional stores.

Lookout has notified Google and Apple about these apps, and all those posing a risk have been removed from their respective stores.

Endpoint-to-cloud security company Lookout is purpose-built for the intersection of enterprise and personal data and protects data across devices, apps, networks and clouds through its unified, cloud-native security platform.

“Mobile apps have made managing our lives a lot easier and are a convenient way to interact with businesses such as financial institutions,” says Ruohan Xiong, Senior Security Intelligence Researcher, Lookout.

“However, when entrusting any app with sensitive personal information, it is extremely important to stop and ask yourself if the information being requested makes sense and if the business behind the app is a trusted entity.

“As these predatory loan apps have demonstrated, app permissions could easily be abused if users are not careful. While there are likely dozens of independent operators involved, all of these loan apps have a very similar business model: to trick victims into unfair loan terms and then extort payment.”

Lookout notes that despite these apps being taken offline, consumers should still be cautious when engaging with online businesses, including financial institutions.