{"id":203552,"date":"2024-11-25T05:00:06","date_gmt":"2024-11-25T13:00:06","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=203552"},"modified":"2024-11-24T23:42:58","modified_gmt":"2024-11-25T07:42:58","slug":"spyloan-a-global-threat-exploiting-social-engineering","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/","title":{"rendered":"SpyLoan: A Global Threat Exploiting Social Engineering"},"content":{"rendered":"<p><em>Authored by: Fernando Ruiz<\/em><\/p>\n<p style=\"font-weight: 400;\"><span class=\"TextRun SCXW213489285 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW213489285 BCX0\">The <\/span><span class=\"NormalTextRun SCXW213489285 BCX0\">McAfee mobile research team <\/span><span class=\"NormalTextRun SCXW213489285 BCX0\">recently<\/span> <span class=\"NormalTextRun SCXW213489285 BCX0\">identified<\/span><span class=\"NormalTextRun SCXW213489285 BCX0\"> a<\/span> <span class=\"NormalTextRun SCXW213489285 BCX0\">significant <\/span><span class=\"NormalTextRun SCXW213489285 BCX0\">global<\/span> <span class=\"NormalTextRun SCXW213489285 BCX0\">increase<\/span> <span class=\"NormalTextRun SCXW213489285 BCX0\">of <\/span><span class=\"NormalTextRun SCXW213489285 BCX0\">SpyLoan<\/span><span class=\"NormalTextRun SCXW213489285 BCX0\">, also know<\/span><span class=\"NormalTextRun SCXW213489285 BCX0\">n<\/span><span class=\"NormalTextRun SCXW213489285 BCX0\"> as<\/span> <span class=\"NormalTextRun SCXW213489285 BCX0\">predatory loan<\/span>\u00a0<span class=\"NormalTextRun SCXW213489285 BCX0\">apps<\/span><span class=\"NormalTextRun SCXW213489285 BCX0\">,<\/span><span class=\"NormalTextRun SCXW213489285 BCX0\"> on Android<\/span><span class=\"NormalTextRun SCXW213489285 BCX0\">.<\/span><span class=\"NormalTextRun SCXW213489285 BCX0\"> These <\/span><span class=\"NormalTextRun SCXW213489285 BCX0\">PUP (potentially unwanted programs)<\/span><span class=\"NormalTextRun SCXW213489285 BCX0\"> applications use <\/span><span class=\"NormalTextRun SCXW213489285 BCX0\">social engineering<\/span><span class=\"NormalTextRun SCXW213489285 BCX0\"> tactics to trick users into providing sensitive information and granting <\/span><span class=\"NormalTextRun SCXW213489285 BCX0\">extra mobile app <\/span><span class=\"NormalTextRun SCXW213489285 BCX0\">permissions,\u00a0<\/span><\/span> <span class=\"TextRun SCXW213489285 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW213489285 BCX0\">which can lead<\/span><span class=\"NormalTextRun SCXW213489285 BCX0\"> to extortion, harassment, and <\/span><span class=\"NormalTextRun SCXW213489285 BCX0\">financial loss<\/span><span class=\"NormalTextRun SCXW213489285 BCX0\">.<\/span><\/span><span class=\"EOP SCXW213489285 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p style=\"font-weight: 400;\"><span class=\"TextRun SCXW67485356 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW67485356 BCX0\">During our investigation of this threat, we <\/span><span class=\"NormalTextRun SCXW67485356 BCX0\">identified<\/span><span class=\"NormalTextRun SCXW67485356 BCX0\"> fifteen apps with a combined total of over eight million installations<\/span><span class=\"NormalTextRun SCXW67485356 BCX0\">.\u00a0 <\/span><span class=\"NormalTextRun SCXW67485356 BCX0\">This group of loan apps share a common framework to encrypt and exfiltrate data from a victim\u2019s device to a command and control (C2) server using a similar HTTP endpoint infrastructure. They <\/span><span class=\"NormalTextRun SCXW67485356 BCX0\">operate<\/span><span class=\"NormalTextRun SCXW67485356 BCX0\"> localized in targeted territories, <\/span><span class=\"NormalTextRun SCXW67485356 BCX0\">mainly in<\/span><span class=\"NormalTextRun SCXW67485356 BCX0\"> South America, Southern Asia, and Africa, with some of them being promoted through deceptive advertising on social media. <\/span><\/span><span class=\"EOP SCXW67485356 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p style=\"font-weight: 400;\"><span class=\"TextRun SCXW207368834 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW207368834 BCX0\">McAfee is a member of the App Defense Alliance focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem. We reported the apps discovered to Google <\/span><span class=\"NormalTextRun SCXW207368834 BCX0\">who<\/span> <span class=\"NormalTextRun SCXW207368834 BCX0\">have notified<\/span><span class=\"NormalTextRun SCXW207368834 BCX0\"> the developers that their apps violate Google Play policies and fixes are needed to come into compliance. Some apps were suspended from Google Play while others were updated<\/span><span class=\"NormalTextRun SCXW207368834 BCX0\"> by the developers<\/span><span class=\"NormalTextRun SCXW207368834 BCX0\">.<\/span><\/span><span class=\"EOP CommentStart SCXW207368834 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p style=\"font-weight: 400;\"><span class=\"TextRun SCXW154050790 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW154050790 BCX0\">McAfee Mobile Security detects all of these apps as <strong>Android\/<\/strong><\/span><strong><span class=\"NormalTextRun SpellingErrorV2Themed SCXW154050790 BCX0\">PUP.SpyLoan<\/span><\/strong><span class=\"NormalTextRun SCXW154050790 BCX0\"> due to our PUP policy since even after some apps have updated to reduce the permissions requirements and the harvesting of sensitive information they still pose a risk for the user\u2019s privacy due to the potential unethical practices that can be conducted by the operators of these apps that are not licensed or registered with the authorities that regulate financial services in each jurisdiction where they operate.<\/span><\/span><span class=\"EOP SCXW154050790 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-205183 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-1-2.png\" alt=\"\" width=\"1209\" height=\"680\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-1-2.png 1209w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-1-2-300x169.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-1-2-1024x576.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-1-2-768x432.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-1-2-205x115.png 205w\" sizes=\"auto, (max-width: 1209px) 100vw, 1209px\" \/><\/p>\n<figure style=\"text-align: center;\"><figcaption>Figure 1: Examples of SpyLoan apps recently distributed on Google Play<\/figcaption><\/figure>\n<p style=\"font-weight: 400;\"><span class=\"TextRun SCXW233298251 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW233298251 BCX0\">Since 2020, <\/span><span class=\"NormalTextRun SCXW233298251 BCX0\">SpyLoan has <\/span><span class=\"NormalTextRun SCXW233298251 BCX0\">become<\/span><span class=\"NormalTextRun SCXW233298251 BCX0\"> a <\/span><span class=\"NormalTextRun SCXW233298251 BCX0\">consistent<\/span><span class=\"NormalTextRun SCXW233298251 BCX0\"> presence<\/span><span class=\"NormalTextRun SCXW233298251 BCX0\">\u00a0<\/span><span class=\"NormalTextRun SCXW233298251 BCX0\">\u00a0<\/span><\/span> <span class=\"TextRun SCXW233298251 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW233298251 BCX0\">in the mobile threat landscape<\/span><span class=\"NormalTextRun SCXW233298251 BCX0\">. However, our telemetry <\/span><span class=\"NormalTextRun SCXW233298251 BCX0\">indicates<\/span><span class=\"NormalTextRun SCXW233298251 BCX0\"> a rapid surge in their activity recently. Fr<\/span><span class=\"NormalTextRun SCXW233298251 BCX0\">om the end of Q2 to the end of <\/span><span class=\"NormalTextRun SCXW233298251 BCX0\">Q3 2024, the number of malicious SpyLoan apps and unique infected devices has increased by over 75%<\/span><span class=\"NormalTextRun SCXW233298251 BCX0\">.\u00a0<\/span><span class=\"NormalTextRun SCXW233298251 BCX0\">\u00a0<\/span><\/span><span class=\"EOP SCXW233298251 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h2><strong>Understanding the Threat<\/strong><\/h2>\n<h3><strong>What Are SpyLoan Apps?<\/strong><\/h3>\n<p style=\"font-weight: 400;\"><span class=\"TextRun SCXW255788533 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW255788533 BCX0\">SpyLoan apps are <\/span><span class=\"NormalTextRun SCXW255788533 BCX0\">intrusive<\/span><span class=\"NormalTextRun SCXW255788533 BCX0\"> financial applications that <\/span><span class=\"NormalTextRun SCXW255788533 BCX0\">lure users with promises of<\/span><span class=\"NormalTextRun SCXW255788533 BCX0\"> quick and flexible loans, often <\/span><span class=\"NormalTextRun SCXW255788533 BCX0\">featuring low rates and minimal requirements. Wh<\/span><span class=\"NormalTextRun SCXW255788533 BCX0\">ile these apps <\/span><span class=\"NormalTextRun SCXW255788533 BCX0\">may <\/span><span class=\"NormalTextRun SCXW255788533 BCX0\">seem to <\/span><span class=\"NormalTextRun SCXW255788533 BCX0\">offer genuine value, the reality is that these apps primarily exist to collect as much personal information as possible, which they then<\/span><span class=\"NormalTextRun SCXW255788533 BCX0\"> may<\/span><span class=\"NormalTextRun SCXW255788533 BCX0\"> exploit to harass and extort users into paying predatory interest rates. They employ questionable tactics, such as deceptive marketing that highlights time-limited offers and countdowns, creating a false sense of urgency to pressure users into making hasty decisions. <\/span><span class=\"NormalTextRun SCXW255788533 BCX0\">Ultimately, rather<\/span><span class=\"NormalTextRun SCXW255788533 BCX0\"> than providing genuine financial <\/span><span class=\"NormalTextRun SCXW255788533 BCX0\">assistance<\/span><span class=\"NormalTextRun SCXW255788533 BCX0\">, these apps can lead users into a cycle of debt and privacy violations.<\/span><\/span><span class=\"EOP SCXW255788533 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p style=\"font-weight: 400;\"><span class=\"TextRun SCXW20982279 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW20982279 BCX0\">While the specific<\/span> <span class=\"NormalTextRun SCXW20982279 BCX0\">behavior may vary by country, these apps share common characteristics<\/span><span class=\"NormalTextRun SCXW20982279 BCX0\"> and code at app and infrastructure level:<\/span><\/span><span class=\"EOP SCXW20982279 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<ul>\n<li><strong><span class=\"TextRun MacChromeBold SCXW3422774 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW3422774 BCX0\">Distribution via Official App Stores<\/span><\/span><\/strong><span class=\"TextRun SCXW3422774 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW3422774 BCX0\"><strong>:<\/strong> Despite violating policies, these apps often slip through app store vetting processes and are available on platforms like Google Play, making them appear trustworthy.<\/span><\/span><span class=\"EOP SCXW3422774 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<li><strong><span class=\"TextRun MacChromeBold SCXW143191437 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW143191437 BCX0\">Deceptive Marketing<\/span><\/span><\/strong><span class=\"TextRun SCXW143191437 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW143191437 BCX0\"><strong>:<\/strong> They use names, logos, and user interfaces that mimic reputable financial institutions to gain credibility<\/span><span class=\"NormalTextRun SCXW143191437 BCX0\">. Often these loan apps are promoted by ads on social media networks<\/span><\/span><span class=\"EOP SCXW143191437 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-205524\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-2-2.png\" alt=\"\" width=\"388\" height=\"710\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-2-2.png 388w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-2-2-164x300.png 164w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-2-2-70x129.png 70w\" sizes=\"auto, (max-width: 388px) 100vw, 388px\" \/><\/p>\n<figure style=\"text-align: center;\"><figcaption>Figure 2: Ad for a SpyLoan app<\/figcaption><\/figure>\n<p style=\"font-weight: 400;\"><span class=\"TextRun SCXW147212081 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW147212081 BCX0\">\u201cHigh amount of loan\u201d Add on Facebook for app \u201cPresta Facil: Revision <\/span><span class=\"NormalTextRun SCXW147212081 BCX0\">Rapida<\/span><span class=\"NormalTextRun SCXW147212081 BCX0\">\u201d which translate to \u201cEasy Loan: Fast Approval\u201d detailing interest rates, amount, period, <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW147212081 BCX0\">etc<\/span><span class=\"NormalTextRun SCXW147212081 BCX0\"> for a loan in Colombian pesos.<\/span><\/span><span class=\"EOP SCXW147212081 BCX0\" data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559685&quot;:1350,&quot;335559737&quot;:1080,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<ul>\n<li><strong><span class=\"TextRun MacChromeBold SCXW103203101 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW103203101 BCX0\">Similar user flow<\/span><\/span><\/strong><span class=\"TextRun SCXW103203101 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW103203101 BCX0\">: After <\/span><span class=\"NormalTextRun SCXW103203101 BCX0\">first execution a<\/span><span class=\"NormalTextRun SCXW103203101 BCX0\"> privacy policy <\/span><span class=\"NormalTextRun SCXW103203101 BCX0\">is <\/span><span class=\"NormalTextRun SCXW103203101 BCX0\">displayed <\/span><span class=\"NormalTextRun SCXW103203101 BCX0\">with the details of what information will be collecte<\/span><span class=\"NormalTextRun SCXW103203101 BCX0\">d<\/span><span class=\"NormalTextRun SCXW103203101 BCX0\">, <\/span><span class=\"NormalTextRun SCXW103203101 BCX0\">then a <\/span><span class=\"NormalTextRun SCXW103203101 BCX0\">countdown timer <\/span><span class=\"NormalTextRun SCXW103203101 BCX0\">creates the sense of urgency to apply to the l<\/span><span class=\"NormalTextRun SCXW103203101 BCX0\">oan <\/span><span class=\"NormalTextRun SCXW103203101 BCX0\">offer<\/span><span class=\"NormalTextRun SCXW103203101 BCX0\"> and <\/span><span class=\"NormalTextRun SCXW103203101 BCX0\">the<\/span><span class=\"NormalTextRun SCXW103203101 BCX0\"> user\u2019s <\/span><span class=\"NormalTextRun SCXW103203101 BCX0\">phone number with the country code of the targeted <\/span><span class=\"NormalTextRun SCXW103203101 BCX0\">territory is required to continue, asking for <\/span><span class=\"NormalTextRun SCXW103203101 BCX0\">a<\/span> <span class=\"NormalTextRun SCXW103203101 BCX0\">one-time-<\/span><span class=\"NormalTextRun SCXW103203101 BCX0\">password<\/span><span class=\"NormalTextRun SCXW103203101 BCX0\"> (OTP)<\/span><span class=\"NormalTextRun SCXW103203101 BCX0\"> that is received by SMS to authenticate the user<\/span><span class=\"NormalTextRun SCXW103203101 BCX0\"> and validate <\/span><span class=\"NormalTextRun SCXW103203101 BCX0\">that user has a phone number <\/span><span class=\"NormalTextRun SCXW103203101 BCX0\">from the targeted country.<\/span><\/span><span class=\"EOP SCXW103203101 BCX0\" data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/li>\n<\/ul>\n<p style=\"font-weight: 400;\"><span class=\"TextRun SCXW87467127 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW87467127 BCX0\">SpyLoan apps are consistent with this onboarding process. Then <\/span><span class=\"NormalTextRun SCXW87467127 BCX0\">navigation bar and app actions are <\/span><span class=\"NormalTextRun SCXW87467127 BCX0\">very similar<\/span><span class=\"NormalTextRun SCXW87467127 BCX0\"> with different graphics <\/span><span class=\"NormalTextRun SCXW87467127 BCX0\">but have the<\/span><span class=\"NormalTextRun SCXW87467127 BCX0\"> same features in <\/span><span class=\"NormalTextRun SCXW87467127 BCX0\">the<\/span><span class=\"NormalTextRun SCXW87467127 BCX0\">ir<\/span><span class=\"NormalTextRun SCXW87467127 BCX0\"> respective<\/span><span class=\"NormalTextRun SCXW87467127 BCX0\"> localized languages.<\/span><\/span><span class=\"EOP SCXW87467127 BCX0\" data-ccp-props=\"{&quot;335559685&quot;:720,&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-205213 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-3-1.png\" alt=\"\" width=\"863\" height=\"644\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-3-1.png 863w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-3-1-300x224.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-3-1-768x573.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-3-1-173x129.png 173w\" sizes=\"auto, (max-width: 863px) 100vw, 863px\" \/><\/p>\n<figure style=\"text-align: center;\"><figcaption>Figure 3:\u00a0 Example of privacy terms on two different SpyLoan apps, one targeting Indonesia (left) named \u201cKreditKu-Uang Online\u201d and another targeting Mexico (right) named \u201cPr\u00e9stamo Seguro-R\u00e1pido, Seguro\u201d.<\/figcaption><\/figure>\n<p style=\"font-weight: 400;\">Both apps have in common a framework that shares the user interface, user\u2019s flow and encryption libraries with techniques for communication with C2 infrastructure, while the operators have different locations, language and target countries.<\/p>\n<ul>\n<li><strong>Privacy agreements: <\/strong>These apps have similar but not equal privacy terms, in general they describe and justify the sensitive data to be collected as part of the user identification process and anti-fraud measures.\n<ul>\n<li>They require users to consent to collect excessive and exploitative data that a formal financial institution would not normally require, such as SMS message content, call logs and contact lists.<\/li>\n<li>The contact information of the financial institution is from free service email domain like Gmail or Outlook, like a personal email address, not from a formal and legal financial institution.<\/li>\n<li>The websites implementation of the privacy terms of these SpyLoans apps are built with the same web-framework, using JavaScript to dynamically load the content of the terms, this text is not available in the HTML files directly.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li><strong>Excessive Permission Requests<\/strong>: Upon installation, they request permissions that are unnecessary for a loan app, such as access to contacts, SMS, storage, calendar, phone call records and even microphone or camera.<\/li>\n<\/ul>\n<p style=\"font-weight: 400; padding-left: 40px;\">Common permissions on SpyLoan applications can be:<\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li>permission.CAMERA<\/li>\n<li>permission.READ_CALL_LOG<\/li>\n<li>permission.READ_PHONE_STATE<\/li>\n<li>permission.ACCESS_COARSE_LOCATION<\/li>\n<li>permission.READ_SMS<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"font-weight: 400; padding-left: 40px;\">Depending on the implementation and distribution method they can include more sensitive permissions.<\/p>\n<ul>\n<li><strong>Enticing Offers<\/strong>: Promising quick loans with minimal requirements to attract users in urgent financial situations. A countdown might be displayed to increase the sense of urgency.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-205228 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-4-1.png\" alt=\"\" width=\"1236\" height=\"768\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-4-1.png 1236w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-4-1-300x186.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-4-1-1024x636.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-4-1-768x477.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-4-1-205x127.png 205w\" sizes=\"auto, (max-width: 1236px) 100vw, 1236px\" \/><\/p>\n<figure style=\"text-align: center;\"><figcaption>Figure 4: Three different apps, from different developers offering the same initial countdown onboarding screen: Offering an \u201c85% approval rate\u201d in different languages with a countdown.<\/figcaption><\/figure>\n<p style=\"font-weight: 400;\"><strong>Phone Validation via SMS OTP: <\/strong>To complete the registration a phone number with the country code of the target country is required to validate the user\u2019s phone is on the territory, receiving an one time password (OTP) to proceed to the registration via text message.<\/p>\n<p style=\"font-weight: 400;\"><strong>Data Collection<\/strong>: Users are prompted to provide sensitive legal identification documents and personal information, banking accounts, employee information among with device data that is exfiltrated from the victim\u2019s device.<\/p>\n<h2><strong>Impact on Users<\/strong><\/h2>\n<h3><strong>Financial Exploitation<\/strong><\/h3>\n<ul>\n<li><strong>Hidden Fees and High Interest Rates<\/strong>: Users receive less than the promised loan amount but are required to repay the full amount plus exorbitant fees within a short period.<\/li>\n<li><strong>Unauthorized Charges<\/strong>: Some apps initiate unauthorized transactions or charge hidden fees.<\/li>\n<\/ul>\n<h3><strong>Privacy Violations<\/strong><\/h3>\n<ul>\n<li><strong>Data Misuse<\/strong>: Personal information is exploited for blackmail or sold to third parties. This might include sextortion with victims\u2019 pictures that can be exfiltrated or created with AI.<\/li>\n<li><strong>Harassment and Extortion<\/strong>: Users and their contacts receive threatening messages or calls including death threats.<\/li>\n<\/ul>\n<h3><strong>Emotional and Psychological Distress<\/strong><\/h3>\n<ul>\n<li><strong>Stress and Anxiety<\/strong>: Aggressive tactics cause significant emotional harm.<\/li>\n<li><strong>Reputational Damage<\/strong>: Public shaming can affect personal and professional relationships.<\/li>\n<\/ul>\n<p style=\"font-weight: 400;\">Back to 2023 in Chile <a href=\"https:\/\/www.t13.cl\/noticia\/nacional\/investigan-suicidio-joven-madre-maria-pinto-extorsionada-por-prestamistas-ilegales\">media reported<\/a> the suicide of a victim of fake loans after the harassment and threats to her friends and family and to her integrity.<\/p>\n<h2><strong>Data Exfiltration analysis<\/strong><\/h2>\n<p style=\"font-weight: 400;\">The group of SpyLoan applications reported in this blog belongs to the family identified by McAfee as Android\/SpyLoan.DE that transmits the collected information encrypted to the command and control (C2) using AES (Advanced encryption standard) with 128bits keys then base64 encoding and optionally adds a hardcoded padding over https.<\/p>\n<p style=\"font-weight: 400;\">Encryption key and initialization vector (IV) are hardcoded into the obfuscated application code.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-205243 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-5-1.png\" alt=\"\" width=\"818\" height=\"164\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-5-1.png 818w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-5-1-300x60.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-5-1-768x154.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-5-1-205x41.png 205w\" sizes=\"auto, (max-width: 818px) 100vw, 818px\" \/><\/p>\n<figure style=\"text-align: center;\"><figcaption>Figure 5: Encryption key and IV hardcoded in SpyLoan variant<\/figcaption><\/figure>\n<p style=\"font-weight: 400;\">SpyLoan uses this same encryption routine to hide sensitive strings on resources.xml that leads to data exfiltration, for example:<\/p>\n<ul>\n<li>String skadnjskdf in resources.xml:\n<ul>\n<li>&lt;string name=&#8221;skadnjskdf&#8221;&gt;<strong>501tm8gR24S8F8BpRDkvnw==<\/strong>&lt;\/string&gt;<\/li>\n<\/ul>\n<\/li>\n<li>The AES decrypted value using the same encryption routine implemented for data exfiltration:\n<ul>\n<li>&lt;string name=&#8221;skadnjskdf&#8221;&gt;<strong>content:\/\/sms\/<\/strong>&lt;\/string&gt;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"font-weight: 400;\">This string is used to construct a content URI that allows access to SMS Messages that it\u2019s implemented to extract fields like, date, address (sender\/recipient), message body, status, etc., and formats into JSON that then will be encrypted again to be sent to the C2.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-205258 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-6-1.png\" alt=\"\" width=\"908\" height=\"548\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-6-1.png 908w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-6-1-300x181.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-6-1-768x464.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-6-1-205x124.png 205w\" sizes=\"auto, (max-width: 908px) 100vw, 908px\" \/><\/p>\n<p style=\"text-align: center;\">Figure 6: Code section that exfiltrates all SMS messages from Victim\u2019s device<\/p>\n<p style=\"font-weight: 400;\">Exfiltrated data is posted into the C2 via HTTP post inside an encrypted JSON object. The URLs of the endpoints used to collect sensitive data shares the URL structure between different SpyLoan applications. They use the same URLs scheme that can be detected by this regex:<\/p>\n<p style=\"font-weight: 400; text-align: center;\">^https:\\\/\\\/[a-z0-9.-]+\\\/[a-z]{2,}<strong>-gp<\/strong>\\\/[a-z0-9]+\\\/[a-z0-9]+$<\/p>\n<p style=\"font-weight: 400;\">Some examples of C2 URLs that match this scheme:<\/p>\n<ul>\n<li>hxxps:\/\/su.mykreditandfear.com\/her-gp\/kgycinc\/wjt<\/li>\n<li>hxxps:\/\/hx.nihxdzzs.com\/dz-gp\/cfmwzu\/uyeo<\/li>\n<li>hxxps:\/\/prep.preprestamoshol.com\/seg-gp\/pdorj\/tisqwfnkr<\/li>\n<li>hxxps:\/\/tlon.pegetloanability.com\/anerf-gp\/jwnmk\/dgehtkzh<\/li>\n<\/ul>\n<p style=\"font-weight: 400;\">Using the same technique and obfuscation methods SpyLoan samples hide in his code the ability to exfiltrate larges amount of sensitive data from their victims, including:<\/p>\n<ul>\n<li>Call Logs: Collects call log data from the device if permissions are granted\n<ul>\n<li>Number: The phone number of the caller<\/li>\n<li>Type: Type of call (incoming, outgoing, missed)<\/li>\n<li>Duration: The duration of the call<\/li>\n<li>Date: The timestamp of the call<\/li>\n<li>Name: The name of the contact (if available)<\/li>\n<\/ul>\n<\/li>\n<li>Files in download directory with metadata: file name, extension, file size, last modified timestamp<\/li>\n<li>All accounts on the device, emails and social media accounts.<\/li>\n<li>Information about all apps installed<\/li>\n<\/ul>\n<p style=\"font-weight: 400;\">Other miscellaneous information collected:<\/p>\n<ul>\n<li>Device and Network information:\n<ul>\n<li>Subscriber ID<\/li>\n<li>DNS Information<\/li>\n<li>Device ID (IMEI)<\/li>\n<li>MAC address<\/li>\n<li>Country code<\/li>\n<li>Network Operator Name<\/li>\n<li>Language<\/li>\n<li>Network Type (WIfi, 4G, 3G, etc)<\/li>\n<li>Phone number<\/li>\n<li>Locale information (country code, display language)<\/li>\n<li>Time Zone<\/li>\n<li>Development Settings (enable or disable)<\/li>\n<li>Phone Type (GSM, CDMA)<\/li>\n<li>Elapsed Real-Time (The elapsed time since device was booted)<\/li>\n<li>Proxy Configuration<\/li>\n<\/ul>\n<\/li>\n<li>SIM Information\n<ul>\n<li>SIM country ISO Code<\/li>\n<li>SIM Serial Number (ICCID)<\/li>\n<\/ul>\n<\/li>\n<li>Location:\n<ul>\n<li>Permission: It checks for ACCESS_COARSER_LOCATION<\/li>\n<li>Location provider: Check if GPS or network location are available<\/li>\n<li>Last known location: Latitude or longitude<\/li>\n<li>Geocoding information (converts latitude and longitude into a structured address):\n<ul>\n<li>Country name<\/li>\n<li>Admirative area<\/li>\n<li>City<\/li>\n<li>Street<\/li>\n<li>Address Line<\/li>\n<\/ul>\n<\/li>\n<li>Device configuration\n<ul>\n<li>Number of images: It counts the number of images files in external storage<\/li>\n<li>Test Mode: reports if the device is in test mode<\/li>\n<li>Keyboard Configuration<\/li>\n<li>Current time<\/li>\n<li>Enabled accessibility services flag<\/li>\n<\/ul>\n<\/li>\n<li>OS Settings:\n<ul>\n<li>Android version details (version, sdk level, fingerprint, id, display build)<\/li>\n<li>Hardware information (device name, product name, device model, hardware details, device brand, board info, device serial number)<\/li>\n<li>System configuration (bootloader version, build host, build user, CPU info)<\/li>\n<li>Network (radio version, system type, build tags)<\/li>\n<\/ul>\n<\/li>\n<li>Storage Information:\n<ul>\n<li>External storage path, size,<\/li>\n<li>Internal storage: total size, available size.<\/li>\n<li>Memory information: total RAM, available RAM<\/li>\n<\/ul>\n<\/li>\n<li>Sensor data<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"font-weight: 400;\">Data from sensors such as accelerometers, gyroscopes, magnetometers if available on the affected device. This information includes:<\/p>\n<ul>\n<li>Sensor type, sensor name, version, vendor, maximum range, minimum delay, power consumption, resolution.<\/li>\n<\/ul>\n<p style=\"font-weight: 400;\">Sensor data can be used for device fingerprinting and user\u2019s behavioral monitoring.<\/p>\n<ul>\n<li>Battery Information:\n<ul>\n<li>Battery level<\/li>\n<li>Battery status: Indicates if the devices is plugged<\/li>\n<li>Other battery metadata: health, if present, voltage, battery technology, type, etc.<\/li>\n<\/ul>\n<\/li>\n<li>Audio settings (maximum and current volume levels)<\/li>\n<\/ul>\n<h2><strong>Victim Experiences<\/strong><\/h2>\n<p style=\"font-weight: 400;\">Users have reported alarming experiences, such as:<\/p>\n<ul>\n<li>Receiving threatening calls and death threats for delayed payments.<\/li>\n<li>Having personal photos and IDs misused to intimidate them.<\/li>\n<li>The app accesses their contacts to send harassing messages to friends and family.<\/li>\n<\/ul>\n<p style=\"font-weight: 400;\">Typical comments on fake loan apps:<\/p>\n<p style=\"font-weight: 400;\">For example, \u201cPr\u00e9stamo Seguro-R\u00e1pido, Seguro\u201d had many fake positive reviews on Google Play while a few consistent users reviews that alleged abuse of the collected data, extorsion and harassment.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-205273 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-7-1.png\" alt=\"\" width=\"932\" height=\"546\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-7-1.png 932w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-7-1-300x176.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-7-1-768x450.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-7-1-205x120.png 205w\" sizes=\"auto, (max-width: 932px) 100vw, 932px\" \/><\/p>\n<figure style=\"text-align: center;\"><figcaption>Figure 7: User reviews in Spanish<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"510\">October 18, 2024<\/p>\n<p>I do not recommend this app. They start calling and threatening you with edited photos and posting them on social media, even sending them to your contacts, a day before. Even when it&#8217;s not the due date. Not recommended at all! Pure fraud and extortion.<\/td>\n<\/tr>\n<tr>\n<td width=\"510\">September 25, 2024<\/p>\n<p>Horrible app, they don&#8217;t show you how much interest they will charge, which is a lot, and before the payment date arrives, they start threatening your contacts and even send you personal messages with threats and foul language, threatening to extort your family.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Meanwhile other apps receive similar negative comments:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-205288 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-8-1.png\" alt=\"\" width=\"949\" height=\"612\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-8-1.png 949w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-8-1-300x193.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-8-1-768x495.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-8-1-200x129.png 200w\" sizes=\"auto, (max-width: 949px) 100vw, 949px\" \/><\/p>\n<figure style=\"text-align: center;\"><figcaption>Figure 8: Comments on SpyLoan apps<\/figcaption><\/figure>\n<h2><strong>Global Impact of SpyLoans Apps<\/strong><\/h2>\n<h3><strong>Worldwide Issue with Local Variations<\/strong><\/h3>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-205303 size-full\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-9-1.png\" alt=\"\" width=\"767\" height=\"522\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-9-1.png 767w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-9-1-300x204.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/figure-9-1-190x129.png 190w\" sizes=\"auto, (max-width: 767px) 100vw, 767px\" \/><\/p>\n<figure style=\"text-align: center;\"><figcaption>Figure 9: Global prevalence of SpyLoan apps<\/figcaption><\/figure>\n<p style=\"font-weight: 400;\">These threats are not confined to a single region; they&#8217;ve been reported globally with localized adaptations. Predatory loan apps activities have been identified worldwide not limited to the variants technically described in this post, the following incidents can provide a wider context of the impact of this threat:<\/p>\n<ul>\n<li><strong>Asia<\/strong>:\n<ul>\n<li><em>India<\/em>: Users faced harassment and data leaks from apps misusing granted permissions. <a href=\"https:\/\/www.bbc.com\/news\/world-asia-india-66964510\">Authorities have taken action against such apps<\/a><\/li>\n<li><em>Southeast Asia<\/em>: Countries like Thailand, Indonesia, Vietnam and Philippines have reported significant issues with these apps exploiting users&#8217; financial vulnerabilities.\n<ul>\n<li><a href=\"https:\/\/advicecenter.kkpfg.com\/th\/money-matter\/fake-application\">Bank of Thailand advise center<\/a><\/li>\n<\/ul>\n<\/li>\n<li><strong>Africa<\/strong>:\n<ul>\n<li><em>Nigeria, Kenya, Uganda<\/em>: Similar apps have led to financial fraud and unauthorized transactions, targeting a large unbanked population.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Latin America<\/strong>:\n<ul>\n<li><em>Mexico, Colombia, Chile and Peru<\/em>: <a href=\"https:\/\/www.infobae.com\/peru\/2024\/01\/16\/falsos-call-centers-extorsiono-a-mas-de-7-mil-personas-asi-operaba-la-organizacion-criminal-liderada-por-un-ciudadano-chino\/\">Users have reported threats and harassment<\/a>, with apps misusing personal data for extortion.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"font-weight: 400;\">Ranking of top 10 countries with highest prevalence of Fake Loans apps according to McAfee telemetry Q3 2024:<\/p>\n<ul>\n<li>India<\/li>\n<li>Mexico<\/li>\n<li>Philippines<\/li>\n<li>Indonesia<\/li>\n<li>Thailand<\/li>\n<li>Kenya<\/li>\n<li>Colombia<\/li>\n<li>Vietnam<\/li>\n<li>Chile<\/li>\n<li>Nigeria<\/li>\n<\/ul>\n<h2><strong>Law Enforcement Actions<\/strong><\/h2>\n<p><span data-contrast=\"auto\">According to a <\/span><a href=\"https:\/\/www.infobae.com\/peru\/2024\/01\/16\/falsos-call-centers-extorsiono-a-mas-de-7-mil-personas-asi-operaba-la-organizacion-criminal-liderada-por-un-ciudadano-chino\/\"><span data-contrast=\"none\">report by the <\/span>Judiciary of Peru<\/a><span data-contrast=\"auto\">, authorities conducted a major raid on a call center engaged in extortion and the operation of fake loan apps targeting individuals in <\/span><b><span data-contrast=\"auto\">Peru, Mexico, and Chile<\/span><\/b><span data-contrast=\"auto\">.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The police reported that over <\/span><b><span data-contrast=\"auto\">300 individuals<\/span><\/b><span data-contrast=\"auto\"> were linked to this criminal operation, which had defrauded at least <\/span><b><span data-contrast=\"auto\">7,000 victims<\/span><\/b><span data-contrast=\"auto\"> across multiple countries.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The call center employees were <\/span><b><span data-contrast=\"auto\">trained specifically to extort victims<\/span><\/b><span data-contrast=\"auto\">. Using information collected from the SpyLoan apps, they threatened users to extract as much money as possible by imposing inflated interest rates and additional fees.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Meanwhile in Chile, the commission for commission for the financial market (CMF) highlights <\/span><a href=\"https:\/\/www.cmfchile.cl\/portal\/principal\/613\/w3-propertyvalue-43333.html\"><span data-contrast=\"none\">in their website tens of fraudulent credit applications<\/span><\/a><span data-contrast=\"auto\"> that has been distributed on Google Play, also the national consumer service (SERNAC) <\/span><a href=\"https:\/\/www.sernac.cl\/portal\/604\/w3-article-82602.html\"><span data-contrast=\"none\">reports more cases.<\/span><\/a><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">In May 2024, the Chilean police has detained over 25 people linked to one <\/span><a href=\"https:\/\/www.latercera.com\/nacional\/noticia\/casi-2-mil-victimas-la-caida-de-la-megaestafa-de-los-creditos-falsos-por-internet-que-desarticulo-la-pdi\/JCZ32XSY75HINKETEWBQ34JS3A\/\"><span data-contrast=\"none\">Fake Loans operations that scammed over 2,000 victims<\/span><\/a><span data-contrast=\"auto\"> according to La Tercera.<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Despite the efforts the activity of these malware applications continues and increases in South America and the rest of the world.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h2><strong>Conclusion<\/strong><\/h2>\n<p style=\"font-weight: 400;\">The threat of Android apps like SpyLoan is a global issue that exploits users&#8217; trust and financial desperation. These apps leverage social engineering to bypass technical security measures and inflict significant harm on individuals. Despite law enforcement actions to capture multiple groups linked to the operation of SpyLoan apps, new operators and cybercriminals continue to exploit these fraud activities, especially in South America, Southeast Asia and Africa.<\/p>\n<p style=\"font-weight: 400;\">SpyLoan apps operate with similar code at app and C2 level across different continents this suggest the presence of a common developer or a shared framework that is being sold to cybercriminals. This modular approach allows these developers to quickly distribute malicious apps tailored to various markets, exploiting local vulnerabilities while maintaining a consistent model for scamming users.<\/p>\n<p style=\"font-weight: 400;\">By reusing code and tactics, they can efficiently target different countries, often evading detection by authorities and creating a widespread problem that is difficult to combat. This networked approach not only increases the scale of the threat but also complicates efforts to trace and shut down these operations, as they can easily adapt and relocate their operations to new regions.<\/p>\n<p style=\"font-weight: 400;\">By understanding how these malicious apps operate and taking proactive steps to protect ourselves, we can mitigate the risks and help others do the same.<\/p>\n<h2><strong>How To Protect Yourself: Tips and Recommendations<\/strong><\/h2>\n<h3><strong>Be Cautious with Permissions<\/strong><\/h3>\n<ul>\n<li><strong>Review Permissions Carefully<\/strong>: Be wary of apps requesting permissions that seem unnecessary for their function.<\/li>\n<li><strong>Limit Permissions<\/strong>: Deny permissions that are not essential.<\/li>\n<\/ul>\n<h3><strong>Verify App Legitimacy<\/strong><\/h3>\n<ul>\n<li><strong>License and Registration<\/strong>: Ensure the institution is registered and licensed to operate in your country. Verify with your financial regulator\u2019s authority or consumer protection agency.<\/li>\n<li><strong>Read User Reviews<\/strong>: Look for patterns of complaints about fraud or data misuse, pay special attention in apps with polarized reviews that might contain fake positive reviews.<\/li>\n<li><strong>Research the Developer<\/strong>: Look up the developer&#8217;s name, website, and reviews. Even if the app contains privacy policy which is mandatory on Google Play this might not be honored by scammers.<\/li>\n<\/ul>\n<h3><strong>Use Security Measures<\/strong><\/h3>\n<ul>\n<li><strong>Install Security Software<\/strong>: Use reputable antivirus and anti-malware apps.<\/li>\n<li><strong>Keep Your Device Updated<\/strong>: Regular updates can protect against vulnerabilities.<\/li>\n<\/ul>\n<h3><strong>Practice Safe Online Behavior<\/strong><\/h3>\n<ul>\n<li><strong>Don&#8217;t Share Sensitive Information<\/strong>: Provide personal data only to trusted and verified entities.<\/li>\n<li><strong>Be Skeptical of Unrealistic Offers<\/strong>: If it sounds too good to be true, it probably is.<\/li>\n<\/ul>\n<h3><strong>Report Suspicious Activity<\/strong><\/h3>\n<ul>\n<li><strong>Notify App Stores<\/strong>: Report fraudulent apps to help protect others.<\/li>\n<li><strong>Contact Authorities<\/strong>: If you&#8217;re a victim, report the incident to local law enforcement or cybercrime units.<\/li>\n<\/ul>\n<h2><strong>IOC<\/strong><\/h2>\n<table style=\"width: 50%; border-collapse: collapse; margin: 0 auto; font-size: 0.8em; border: 1px solid #ccc;\">\n<thead>\n<tr style=\"background-color: #f4f4f4;\">\n<th style=\"border: 1px solid #cccccc; padding: 5px; text-align: center;\">Package<\/th>\n<th style=\"border: 1px solid #ccc; padding: 5px; text-align: left;\">App Name<\/th>\n<th style=\"border: 1px solid #ccc; padding: 5px; text-align: left;\">Downloads<\/th>\n<th style=\"border: 1px solid #ccc; padding: 5px; text-align: left;\">Country<\/th>\n<th style=\"border: 1px solid #ccc; padding: 5px; text-align: left;\">SHA256<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">com.prestamoseguro.ss<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">Pr\u00e9stamo Seguro-R\u00e1pido, seguro<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">1M<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">Mexico<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">f71dc766744573efb37f04851229eb47fc89aa7ae9124c77b94f1aa1ccc53b6c<\/td>\n<\/tr>\n<tr>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">com.voscp.rapido<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">Pr\u00e9stamo R\u00e1pido-Credit Easy<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">1M<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">Colombia<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">22f4650621fea7a4deab4742626139d2e6840a9956285691b2942b69fef0ab22<\/td>\n<\/tr>\n<tr>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">com.uang.belanja<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">\u0e44\u0e14\u0e49\u0e1a\u0e32\u0e17\u0e07\u0e48\u0e32\u0e22\u0e46-\u0e2a\u0e34\u0e19\u0e40\u0e0a\u0e37\u0e48\u0e2d\u0e14\u0e48\u0e27\u0e19<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">1M<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">Senegal<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">b5209ae7fe60abd6d86477d1f661bfba306d9b9cbd26cfef8c50b81bc8c27451<\/td>\n<\/tr>\n<tr>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">com.rupiahkilat.best<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">RupiahKilat-Dana cair<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">1M<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">Senegal<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">9d51a5c0f9abea8e9777e9d8615bcab2f9794b60bf233e3087615638ceaa140e<\/td>\n<\/tr>\n<tr>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">com.gotoloan.cash<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">\u0e22\u0e37\u0e21\u0e2d\u0e22\u0e48\u0e32\u0e07\u0e21\u0e35\u0e04\u0e27\u0e32\u0e21\u0e2a\u0e38\u0e02 &#8211; \u0e40\u0e07\u0e34\u0e19\u0e01\u0e39\u0e49<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">1M<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">Thailand<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">852a1ae6193899f495d047904f4bdb56cc48836db4d57056b02352ae0a63be12<\/td>\n<\/tr>\n<tr>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">com.hm.happy.money<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">\u0e40\u0e07\u0e34\u0e19\u0e21\u0e35\u0e04\u0e27\u0e32\u0e21\u0e2a\u0e38\u0e02 &#8211; \u0e2a\u0e34\u0e19\u0e40\u0e0a\u0e37\u0e48\u0e2d\u0e14\u0e48\u0e27\u0e19<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">1M<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">Thailand<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">43977fce320b39a02dc4e323243ea1b3bc532627b5bc8e15906aaff5e94815ee<\/td>\n<\/tr>\n<tr>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">com.kreditku.kuindo<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">KreditKu-Uang Online<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">500K<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">Indonesia<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">dfbf0bf821fa586d4e58035ed8768d2b0f1226a3b544e5f9190746b6108de625<\/td>\n<\/tr>\n<tr>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">com.winner.rupiahcl<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">Dana Kilat-Pinjaman kecil<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">500K<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">Indonesia<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">b67e970d9df925439a6687d5cd6c80b9e5bdaa5204de14a831021e679f6fbdf1<\/td>\n<\/tr>\n<tr>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">com.vay.cashloan.cash<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">Cash Loan-Vay ti\u1ec1n<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">100K<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">Vietnam<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">e303fdfc7fd02572e387b8b992be2fed57194c7af5c977dfb53167a1b6e2f01b<\/td>\n<\/tr>\n<tr>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">com.restrict.bright.cowboy<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">RapidFinance<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">100K<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">Tanzania<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">e59fd9d96b3a446a2755e1dfc5a82ef07a3965866a7a1cb2cc1a2ffb288d110c<\/td>\n<\/tr>\n<tr>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">com.credit.orange.enespeces.mtn.ouest.wave.argent.tresor.payer.pret<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">Pr\u00eatPourVous<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">100K<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">Senegal<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">453e23e68a9467f861d03cbace1f3d19909340dac8fabf4f70bc377f0155834e<\/td>\n<\/tr>\n<tr>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">com.huaynamoney.prestamos.creditos.peru.loan.credit<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">Huayna Money &#8211; Pr\u00e9stamo R\u00e1pido<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">100K<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">Peru<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">ef91f497e841861f1b52847370e2b77780f1ee78b9dab88c6d78359e13fb19dc<\/td>\n<\/tr>\n<tr>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">com.credito.iprestamos.dinero.en.linea.chile<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">IPr\u00e9stamos: R\u00e1pido Cr\u00e9dito<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">100K<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">Chile<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">45697ddfa2b9f7ccfbd40e971636f9ef6eeb5d964e6802476e8b3561596aa6c2<\/td>\n<\/tr>\n<tr>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">com.conseguir.sol.pe<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">ConseguirSol-Dinero R\u00e1pido<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">100K<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">Peru<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">79fd1dccfa16c5f3a41fbdb0a08bb0180a2e9e5a2ae95ef588b3c39ee063ce48<\/td>\n<\/tr>\n<tr>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">com.pret.loan.ligne.personnel<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">\u00c9coPr\u00eat Pr\u00eat En Ligne<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">50K<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">Thailand<\/td>\n<td style=\"border: 1px solid #ccc; padding: 5px;\">27743ab447cb3731d816afb7a4cecc73023efc4cd4a65b6faf3aadfd59f1768e<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Authored by: Fernando Ruiz The McAfee mobile research team recently identified a significant global increase of SpyLoan, also known as&#8230;<\/p>\n","protected":false},"author":695,"featured_media":203815,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[4136],"class_list":["post-203552","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>SpyLoan: A Global Threat Exploiting Social Engineering | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Authored by: Fernando Ruiz The McAfee mobile research team recently identified a significant global increase of SpyLoan, also known as predatory\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SpyLoan: A Global Threat Exploiting Social Engineering | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Authored by: Fernando Ruiz The McAfee mobile research team recently identified a significant global increase of SpyLoan, also known as predatory\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2024-11-25T13:00:06+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/300x200_Blog_110923.png\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"16 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"SpyLoan: A Global Threat Exploiting Social Engineering\",\"datePublished\":\"2024-11-25T13:00:06+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/\"},\"wordCount\":3236,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/300x200_Blog_110923.png\",\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/\",\"name\":\"SpyLoan: A Global Threat Exploiting Social Engineering | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/300x200_Blog_110923.png\",\"datePublished\":\"2024-11-25T13:00:06+00:00\",\"description\":\"Authored by: Fernando Ruiz The McAfee mobile research team recently identified a significant global increase of SpyLoan, also known as predatory\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/300x200_Blog_110923.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/300x200_Blog_110923.png\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"SpyLoan: A Global Threat Exploiting Social Engineering\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"SpyLoan: A Global Threat Exploiting Social Engineering | McAfee Blog","description":"Authored by: Fernando Ruiz The McAfee mobile research team recently identified a significant global increase of SpyLoan, also known as predatory","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"SpyLoan: A Global Threat Exploiting Social Engineering | McAfee Blog","og_description":"Authored by: Fernando Ruiz The McAfee mobile research team recently identified a significant global increase of SpyLoan, also known as predatory","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2024-11-25T13:00:06+00:00","og_image":[{"width":300,"height":200,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/300x200_Blog_110923.png","type":"image\/png"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"16 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"SpyLoan: A Global Threat Exploiting Social Engineering","datePublished":"2024-11-25T13:00:06+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/"},"wordCount":3236,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/300x200_Blog_110923.png","articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/","name":"SpyLoan: A Global Threat Exploiting Social Engineering | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/300x200_Blog_110923.png","datePublished":"2024-11-25T13:00:06+00:00","description":"Authored by: Fernando Ruiz The McAfee mobile research team recently identified a significant global increase of SpyLoan, also known as predatory","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/300x200_Blog_110923.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2024\/11\/300x200_Blog_110923.png","width":300,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/spyloan-a-global-threat-exploiting-social-engineering\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"SpyLoan: A Global Threat Exploiting Social Engineering"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/203552","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=203552"}],"version-history":[{"count":17,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/203552\/revisions"}],"predecessor-version":[{"id":205665,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/203552\/revisions\/205665"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/203815"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=203552"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=203552"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=203552"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=203552"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}