Beware of predatory fin(tech): Loan sharks use Android apps to reach new depths

ESET reports a surge of Android loan apps (detected as SpyLoan) that request broad device permissions, harvest sensitive data (contacts, SMS, call logs, location, device identifiers, photos’ Exif, etc.), and exfiltrate it to attacker-controlled C2 servers for subsequent abuse. The apps are distributed via social media, SMS, third-party stores and Google Play and evolved to use obfuscation, encrypted strings, AES over HTTPS, and sometimes Flutter-based libraries. #SpyLoan #GooglePlay

Keypoints

  • SpyLoan apps are distributed through SMS, social media, scam websites, third-party stores and (previously) Google Play.
  • Installation flow forces broad runtime permissions and SMS OTP verification; country code is preselected to restrict registrations to targeted regions.
  • After registration the apps require extensive identity data (ID photos, selfies, bank details) and collect device data: IMEI/IMSI, SIM serial, installed apps, Wi‑Fi info, call logs, SMS, contacts, calendar, location, and Exif metadata.
  • Collected data is encrypted (AES) and exfiltrated to attacker C2 servers over HTTPS; the malware evolved to use code obfuscation and encrypted strings to evade detection.
  • ESET identified multiple app binaries (Android/SpyLoan, Android/Spy.KreditSpy, Android/Spy.Agent variants) and mapped C2 infrastructure hosted on various cloud providers (Amazon, Alibaba, Cloudflare, Huawei).
  • Google Play policy updates prohibit such sensitive-data permissions for loan apps, but many SpyLoan instances previously bypassed reviews and maintained broad permissions until takedowns.

MITRE Techniques

  • [T1418] Software Discovery – SpyLoan obtains a list of installed applications (‘SpyLoan can obtain a list of installed applications.’)
  • [T1420] File and Directory Discovery – SpyLoan enumerates photos on external storage and extracts Exif metadata (‘SpyLoan lists available photos on external storage and extracts Exif information.’)
  • [T1422] System Network Configuration Discovery – SpyLoan extracts IMEI, IMSI, IP address, phone number and country (‘SpyLoan extracts the IMEI, IMSI, IP address, phone number, and country.’)
  • [T1426] System Information Discovery – SpyLoan collects device identifiers and system info including SIM serial and device ID (‘SpyLoan extracts information about the device, including SIM serial number, device ID, and common system information.’)
  • [T1430] Location Tracking – SpyLoan tracks device location (‘SpyLoan tracks device location.’)
  • [T1636.001] Protected User Data: Calendar Entries – SpyLoan exfiltrates calendar events (‘SpyLoan extracts calendar events.’)
  • [T1636.002] Protected User Data: Call Logs – SpyLoan extracts call logs (‘SpyLoan extracts call logs.’)
  • [T1636.003] Protected User Data: Contact List – SpyLoan extracts contact lists (‘SpyLoan extracts the contact list.’)
  • [T1636.004] Protected User Data: SMS Messages – SpyLoan extracts SMS messages (‘SpyLoan extracts SMS messages.’)
  • [T1437.001] Application Layer Protocol: Web Protocols – SpyLoan communicates with C2 over HTTPS (‘SpyLoan uses HTTPS to communicate with its C&C server.’)
  • [T1521.001] Encrypted Channel: Symmetric Cryptography – SpyLoan encrypts C2 traffic using AES (‘SpyLoan uses AES to encrypt its communication.’)
  • [T1646] Exfiltration Over C2 Channel – SpyLoan exfiltrates stolen data to C2 via HTTPS (‘SpyLoan exfiltrates data using HTTPS.’)

Indicators of Compromise

  • [File hashes / APK filenames] SpyLoan APKs reported by ESET – 136067AC519C23EF7B9E8EB788D1F5366CCC5045 (com.aa.kredit.android.apk), C0A6755FF0CCA3F13E3C9980D68B77A835B15E89 (com.amorcash.credito.prestamo.apk), and 15 more hashes.
  • [APK filenames] Example malicious package names – com.mxolp.postloan.apk, com.loan.cash.credit.tala.prestmo.fast_branch_mextamo.apk (and other loan-related APK names listed in IoCs).
  • [C2 IPs / Domains] Command-and-control hosts – 3.109.98[.]108 (pss.aakredit[.]in), 35.86.179[.]229 (www.guayabacash[.]com), and 15 more C2 hosts across Amazon, Alibaba, Cloudflare, Huawei clouds.
  • [Hosting providers] Cloud infrastructure seen – Amazon.com, Inc.; Alibaba (US) Technology Co., Ltd.; Cloudflare, Inc.; HUAWEI CLOUDS (used to host multiple C2 domains).

SpyLoan’s technical flow begins with distribution via SMS/social media links, scam websites, third-party app stores and previously Google Play. The installed APK requests extensive runtime permissions and forces SMS OTP registration with a preselected country code to ensure only users with numbers registered in target countries can enroll. Some samples include Flutter/Dart components, indicating use of cross-platform frameworks to simplify development and deployment.

After registration the app collects both user-submitted identity material (ID images, selfies, banking details) and a wide range of device data: IMEI/IMSI, SIM serial, device identifiers, installed-app lists, local Wi‑Fi info, call logs, SMS messages, contacts, calendar events, location, and Exif metadata from images. Earlier variants sent data plainly; later versions adopted encrypted strings, code obfuscation and AES-based encryption to protect payloads and communications.

All harvested data is encrypted client-side (AES) and exfiltrated to attacker-controlled C2 servers over HTTPS. ESET mapped numerous C2 domains and IPs hosted on major cloud providers and published APK hashes and domains to aid detection; detections are reported as Android/SpyLoan, Android/Spy.KreditSpy and Android/Spy.Agent variants. Defenders should block listed C2 hosts, detect the APK hashes, monitor for unusual permission requests and SMS‑based registrations, and inspect apps that request unnecessary access to media, contacts, SMS, call logs and calendars.
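The detection guidance above (block the listed C2 hosts, match the APK hashes, flag loan apps that request access to contacts, SMS, call logs, calendar, location and media) can be turned into a small triage script. The following Python is an added example, not ESET's code and not part of the original report. The two SHA-1 hashes and four C2 hosts are the ones quoted in the IoC list; the AndroidManifest.xml, the device inventory and the proxy log lines are constructed sample data, and the package names and timestamps in them are placeholders.

```python
"""Defender-side triage for the SpyLoan indicators and permission pattern.

Added example, not ESET's code. Hash and host values are the ones quoted in the
summary (defanged as published); manifest, inventory and log lines are constructed.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# SHA-1 hashes quoted in the summary, mapped to the APK filename ESET reported.
SPYLOAN_SHA1 = {
    "136067AC519C23EF7B9E8EB788D1F5366CCC5045": "com.aa.kredit.android.apk",
    "C0A6755FF0CCA3F13E3C9980D68B77A835B15E89": "com.amorcash.credito.prestamo.apk",
}

# C2 hosts quoted in the summary, kept defanged until matching time.
SPYLOAN_HOSTS_DEFANGED = [
    "3.109.98[.]108", "pss.aakredit[.]in",
    "35.86.179[.]229", "www.guayabacash[.]com",
]

# Runtime permissions that unlock the data classes SpyLoan harvests. A loan app
# declaring several of these is the pattern Google Play policy now prohibits.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "photos/Exif",
    "android.permission.READ_MEDIA_IMAGES": "photos/Exif",
    "android.permission.READ_PHONE_STATE": "IMEI/IMSI/SIM serial",
}

# Fully qualified attribute name for android:name in a parsed manifest.
ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"


def refang(indicator: str) -> str:
    """Turn a published, defanged indicator ("[.]") back into a matchable host."""
    return indicator.replace("[.]", ".")


def audit_manifest(manifest_xml: str) -> dict[str, str]:
    """Return {permission: data class} for each sensitive permission declared."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NAME)
        if name in SENSITIVE_PERMISSIONS:
            found[name] = SENSITIVE_PERMISSIONS[name]
    return found


def match_inventory(inventory: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """inventory: (package_name, sha1_hex) pairs from an MDM/EDR export.
    Returns (package_name, reported_apk_filename) for every SpyLoan hash hit."""
    return [(pkg, SPYLOAN_SHA1[sha1.upper()])
            for pkg, sha1 in inventory if sha1.upper() in SPYLOAN_SHA1]


def scan_proxy_log(lines: list[str]) -> list[tuple[str, str]]:
    """Return (matched_c2_host, line) for each log line reaching a listed C2."""
    c2 = {refang(h) for h in SPYLOAN_HOSTS_DEFANGED}
    token_re = re.compile(r"[A-Za-z0-9.-]+")  # hostnames and dotted IPs
    hits = []
    for line in lines:
        for token in token_re.findall(line):
            if token.lower() in c2:
                hits.append((token.lower(), line))
                break
    return hits


# ---- constructed sample inputs (placeholders, not real telemetry) ----
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.quickloan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

SAMPLE_INVENTORY = [
    ("com.aa.kredit.android", "136067ac519c23ef7b9e8eb788d1f5366ccc5045"),
    ("com.example.benign", "0000000000000000000000000000000000000000"),
]

SAMPLE_PROXY_LOG = [
    "2024-01-10T09:12:01Z src=10.0.0.12 dst=www.guayabacash.com:443 method=POST bytes=18342",
    "2024-01-10T09:12:05Z src=10.0.0.12 dst=3.109.98.108:443 method=POST bytes=9120",
    "2024-01-10T09:13:44Z src=10.0.0.20 dst=play.googleapis.com:443 method=GET bytes=512",
]

if __name__ == "__main__":
    print("sensitive permissions:", audit_manifest(SAMPLE_MANIFEST))
    print("hash hits:", match_inventory(SAMPLE_INVENTORY))
    for host, line in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"C2 contact with {host}: {line}")
```

The manifest audit is the most portable check: it needs only the decoded `AndroidManifest.xml` (for example from an `apktool` or `aapt` dump) and flags the permission combination independent of any hash, so it still fires on a repacked or obfuscated variant whose hash is not on the list.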

Read more: https://www.welivesecurity.com/en/eset-research/beware-predatory-fintech-loan-sharks-use-android-apps-reach-new-depths/