Dangerous SpyLend Malware Discovered in Google Play Store: Over 100,000 Downloads

CyberSecureFox 🦊

Cybersecurity researchers at Cyfirma have uncovered a sophisticated malware campaign distributing SpyLend through the Google Play Store. The malicious application, disguised as a legitimate financial tool called “Finance Simplified,” has accumulated over 100,000 downloads and is specifically targeting users in India as part of a broader SpyLoan fraud scheme.

Understanding SpyLend: A Sophisticated Financial Trojan

SpyLend represents a new evolution in financial malware, classified as a SpyLoan-type threat. These applications exploit users’ financial needs by promising quick loan approvals with attractive terms. However, their actual purpose is far more sinister: harvesting sensitive user data for extortion and predatory lending schemes. The malware’s sophisticated architecture and targeted approach demonstrate an advanced level of threat actor capabilities.

Critical Permission Abuse and Data Exfiltration

Upon installation, SpyLend requests an extensive set of dangerous permissions, including:

– Camera access (allegedly for KYC verification)
– Calendar and contacts access
– SMS reading capabilities
– Location tracking
– Device sensor data collection

These permissions enable comprehensive surveillance and data collection capabilities, potentially exposing victims to significant privacy and security risks.

Advanced Evasion Techniques

The malware employs sophisticated methods to bypass Google Play’s security mechanisms. It utilizes WebView technology to redirect users to external domains, where additional malicious APK files hosted on Amazon EC2 servers are downloaded. The malware’s geo-targeting functionality specifically activates its malicious components only for users in India, making detection more challenging.
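A defender-side triage check for the permission profile described in the two sections above, as an added example that is not part of the original article or of Cyfirma's analysis. It parses an Android manifest and flags an app that requests several of the listed permission groups at once, plus the sideloading permission an app needs to install additional APKs fetched from an external host; the manifest below is a constructed sample for a fictitious package, not the real Finance Simplified manifest.

```python
"""Triage an Android manifest for the SpyLoan-style permission profile
(camera, calendar, contacts, SMS, location, sensors) plus APK sideloading."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups a loan app rarely needs together (defender's view).
SPYLOAN_PROFILE = {
    "camera": {"android.permission.CAMERA"},
    "calendar": {"android.permission.READ_CALENDAR"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "sensors": {"android.permission.BODY_SENSORS"},
    # Needed to install extra APKs downloaded from an external server.
    "sideload": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

# Constructed sample manifest for a fictitious loan app (assumption, not from the page).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeloan">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of android:name values from <uses-permission> tags."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def matched_groups(perms):
    """List the profile groups covered by the requested permissions (in profile order)."""
    return [group for group, names in SPYLOAN_PROFILE.items() if perms & names]


def triage(manifest_xml, threshold=4):
    """Flag a manifest when it hits at least `threshold` profile groups."""
    groups = matched_groups(requested_permissions(manifest_xml))
    return len(groups) >= threshold, groups


if __name__ == "__main__":
    flagged, groups = triage(SAMPLE_MANIFEST)
    print("suspicious" if flagged else "ok", groups)
```

On a real device the same check can be fed the output of `aapt dump permissions` or the manifest extracted from the APK; the threshold is a tuning knob, not a verdict.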

Broader Campaign Infrastructure

The investigation revealed several related applications that are part of the same malicious network, including KreditApple, PokketMe, and StashFur. These applications share similar code structures and data theft mechanisms, indicating a coordinated campaign by the same threat actors.

While Google has removed Finance Simplified from the Play Store, the threat persists on infected devices. Security experts strongly advise users to implement comprehensive mobile security measures, including regular security audits of installed applications, even those from official sources. Users should immediately remove any applications exhibiting suspicious behavior and monitor their devices for unauthorized data access or unusual network activity. Organizations should update their mobile security policies to address the rising threat of financial malware distributed through legitimate app stores.
