Malicious Loan App Removed from iOS and Google Play App Store Posed Severe Risks to Users
A SpyLoan application called 'RapiPlata' was identified on a victim's device, having been downloaded by over 150,000 users from both Google Play and Apple App Store. The app, which ranked in the top 20 finance category in Colombia, had extensive access to sensitive user data, including SMS messages, call logs, calendar events, and installed applications. It uploaded this data to its servers, posing significant risks to users' privacy and financial security. The app's malicious behavior included harassing messages, unauthorized loan approvals, and data theft. Despite its removal from official app stores, it remains accessible through third-party websites. The app is part of a larger SpyLoan malware operation, with similarities to previously identified malicious apps.
AI Analysis
Technical Summary
The threat involves a malicious mobile application named 'RapiPlata', part of the SpyLoan malware family, which was distributed via both the Google Play Store and Apple App Store before being removed. The app was downloaded by over 150,000 users, primarily in Colombia, where it ranked in the top 20 finance apps. RapiPlata masquerades as a legitimate loan application but performs extensive unauthorized data collection and malicious activities. It gains access to highly sensitive user data, including SMS messages, call logs, calendar events, and lists of installed applications. This data is exfiltrated to attacker-controlled servers, enabling privacy violations and potential financial fraud. The app also harasses users with messages and can approve loans without user consent, indicating a direct financial impact on victims.

Despite removal from official app stores, the app remains accessible through third-party websites, increasing the risk of continued infections. The malware shares characteristics with other SpyLoan variants, suggesting a coordinated campaign targeting mobile users with predatory lending and data theft objectives. The indicators of compromise include numerous file hashes and malicious domains used for command and control or data exfiltration.

Installation likely requires user interaction, and the threat needs no authentication beyond that; once installed, the app operates stealthily to harvest data and conduct fraudulent activities. No known exploits in the wild are reported, but the app's presence in official stores prior to removal highlights gaps in app store vetting and the potential for widespread impact.
Potential Impact
For European organizations, the direct impact of this threat is primarily on individual users rather than enterprise systems, as the malware targets mobile devices through app installations. However, the extensive data theft capabilities pose significant privacy risks, potentially exposing sensitive personal information that could be leveraged for identity theft, financial fraud, or social engineering attacks against European employees or customers. Financial institutions and fintech companies in Europe could face reputational damage if their brand or services are mimicked by similar malicious apps or if their customers fall victim to such scams. Additionally, the persistence of the app on third-party sites increases the risk of infection among European users who download apps outside official stores, especially in countries with high mobile app usage and less stringent app vetting. The unauthorized loan approvals and harassing messages could lead to financial losses for individuals, which may translate into increased fraud claims and regulatory scrutiny for financial service providers. The campaign underscores the importance of mobile security hygiene and vigilance against predatory lending scams, which could be exploited by threat actors targeting vulnerable populations within Europe.
Mitigation Recommendations
1. Implement advanced mobile threat defense (MTD) solutions within corporate mobile device management (MDM) frameworks to detect and block malicious apps, including those sideloaded from third-party sources.
2. Educate employees and users about the risks of downloading apps from unofficial sources and encourage the use of official app stores only.
3. Monitor network traffic for communications with known malicious domains associated with SpyLoan campaigns (e.g., home.parkwaysas.co, t.copii.co, www.dineroya.co) and block these at the perimeter.
4. Employ behavioral analytics on mobile endpoints to detect anomalous activities such as unauthorized SMS scanning, call log access, or unusual calendar event modifications.
5. Financial institutions should enhance fraud detection mechanisms to identify unauthorized loan approvals or transactions potentially linked to malware activity.
6. Collaborate with app store providers and cybersecurity communities to share threat intelligence and expedite removal of malicious apps.
7. Encourage users to regularly review app permissions and uninstall suspicious or unused applications.
8. For organizations with BYOD policies, enforce strict app vetting and restrict installation of apps with excessive permissions.
9. Conduct regular security awareness campaigns focused on mobile threats and predatory lending scams.
10. Deploy endpoint detection and response (EDR) tools capable of identifying mobile malware behaviors and indicators of compromise related to SpyLoan variants.
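Recommendations 3 and 10 come down to matching observed DNS queries and file hashes against the indicators listed on this page. The following is an added example, not tooling from Check Point, AlienVault or OffSeq: it loads the page's IoC domains and hashes, classifies hashes by length (MD5, SHA-1, SHA-256), normalizes case and trailing dots, and sweeps a small constructed DNS-query log and a constructed list of file hashes. The log line format (`timestamp client query TYPE name`) and the client addresses are assumptions for the example.

```python
"""Sweep DNS-query records and file hashes against the RapiPlata IoCs on this page.
Added example; the log format and sample records below are constructed."""
import re
from typing import Iterable, Optional

# Domains and hashes exactly as listed in the page's indicator section.
IOC_DOMAINS = frozenset({"home.parkwaysas.co", "t.copii.co", "www.dineroya.co"})
IOC_HASHES = frozenset({
    "d259acdec1daec1ed50ccb1cb9bfaebc", "f4113ee0e58704eb6f1199d14feea59d",
    "0197e925dc4aefa02f29ba213431273ac94b9d4e",
    "5491a6c9dd0369ae835a824c9248ef60094b5a33",
    "2093d63e9bd882e0fe4033aa78544481e1ddf7f3d9932b1df6afa08fbeb795f0",
    "37086709e265de909df5b84384b934c9f5427f4b636287da6d1f9ecc70c73a9c",
    "3f87000c43f3cc2e37019ed590da72ec0c6c663257734095c5fd9306c11a6ce5",
    "5a81cfd390f96b1797b65ecf528d6f2dc110a2393192e27c92e7232be8b31efc",
    "608ffecca9c20b1b8da704256727225987d2da7223e106e5f2dea3c383bfe6a3",
    "99b61add54c2e322f1ab48260197e10a99e1fd039a97744f2d14320c5c0ca646",
    "afb116cf99c020419679684035ff7c4e3ecdfce6c8842108c228eef4a13058bd",
    "bca3a8a2ef6733e379b4b2e17c4b51f1b2ac147101b3196182c103a64d7059e7",
    "cf597690738b875daddb964abc313b34049c76afb001df0f3b8bcd9f3d358826",
    "d2413262042fa01e679795298d4541a114a73574c09d93240be64303946fc7f4",
    "da6ccef711ad52b598a34de69b4dbefd21242b75a79272463bc66d3935e0e6a2",
    "e0028b4cfe4216f49556f4e5b6b5fd62ebd3cbce0ed774efe893e86ee65fb649",
    "ea453b597cf6610e9a7f4e87e25509d3d48e50f2fbd2cc65f3f641566448511f",
    "f13238211b5df56eb8901fb2d8d11355ab4f442f24f45c79b14e60c83a1d48b9",
    "f19c438d98921e5cb468395228fe51f98eb1670a20b3f7cad40783cc5a6156ca",
})

_HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX_RE = re.compile(r"^[0-9a-f]+$")
# Assumed log shape: "<timestamp> <client-ip> query <TYPE> <qname>"
_DNS_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def hash_kind(value: str) -> Optional[str]:
    """Classify a digest by hex length; None for anything that is not a plain hex digest."""
    v = value.strip().lower()
    if not _HEX_RE.match(v):
        return None
    return _HASH_KINDS.get(len(v))


def normalize_domain(name: str) -> str:
    """Lower-case and drop the trailing dot that resolver logs often append."""
    return name.strip().lower().rstrip(".")


def matching_ioc_domain(qname: str) -> Optional[str]:
    """Return the IoC domain that qname equals or sits under, else None.
    A sibling label (api.copii.co next to t.copii.co) is deliberately not a match."""
    q = normalize_domain(qname)
    for ioc in IOC_DOMAINS:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def scan_dns_log(lines: Iterable[str]) -> list:
    """Return one hit dict per query that resolves an IoC domain; unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = _DNS_LINE_RE.match(line.strip())
        if not m:
            continue
        ioc = matching_ioc_domain(m["qname"])
        if ioc:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": normalize_domain(m["qname"]), "ioc": ioc})
    return hits


def scan_hashes(values: Iterable[str]):
    """Split input into (matched [(hash, kind)], rejected [malformed strings])."""
    matched, rejected = [], []
    for v in values:
        kind = hash_kind(v)
        if kind is None:
            rejected.append(v)
            continue
        h = v.strip().lower()
        if h in IOC_HASHES:
            matched.append((h, kind))
    return matched, rejected


# Constructed sample records (not real telemetry): two IoC lookups, one sibling
# domain that must not match, one benign query, one junk line.
SAMPLE_DNS_LOG = [
    "2025-06-21T10:50:19Z 10.0.0.5 query A home.parkwaysas.co.",
    "2025-06-21T10:50:20Z 10.0.0.5 query AAAA api.copii.co",
    "2025-06-21T10:51:02Z 10.0.0.7 query A T.COPII.CO",
    "2025-06-21T10:51:30Z 10.0.0.9 query A updates.example.net",
    "garbage line that does not parse",
]
# Constructed sample: a page MD5 in upper case, a page SHA-256, SHA-256 of empty input, junk.
SAMPLE_HASHES = [
    "D259ACDEC1DAEC1ED50CCB1CB9BFAEBC",
    "2093d63e9bd882e0fe4033aa78544481e1ddf7f3d9932b1df6afa08fbeb795f0",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "not-a-hash",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['client']} resolved {hit['qname']} (IoC {hit['ioc']})")
    matched, rejected = scan_hashes(SAMPLE_HASHES)
    print("hash matches:", matched, "rejected:", rejected)
```

On the sample input the sweep reports two DNS hits (home.parkwaysas.co from 10.0.0.5 and t.copii.co from 10.0.0.7), matches the MD5 and SHA-256 taken from the page, ignores the benign digest, and rejects the malformed string. Case folding and trailing-dot stripping matter in practice because resolver logs and MDM inventories rarely agree on either.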
Affected Countries
Spain, Italy, France, Germany, United Kingdom, Portugal, Belgium
Indicators of Compromise
- hash: d259acdec1daec1ed50ccb1cb9bfaebc
- hash: f4113ee0e58704eb6f1199d14feea59d
- hash: 0197e925dc4aefa02f29ba213431273ac94b9d4e
- hash: 5491a6c9dd0369ae835a824c9248ef60094b5a33
- hash: 2093d63e9bd882e0fe4033aa78544481e1ddf7f3d9932b1df6afa08fbeb795f0
- hash: 37086709e265de909df5b84384b934c9f5427f4b636287da6d1f9ecc70c73a9c
- hash: 3f87000c43f3cc2e37019ed590da72ec0c6c663257734095c5fd9306c11a6ce5
- hash: 5a81cfd390f96b1797b65ecf528d6f2dc110a2393192e27c92e7232be8b31efc
- hash: 608ffecca9c20b1b8da704256727225987d2da7223e106e5f2dea3c383bfe6a3
- hash: 99b61add54c2e322f1ab48260197e10a99e1fd039a97744f2d14320c5c0ca646
- hash: afb116cf99c020419679684035ff7c4e3ecdfce6c8842108c228eef4a13058bd
- hash: bca3a8a2ef6733e379b4b2e17c4b51f1b2ac147101b3196182c103a64d7059e7
- hash: cf597690738b875daddb964abc313b34049c76afb001df0f3b8bcd9f3d358826
- hash: d2413262042fa01e679795298d4541a114a73574c09d93240be64303946fc7f4
- hash: da6ccef711ad52b598a34de69b4dbefd21242b75a79272463bc66d3935e0e6a2
- hash: e0028b4cfe4216f49556f4e5b6b5fd62ebd3cbce0ed774efe893e86ee65fb649
- hash: ea453b597cf6610e9a7f4e87e25509d3d48e50f2fbd2cc65f3f641566448511f
- hash: f13238211b5df56eb8901fb2d8d11355ab4f442f24f45c79b14e60c83a1d48b9
- hash: f19c438d98921e5cb468395228fe51f98eb1670a20b3f7cad40783cc5a6156ca
- domain: home.parkwaysas.co
- domain: t.copii.co
- domain: www.dineroya.co
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blog.checkpoint.com/research/malicious-loan-app-removed-from-ios-and-google-play-app-store-posed-severe-risks-to-users
- Adversary: null
- Pulse Id: 6855b5c90dab89ef85ac3cc1
- Threat Score: null
Threat ID: 68568e6baded773421b59a96
Added to database: 6/21/2025, 10:50:19 AM
Last enriched: 6/21/2025, 1:07:45 PM
Last updated: 8/18/2025, 5:18:23 PM
Views: 52