Malicious Loan App Removed from iOS and Google Play App Store Posed Severe Risks to Users

Medium
Published: Fri Jun 20 2025 (06/20/2025, 19:26:01 UTC)
Source: AlienVault OTX General

Description

A SpyLoan application called 'RapiPlata' was identified on a victim's device, having been downloaded by over 150,000 users from both Google Play and Apple App Store. The app, which ranked in the top 20 finance category in Colombia, had extensive access to sensitive user data, including SMS messages, call logs, calendar events, and installed applications. It uploaded this data to its servers, posing significant risks to users' privacy and financial security. The app's malicious behavior included harassing messages, unauthorized loan approvals, and data theft. Despite its removal from official app stores, it remains accessible through third-party websites. The app is part of a larger SpyLoan malware operation, with similarities to previously identified malicious apps.

AI-Powered Analysis

Last updated: 06/21/2025, 13:07:45 UTC

Technical Analysis

The threat involves a malicious mobile application named 'RapiPlata,' part of the SpyLoan malware family, which was distributed via both the Google Play Store and Apple App Store before being removed. The app was downloaded by over 150,000 users, primarily in Colombia, where it ranked in the top 20 finance apps. RapiPlata masquerades as a legitimate loan application but performs extensive unauthorized data collection and malicious activities. It gains access to highly sensitive user data, including SMS messages, call logs, calendar events, and lists of installed applications. This data is exfiltrated to attacker-controlled servers, enabling privacy violations and potential financial fraud. The app also engages in harassing users with messages and can approve loans without user consent, indicating a direct financial impact on victims. Despite removal from official app stores, the app remains accessible through third-party websites, increasing the risk of continued infections. The malware shares characteristics with other SpyLoan variants, suggesting a coordinated campaign targeting mobile users with predatory lending and data theft objectives. The indicators of compromise include numerous file hashes and malicious domains used for command and control or data exfiltration. The threat does not require user authentication beyond installation and likely requires user interaction to install, but once installed, it operates stealthily to harvest data and conduct fraudulent activities. No known exploits in the wild are reported, but the app’s presence in official stores prior to removal highlights gaps in app store security and the potential for widespread impact.

Potential Impact

For European organizations, the direct impact of this threat is primarily on individual users rather than enterprise systems, as the malware targets mobile devices through app installations. However, the extensive data theft capabilities pose significant privacy risks, potentially exposing sensitive personal information that could be leveraged for identity theft, financial fraud, or social engineering attacks against European employees or customers. Financial institutions and fintech companies in Europe could face reputational damage if their brand or services are mimicked by similar malicious apps or if their customers fall victim to such scams. Additionally, the persistence of the app on third-party sites increases the risk of infection among European users who download apps outside official stores, especially in countries with high mobile app usage and less stringent app vetting. The unauthorized loan approvals and harassing messages could lead to financial losses for individuals, which may translate into increased fraud claims and regulatory scrutiny for financial service providers. The campaign underscores the importance of mobile security hygiene and vigilance against predatory lending scams, which could be exploited by threat actors targeting vulnerable populations within Europe.

Mitigation Recommendations

1. Implement advanced mobile threat defense (MTD) solutions within corporate mobile device management (MDM) frameworks to detect and block malicious apps, including those sideloaded from third-party sources.
2. Educate employees and users about the risks of downloading apps from unofficial sources and encourage the use of official app stores only.
3. Monitor network traffic for communications with known malicious domains associated with SpyLoan campaigns (e.g., home.parkwaysas.co, t.copii.co, www.dineroya.co) and block these at the perimeter.
4. Employ behavioral analytics on mobile endpoints to detect anomalous activities such as unauthorized SMS scanning, call log access, or unusual calendar event modifications.
5. Financial institutions should enhance fraud detection mechanisms to identify unauthorized loan approvals or transactions potentially linked to malware activity.
6. Collaborate with app store providers and cybersecurity communities to share threat intelligence and expedite removal of malicious apps.
7. Encourage users to regularly review app permissions and uninstall suspicious or unused applications.
8. For organizations with BYOD policies, enforce strict app vetting and restrict installation of apps with excessive permissions.
9. Conduct regular security awareness campaigns focused on mobile threats and predatory lending scams.
10. Deploy endpoint detection and response (EDR) tools capable of identifying mobile malware behaviors and indicators of compromise related to SpyLoan variants.
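Recommendations 3 and 10 amount to matching resolver logs and observed file digests against the indicators listed further down this page. The script below is an added example, not part of the original report or of any vendor tool: it embeds the page's three domains and nineteen hashes, matches DNS query names exactly or as subdomains (after normalising case and a trailing dot), and classifies each hash by its hex length. The log line layout ("timestamp client qname qtype") and the sample log lines and digests are constructed for the example and are not from the page.

```python
"""Match DNS query logs and observed file digests against the SpyLoan/RapiPlata
indicators listed on this page (domains and hashes only; nothing else is assumed)."""
import re
from typing import Dict, Iterable, List, Optional

# Domains and digests copied verbatim from the page's Indicators of Compromise section.
IOC_DOMAINS = {"home.parkwaysas.co", "t.copii.co", "www.dineroya.co"}
IOC_HASHES = {
    "d259acdec1daec1ed50ccb1cb9bfaebc",
    "f4113ee0e58704eb6f1199d14feea59d",
    "0197e925dc4aefa02f29ba213431273ac94b9d4e",
    "5491a6c9dd0369ae835a824c9248ef60094b5a33",
    "2093d63e9bd882e0fe4033aa78544481e1ddf7f3d9932b1df6afa08fbeb795f0",
    "37086709e265de909df5b84384b934c9f5427f4b636287da6d1f9ecc70c73a9c",
    "3f87000c43f3cc2e37019ed590da72ec0c6c663257734095c5fd9306c11a6ce5",
    "5a81cfd390f96b1797b65ecf528d6f2dc110a2393192e27c92e7232be8b31efc",
    "608ffecca9c20b1b8da704256727225987d2da7223e106e5f2dea3c383bfe6a3",
    "99b61add54c2e322f1ab48260197e10a99e1fd039a97744f2d14320c5c0ca646",
    "afb116cf99c020419679684035ff7c4e3ecdfce6c8842108c228eef4a13058bd",
    "bca3a8a2ef6733e379b4b2e17c4b51f1b2ac147101b3196182c103a64d7059e7",
    "cf597690738b875daddb964abc313b34049c76afb001df0f3b8bcd9f3d358826",
    "d2413262042fa01e679795298d4541a114a73574c09d93240be64303946fc7f4",
    "da6ccef711ad52b598a34de69b4dbefd21242b75a79272463bc66d3935e0e6a2",
    "e0028b4cfe4216f49556f4e5b6b5fd62ebd3cbce0ed774efe893e86ee65fb649",
    "ea453b597cf6610e9a7f4e87e25509d3d48e50f2fbd2cc65f3f641566448511f",
    "f13238211b5df56eb8901fb2d8d11355ab4f442f24f45c79b14e60c83a1d48b9",
    "f19c438d98921e5cb468395228fe51f98eb1670a20b3f7cad40783cc5a6156ca",
}

# Digest algorithm inferred from hex length only (MD5 / SHA-1 / SHA-256).
HASH_TYPE_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(digest: str) -> Optional[str]:
    """Return 'md5', 'sha1' or 'sha256' for a plain hex digest, else None."""
    d = digest.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", d):
        return None
    return HASH_TYPE_BY_LENGTH.get(len(d))


def domain_matches(qname: str) -> Optional[str]:
    """Return the IoC domain that qname equals or sits under, else None.
    Case and a trailing dot are normalised; the leading '.' in the suffix test
    keeps look-alikes such as xhome.parkwaysas.co from matching."""
    q = qname.rstrip(".").lower()
    for ioc in IOC_DOMAINS:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


# Assumed log layout (constructed for this example): "<timestamp> <client_ip> <qname> <qtype>".
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def scan_dns_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per DNS query whose name is a listed domain or a subdomain of one."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        ioc = domain_matches(m["qname"])
        if ioc:
            hits.append({"ts": m["ts"], "client": m["client"], "qname": m["qname"], "ioc": ioc})
    return hits


def scan_hashes(observed: Iterable[str]) -> List[Dict[str, str]]:
    """Return the observed digests that appear in the IoC list, with the inferred algorithm."""
    hits = []
    for h in observed:
        d = h.strip().lower()
        if d in IOC_HASHES:
            hits.append({"digest": d, "type": classify_hash(d)})
    return hits


# Constructed sample data (not from the page): a few resolver log lines and digests.
SAMPLE_DNS_LOG = [
    "2025-06-20T19:26:01Z 10.0.0.12 home.parkwaysas.co A",
    "2025-06-20T19:26:05Z 10.0.0.12 www.example.com A",
    "2025-06-20T19:27:10Z 10.0.0.33 cdn.t.copii.co A",
    "2025-06-20T19:27:12Z 10.0.0.33 xhome.parkwaysas.co A",
    "2025-06-20T19:28:00Z 10.0.0.41 WWW.DINEROYA.CO. AAAA",
    "this line is not a DNS record",
]
SAMPLE_DIGESTS = [
    "D259ACDEC1DAEC1ED50CCB1CB9BFAEBC",          # page MD5, upper-cased
    "0197e925dc4aefa02f29ba213431273ac94b9d4e",  # page SHA-1
    "0" * 64,                                    # placeholder digest, not listed
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS hit: {hit['client']} -> {hit['qname']} (IoC {hit['ioc']})")
    for hit in scan_hashes(SAMPLE_DIGESTS):
        print(f"Hash hit: {hit['digest']} ({hit['type']})")
```

Against the constructed sample, the scan reports three DNS hits (the exact domain, a subdomain of t.copii.co, and the upper-cased query with a trailing dot) and two hash hits; the look-alike xhome.parkwaysas.co and the malformed line are ignored. Feed real resolver or proxy logs through `scan_dns_log` after adjusting `DNS_LINE` to the actual export format, and treat any hit as a device to isolate and review for the app, not as proof of infection on its own.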

Technical Details

Author: AlienVault
TLP: white
References: https://blog.checkpoint.com/research/malicious-loan-app-removed-from-ios-and-google-play-app-store-posed-severe-risks-to-users
Adversary: null
Pulse Id: 6855b5c90dab89ef85ac3cc1
Threat Score: null

Indicators of Compromise

Hash (no descriptions were provided; the digest type is inferred from the hex length)

MD5:
d259acdec1daec1ed50ccb1cb9bfaebc
f4113ee0e58704eb6f1199d14feea59d

SHA-1:
0197e925dc4aefa02f29ba213431273ac94b9d4e
5491a6c9dd0369ae835a824c9248ef60094b5a33

SHA-256:
2093d63e9bd882e0fe4033aa78544481e1ddf7f3d9932b1df6afa08fbeb795f0
37086709e265de909df5b84384b934c9f5427f4b636287da6d1f9ecc70c73a9c
3f87000c43f3cc2e37019ed590da72ec0c6c663257734095c5fd9306c11a6ce5
5a81cfd390f96b1797b65ecf528d6f2dc110a2393192e27c92e7232be8b31efc
608ffecca9c20b1b8da704256727225987d2da7223e106e5f2dea3c383bfe6a3
99b61add54c2e322f1ab48260197e10a99e1fd039a97744f2d14320c5c0ca646
afb116cf99c020419679684035ff7c4e3ecdfce6c8842108c228eef4a13058bd
bca3a8a2ef6733e379b4b2e17c4b51f1b2ac147101b3196182c103a64d7059e7
cf597690738b875daddb964abc313b34049c76afb001df0f3b8bcd9f3d358826
d2413262042fa01e679795298d4541a114a73574c09d93240be64303946fc7f4
da6ccef711ad52b598a34de69b4dbefd21242b75a79272463bc66d3935e0e6a2
e0028b4cfe4216f49556f4e5b6b5fd62ebd3cbce0ed774efe893e86ee65fb649
ea453b597cf6610e9a7f4e87e25509d3d48e50f2fbd2cc65f3f641566448511f
f13238211b5df56eb8901fb2d8d11355ab4f442f24f45c79b14e60c83a1d48b9
f19c438d98921e5cb468395228fe51f98eb1670a20b3f7cad40783cc5a6156ca

Domain (no descriptions were provided)

home.parkwaysas.co
t.copii.co
www.dineroya.co

Threat ID: 68568e6baded773421b59a96

Added to database: 6/21/2025, 10:50:19 AM

Last enriched: 6/21/2025, 1:07:45 PM

Last updated: 8/18/2025, 12:19:36 AM

Views: 51
