Android App on Google Play Attacking Indian Users To Steal Login Credentials

A sophisticated Android malware campaign dubbed “SpyLend” has infiltrated the Google Play Store, masquerading as a financial utility app to target Indian users. Disguised as “Finance Simplified” (package: com.someca.count), the app has amassed over 100,000 downloads since February 2025, leveraging its official platform presence to bypass user suspicion. Cybersecurity firm CYFIRMA uncovered the operation, revealing a multi-layered attack designed to harvest sensitive data, deploy predatory loan services, and extort victims through blackmail.

Security researchers noted that once installed, SpyLend requests invasive permissions—including access to call logs, SMS, contacts, and the clipboard—under the guise of identity verification. For Indian users, it launches a WebView component loading content from adv[.]rp5[.]org, a domain hosting unauthorized loan applications. By dynamically injecting JavaScript code, SpyLend fetches loan application listings via endpoints such as app/product/app/list and app/loan/config. These APIs deliver loan parameters (interest rates, repayment methods) and track user interactions through app/user/saveVisitor, exfiltrating device metadata and behavioral analytics.

A critical evasion tactic involves hosting loan apps on Amazon EC2 instances, bypassing Play Store vetting. These loan services, such as KreditApple and MoneyApe, operate outside the Play Store’s scrutiny, redirecting victims to external Amazon EC2 servers to download malicious APKs (KreditApple.apk with SHA-256 fa27aa603eb6807dbc60d5dadc5b8f9b9290099f). Despite Google’s Play Protect safeguards, SpyLend’s use of WebView-delivered content allows real-time payload updates, evading static analysis.

Users reporting harassment and blackmail cite threats involving manipulated photos, fake nude images, and demands for payment. Negative reviews on the Play Store highlight complaints of data misuse, though the app remains available as of February 24, 2025. CYFIRMA’s YARA rules (detecting hashes like 95a44305f9162352eddbb31e3ea03d7e) and MITRE ATT&CK mappings emphasize defense evasion (T1628) and credential access (T1414). As financial malware evolves, collaborative efforts between app stores and cybersecurity entities remain critical to disrupting these threats.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 24 Feb 2025 15:05:14 +0000
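The WebView domain and the three API paths named in the article can be matched against web proxy logs to find devices that may have run the app. The following is an added example, not code from CYFIRMA or from the article; the log format, client addresses and `example.test` hosts are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Indicators quoted in the article (the domain is defanged there).
DEFANGED_DOMAIN = "adv[.]rp5[.]org"
API_PATHS = ("app/product/app/list", "app/loan/config", "app/user/saveVisitor")

def refang(indicator):
    """Turn a defanged indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()

DOMAIN = refang(DEFANGED_DOMAIN)

# Constructed sample log; assumed format: "<timestamp> <client> <method> <url>".
SAMPLE_LOG = f"""\
2025-02-24T10:01:02Z 10.0.0.15 GET https://{DOMAIN}/index.html
2025-02-24T10:01:05Z 10.0.0.15 POST https://api.example.test/app/user/saveVisitor?d=1
2025-02-24T10:02:11Z 10.0.0.22 GET https://news.example.test/app/loan/configuration
2025-02-24T10:03:40Z 10.0.0.31 GET https://sub.{DOMAIN.upper()}./x
2025-02-24T10:04:00Z 10.0.0.40 GET https://not{DOMAIN}.example.test/
malformed line
"""

def match_url(url, domain=DOMAIN):
    """Return the reasons a URL matches the article's indicators."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    reasons = []
    # Exact host or a true subdomain only, so look-alike hosts do not match.
    if host == domain or host.endswith("." + domain):
        reasons.append("domain")
    # The article gives no host for the API paths, so a path-only hit is a
    # weaker signal; match whole trailing segments, not substrings.
    path = parts.path.strip("/")
    for p in API_PATHS:
        if path == p or path.endswith("/" + p):
            reasons.append("path:" + p)
    return reasons

def scan(log_text):
    """Yield (client, url, reasons) for each well-formed line that matches."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of failing the scan
        _ts, client, _method, url = fields
        reasons = match_url(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits
```

Path-only hits deserve a second look before escalation, since generic paths can occur on unrelated services.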

