SYDNEY, December 1, 2022 – Lookout, Inc., the endpoint to cloud security company, today announced the discovery of nearly 300 loan apps that exhibit predatory behaviour such as exfiltrating excessive user data from mobile devices and harassing borrowers for repayment.
These apps, which were found in Africa and Southeast Asia, as well as India, Colombia, and Mexico, purportedly offer quick, fully-digital loan approvals with reasonable loan terms. In reality, they exploit victims' desire for quick cash in an attempt to ensnare borrowers into predatory loan contracts and require them to grant access to sensitive information on their device such as contacts, phone history, and SMS messages – information that would not be required in a valid loan application process.
In addition to predatory requests for excessive permissions, many of the loan operators display scam-like actions. Victims have reported that their loans came with hidden fees, high interest rates, and repayment terms that were much less favourable than what was posted on the app stores. Lookout Threat Lab also found evidence that the data exfiltrated from devices was sometimes used to pressure the customer for repayment – a common threat tactic to disclose a borrower's debt or other personal information to their network of contacts.
In total, Lookout researchers uncovered 251 Android apps on the Google Play Store with more than 15 million collective downloads. The team also identified 35 apps on the Apple App Store that were in the top 100 finance apps in their regional stores. Lookout has been in contact with Google and Apple about these apps and, at the time of publishing, none of them are available for download.
"Mobile apps have made managing our lives a lot easier and are a convenient way to interact with businesses such as financial institutions. However, when entrusting any app with sensitive personal information, it is extremely important to stop and ask yourself if the information being requested makes sense and if the business behind the app is a trusted entity," said Ruohan Xiong, senior security intelligence researcher, Lookout. "As these predatory loan apps have demonstrated, app permissions could easily be abused if users are not careful. While there are likely dozens of independent operators involved, all of these loan apps have a very similar business model – to trick victims into unfair loan terms and then extort payment."
Customers of Lookout Mobile Endpoint Security and Lookout Personal Digital Safety are protected from these threats. Even though these apps have been taken offline, Lookout recommends that consumers exercise caution when it comes to engaging with online businesses, including financial institutions.
Additional Resources:
- To learn more, visit www.lookout.com.
- Sign up for a complimentary Data Risk Assessment.
- Follow Lookout on its blog, LinkedIn and Twitter.
- Listen and subscribe to Security Soapbox, the Lookout podcast covering privacy, security, and everything in between.
About Lookout
Lookout, Inc. is the endpoint to cloud security company purpose-built for the intersection of enterprise and personal data. We safeguard data across devices, apps, networks and clouds through our unified, cloud-native security platform – a solution that's as fluid and flexible as the modern digital world. By giving organisations and individuals greater control over their data, we enable them to unleash its value and thrive. Lookout is trusted by enterprises of all sizes, government agencies and millions of consumers to protect sensitive data, enabling them to live, work and connect – freely and safely. To learn more about the Lookout Cloud Security Platform, visit www.lookout.com and follow Lookout on our blog, LinkedIn and Twitter.
Contact Lookout PR: press@lookout.com
© 2022 Lookout, Inc. LOOKOUT®, the Lookout Shield Design®, LOOKOUT with Shield Design®, SCREAM®, and SIGNAL FLARE® are registered trademarks of Lookout, Inc. in the United States and other countries. EVERYTHING IS OK®, LOOKOUT MOBILE SECURITY® and POWERED BY LOOKOUT® are registered trademarks of Lookout, Inc. in the United States; and POST PERIMETER SECURITY ALLIANCE™ is a trademark of Lookout, Inc. All other brand and product names are trademarks or registered trademarks of their respective holders.