A previously undocumented Android malware campaign was observed using money lending apps to extort victims into paying with personal information stolen from their devices.
Mobile security company Zimperium called the activity MoneyMonger, noting the use of the cross-platform Flutter framework to develop the apps.
MoneyMonger “uses Flutter’s framework to obfuscate malicious functionality and make it harder to detect malicious activity through static analysis,” said Zimperium researchers Fernando Sanchez, Alex Calleja, Matteo Favaro, and Gianluca Braga in a report shared with The Hacker News.
“Due to the nature of Flutter, the malicious code and malicious activity now hides behind a framework outside of the static analysis capabilities of legacy mobile security products.”
The campaign, believed to have been active since May 2022, is part of a broader effort previously disclosed by Indian cybersecurity firm K7 Security Labs.
None of the 33 apps used in the deceptive scheme were distributed through the Google Play Store. The money lending applications are instead available through unofficial app stores or get loaded on the phones via smishing, compromised websites, deceptive ads or social media campaigns.
Once installed, the malware poses a risk as it aims to prompt users to grant it intrusive permissions and collect a variety of private information under the pretense of guaranteeing a loan.
The collected data – including GPS locations, SMS, contacts, call logs, files, photos, and audio recordings – are then used as leverage to coerce victims into paying inordinately high interest rates on the loans, sometimes even after the loan has been paid back.
To make matters worse, the threat actors subject borrowers to harassment by threatening to reveal their information, calling people from the contact list, and sending abusive messages and morphed photos from the infected devices.
The scale of the campaign is unclear due to the use of sideloading and third-party app stores, but the rogue apps are estimated to have amassed over 100,000 downloads via these distribution vectors.
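The two traits described above, Flutter packaging and broad data-collection permissions, can be checked together when triaging a sideloaded APK. The following is an added example, not code from Zimperium's report or the original article; the permission-to-data mapping, the `min_hits` threshold and the function names are assumptions of this example, and the sample APK is constructed.

```python
import io
import zipfile

# Permissions matching the data types the article lists (GPS, SMS, contacts,
# call logs, files/photos, audio). This mapping is the example's assumption.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_EXTERNAL_STORAGE": "files and photos",
    "android.permission.RECORD_AUDIO": "audio recordings",
}
FLUTTER_LIBS = {"libflutter.so", "libapp.so"}  # engine + AOT-compiled Dart code


def triage_apk(apk_bytes, min_hits=4):
    """Report Flutter packaging and sensitive permissions found in an APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        # Flutter release builds ship their native libraries under lib/<abi>/.
        libs = {n.rsplit("/", 1)[-1] for n in names if n.startswith("lib/")}
        manifest = apk.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
    # The compiled manifest keeps strings in a pool encoded as UTF-8 or
    # UTF-16LE, so a byte search finds permission names without an AXML parser.
    found = sorted(label for perm, label in SENSITIVE.items()
                   if perm.encode("utf-8") in manifest
                   or perm.encode("utf-16-le") in manifest)
    is_flutter = FLUTTER_LIBS <= libs
    # App logic compiled into libapp.so is invisible to DEX-only scanners, so
    # Flutter plus broad data access is routed to manual review (heuristic).
    return {"flutter": is_flutter, "data_types": found,
            "review": is_flutter and len(found) >= min_hits}


def build_sample_apk(perms, flutter=True):
    """Constructed input: a minimal zip shaped like an APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        pool = b"\x00\x00".join(p.encode("utf-16-le") for p in perms)
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + pool)
        z.writestr("classes.dex", b"dex\n035\x00")
        if flutter:
            for lib in sorted(FLUTTER_LIBS):
                z.writestr("lib/arm64-v8a/" + lib, b"\x7fELF")
    return buf.getvalue()
```

A hit is a prompt for manual review rather than a verdict, since legitimate Flutter apps also ship these libraries and may request some of these permissions.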
“The very novel MoneyMonger malware campaign underscores a growing trend of malicious actors scamming victims out of money through blackmail and threats,” said Richard Melick, Zimperium’s director of mobile threat intelligence, in a statement.
“Quick loan programs are often full of predatory models like high interest rates and repayment models, but adding extortion into the equation increases the level of nastiness.”
The findings come two weeks after Lookout discovered nearly 300 mobile loan applications on Google Play and Apple’s App Store that had a combined total of more than 15 million downloads and were found to be engaging in predatory behavior.
Not only do these apps extract extraordinary amounts of user data, but they also come with hidden fees, high interest rates, and payment terms that are used to coerce victims into paying fraudulent loans.
“They exploit victims’ desire for a quick buck to trick borrowers into predatory loan agreements and require them to give access to sensitive information like contacts and text messages,” Lookout noted late last month.
Developing countries are a prime target for shady lending apps, as digital lending has seen explosive growth in markets like India, where people unknowingly turn to such platforms after being turned away by banks for failing to meet income requirements.
The exploitative nature of personal loan terms has also led to several cases of suicide in the country and prompted the Indian government to start work on an allow list of legal digital loan apps permitted in app stores.
Google announced in August that it had removed more than 2,000 loan-payout apps from its Play Store in India since the beginning of the year for violating its terms.
The government has also urged tough law enforcement action against credit apps, most of which are controlled by China and found to use harassment, extortion and harsh recovery techniques.