"SpyLend" Android malware: blackmail and financial crime from the Play Store
IT researchers report a malware called "SpyLend" from the Google Play Store that blackmails victims with sensitive information.
(Image: created with AI in Bing Designer by heise online / dmk)
IT security researchers have discovered malware in the Google Play Store that has been installed thousands of times. The apps are used for financial crime, for example by blackmailing victims with sensitive data stored on their Android smartphones.
In an analysis, IT researchers from Cyfirma take the malware apart. It is or was available for installation in Google's Play Store under the name "Finance Simplified" from the provider listed as com.someca.count. The other malicious apps carry the installation package names "KreditApple.apk" from com.kreditapplepronew.com, "Pokketme.apk" from com.poklaan.frein and "StashFur.apk" from com.stashfurpro.com. According to Cyfirma, the malicious app "Finance Simplified" was still available in the Play Store shortly before the weekend. Now, however, Google returns a 404 error when the associated page is requested.
For now: victims sought in India
The perpetrators are currently targeting victims in India. The apps are said to make "predatory credit requests". Based on the device's location, users in India are shown unauthorized loan apps that run inside WebView components, which lets the attackers bypass the Play Store's protection mechanisms. Once installed, the malicious apps collect sensitive user data, try to push exploitative loans on the victims and then attempt to extort money from them.
The campaign abuses the trust that prospective borrowers place in financial tools and app stores. It also shows the advanced methods criminals use to avoid detection and cause significant damage, the IT researchers explain.
The malware app was probably still available in the Google Play Store until the weekend. It reached between 50,000 and 100,000 installations within just one week, Cyfirma explains. Numerous user reviews complained about the blackmail attempts and the misuse of personal information, including the creation of fake nude images based on photos taken from the smartphones. The command-and-control servers run on Amazon's EC2 cloud systems. Since the admin panel offers English and Chinese, Cyfirma considers Chinese-speaking attackers possible. Interested readers can find very detailed insights into how the apps operate in the full Cyfirma analysis.
In addition to the APK names and listed providers in the Play Store, the Cyfirma analysis provides further indicators of an infection (Indicators of Compromise, IOCs). These include domain names of command-and-control servers and hashes of the malware APKs. The authors have also provided YARA rules for IT administrators.
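As an added example of how such IOCs are put to use on the defender's side (this is not code from the article or from Cyfirma), the following Python script matches the package names named above against the output of Android's `pm list packages -f` command and, optionally, compares the SHA-256 hashes of pulled APK files against an IOC list. The package list is taken from the article; the hash table is an empty placeholder to be filled from the Cyfirma analysis, and the `pm` output is constructed sample data.

```python
"""Check an Android package list and pulled APKs against SpyLend IOCs.

Added example, not part of the original article. Package names are those
reported in the Cyfirma analysis; APK hashes must be filled in from the
published IOC list (placeholder here); the sample `pm` output is constructed.
"""
import hashlib
import re

# Package names attributed to the SpyLend campaign in the article above.
SPYLEND_PACKAGES = {
    "com.someca.count": "Finance Simplified",
    "com.kreditapplepronew.com": "KreditApple",
    "com.poklaan.frein": "Pokketme",
    "com.stashfurpro.com": "StashFur",
}

# Placeholder: populate with SHA-256 -> label from the Cyfirma IOC list.
SPYLEND_APK_SHA256 = {
    # "<sha256 from IOC list>": "KreditApple.apk",
}

# Constructed sample in the format of `adb shell pm list packages -f`.
SAMPLE_PM_OUTPUT = """\
package:/data/app/~~abc==/com.someca.count-1/base.apk=com.someca.count
package:/system/app/Calendar/Calendar.apk=com.android.calendar
package:/data/app/~~xyz==/com.poklaan.frein-2/base.apk=com.poklaan.frein
package:/data/app/~~def==/com.example.bank-1/base.apk=com.example.bank
"""

# `pm list packages -f` prints "package:<apk path>=<package name>" per line;
# the path may itself contain '=' (base64 in the install dir), so anchor the
# package name at the end of the line and match the path lazily.
LINE_RE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[\w.]+)$")


def parse_pm_list(output):
    """Return {package_name: apk_path} parsed from `pm list packages -f` output."""
    installed = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            installed[m.group("pkg")] = m.group("path")
    return installed


def find_spylend_packages(output):
    """Return a sorted list of (package, label, apk_path) for known packages."""
    installed = parse_pm_list(output)
    return sorted(
        (pkg, SPYLEND_PACKAGES[pkg], path)
        for pkg, path in installed.items()
        if pkg in SPYLEND_PACKAGES
    )


def sha256_file(path):
    """Stream a file through SHA-256 so large APKs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_apk_hashes(paths, known=SPYLEND_APK_SHA256):
    """Return {path: label} for every APK whose SHA-256 appears in the IOC table."""
    hits = {}
    for p in paths:
        digest = sha256_file(p)
        if digest in known:
            hits[str(p)] = known[digest]
    return hits


if __name__ == "__main__":
    for pkg, label, path in find_spylend_packages(SAMPLE_PM_OUTPUT):
        print(f"IOC match: {pkg} ({label}) installed at {path}")
```

In practice the package list comes from `adb shell pm list packages -f` and suspicious APKs are retrieved with `adb pull` before hashing; a match on the package name alone is a strong signal, while the hash check is what ties an installed file to a specific sample from the IOC list.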
Time and again, criminals manage to smuggle malware past the security mechanisms of the smartphone platforms' app stores. The platform operators keep taking action against this: Google removed almost 2.4 million apps from the Play Store in 2024.
(dmk)