Fraudulent Digital Lending Android App Steals Users’ Sensitive Data

Cyble Research and Intelligence Labs analyzes how a fraudulent digital lending app steals users' sensitive information.

Thousands of Indian Users’ Data Are Being Leaked Through the LoanBee App

Fake digital lending apps are on the rise. They offer short-term loans to users who are especially vulnerable, mainly people in low-income groups. These fraudulent apps exploit borrowers by charging excessive interest rates, recovering the loan money in unethical ways, and breaching data privacy. The groups behind these apps also steal users’ sensitive data and use it for harsh loan recovery by blackmailing and harassing the borrowers.

Recently, Cyble Research & Intelligence Labs (CRIL) discovered leaked data of over 26500 Android users from India on the backend server of an Android application called LoanBee. Based on our research, we identified that LoanBee is a digital lending application that steals users’ sensitive data. The application was primarily hosted on Google Play Store, where it had more than 100,000 installs; it has since been removed from Google Play Store due to its unusual behavior. The figure below shows the LoanBee application’s removal from the Google Play Store.

Figure 1 – LoanBee App removed from Google Play Store

Though this application has been removed from Google Play Store, it is still available on various third-party app stores such as apkcombo.com, apkmonk.com, and apkfollow.com. Refer to Figure 2.

Figure 2 – Third-Party App Store Hosting LoanBee App

After successful installation on the Android device, this malicious application steals sensitive information such as device information, saved contacts, and SMSs and uploads the stolen data to a remote server.

The leaked data discovered by CRIL includes saved contact numbers, SMSs, basic device information, etc. The figure below shows a sample of the leaked victims’ contacts and SMS data.

Figure 3 – Leaked Contacts and SMSs Data

The image below depicts part of the leaked victim device’s basic information, including the installed applications list, hardware information, manufacturer details, etc.

Figure 4 – Device Info Leaked Data

Technical Analysis

APK Metadata Information

  • App Name: LoanBee
  • Package Name: com.loanbee
  • SHA256 Hash: 58d090b5ebf57a6af671a02b3b5719591cf2cb0d28de0ec4ebf2dc5393f79320

Figure 5 shows the metadata information of the application.

Figure 5 – App Metadata

Manifest Description

The malware requests 11 different permissions from the user, out of which it abuses at least 7. These dangerous permissions are listed below:

  • ACCESS_NETWORK_STATE: Allows the app to view information about network connections.
  • READ_PHONE_STATE: Allows access to phone state, including the current cellular network information, the phone number and serial number of this phone, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
  • READ_SMS: Access phone messages.
  • READ_CONTACTS: Access phone contacts.
  • ACCESS_COARSE_LOCATION: Allows the app to get the approximate location of the device from network sources, such as cell towers and Wi-Fi.
  • ACCESS_FINE_LOCATION: Allows the app to get the precise location of the device using the Global Positioning System (GPS).
  • RECEIVE_SMS: Allows an application to receive SMS messages.
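The permission set above, combined with a receiver registered for incoming SMS (the interception capability described in the source code review below), can be triaged statically from an app's manifest before installation. The following Python is an added example, not Cyble's code and not LoanBee's manifest; the embedded manifest and the package name com.example.lendingapp are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permissions the report lists as abused, mapped to the data each one exposes.
ABUSED = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "device",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_NETWORK_STATE": "network",
}

# Constructed sample manifest (not LoanBee's): it mirrors the permission set
# above and an SMS receiver like the one described in the source code review.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lendingapp">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(manifest_xml: str) -> dict:
    """Flag abused permissions, the data categories they expose, and whether a
    receiver is registered for incoming SMS (the OTP-interception capability)."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    flagged = sorted(p for p in perms if p in ABUSED)
    sms_receiver = any(a.get(ANDROID_NS + "name") == SMS_RECEIVED
                       for r in root.iter("receiver") for a in r.iter("action"))
    return {
        "package": root.get("package"),
        "flagged": flagged,
        "categories": sorted({ABUSED[p] for p in flagged}),
        "sms_receiver": sms_receiver,
        # Stored SMS + live SMS interception + contacts is the profile in the report.
        "loanbee_profile": sms_receiver and "contacts" in {ABUSED[p] for p in flagged},
    }
```

Run `triage_manifest` over the manifest extracted from an APK (for example with apktool) to get the same report for a real sample.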

Source Code Review

The malware uses the code snippet below to read the device’s contact data. This data can be misused by the people behind these fraudulent lending apps to blackmail the loan borrowers and threaten them by sending inappropriate messages to their contacts via SMS, WhatsApp, etc.

Figure 6 – Code to Collect Contacts

The malware uses the code below to collect the SMS data available on the victim’s device. This fraudulent lending group can use stolen SMS data to perform various malicious activities such as stealing contact details, bypassing two-factor authentication, etc.

Figure 7 – Code to Collect SMSs

The image below contains the malware’s code to intercept incoming SMSs. The incoming SMSs can contain One-Time-Password (OTP) and other sensitive information.

Figure 8 – Code to Intercept Incoming SMSs

The code snippet below shows the malware’s capability to collect the victim’s basic device information, such as IMEI, OS info, device type, etc.

Figure 9 – Code to Get Basic Phone Info

The code flow shown below demonstrates the malware uploading device data to the server through the URL: hxxps://api.loanbee[.]tech/v1/collect/upload.

Figure 10 – Code Flow to Send Data to the Server

Figure 11 below depicts the domain information of the URL: hxxps://api.loanbee[.]tech/v1/, through which the data is uploaded to the server.

Figure 11 – Domain Information of API

The application sends the data collected from the victim’s device to the server through the POST method. The stolen data can then be sold through deep/dark web marketplaces.
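Because the upload goes to a fixed API host over POST, it is easy to spot in egress or proxy logs. As an added example that is not part of Cyble's analysis, the following Python refangs the defanged upload URL from the IOC table, flags POST requests to it in constructed proxy log lines, and totals the bytes each client sent; the log format and the client addresses are assumptions.

```python
import re
from urllib.parse import urlsplit

# Defanged IOC as printed in the report; refang it before matching live logs.
IOC_URL_DEFANGED = "hxxps://api.loanbee[.]tech/v1/"


def refang(ioc: str) -> str:
    """Turn the report's defanged notation (hxxp, [.]) back into a matchable URL."""
    return re.sub(r"^hxxp", "http", ioc).replace("[.]", ".")


IOC_HOST = urlsplit(refang(IOC_URL_DEFANGED)).hostname   # api.loanbee.tech
IOC_PATH = urlsplit(refang(IOC_URL_DEFANGED)).path       # /v1/

# Constructed proxy log lines: client, method, URL, status, bytes sent by client.
SAMPLE_LOG = """\
10.0.0.12 POST https://api.loanbee.tech/v1/collect/upload 200 48213
10.0.0.12 GET https://www.example.org/ 200 512
10.0.0.27 POST https://api.loanbee.tech/v1/collect/upload 200 91022
10.0.0.31 GET https://api.loanbee.tech/v1/status 200 88
10.0.0.40 POST https://cdn.example.net/upload 200 70000
"""


def find_exfil(log_text: str) -> list:
    """Return the requests that match the upload pattern: a POST to the IOC host
    under the IOC API path. GETs to the same host are not counted as uploads."""
    hits = []
    for line in log_text.splitlines():
        client, method, url, status, sent = line.split()
        parts = urlsplit(url)
        if method == "POST" and parts.hostname == IOC_HOST and parts.path.startswith(IOC_PATH):
            hits.append({"client": client, "path": parts.path, "bytes": int(sent)})
    return hits


def bytes_per_client(hits: list) -> dict:
    """Total uploaded bytes per client, a rough measure of how much each device leaked."""
    totals = {}
    for h in hits:
        totals[h["client"]] = totals.get(h["client"], 0) + h["bytes"]
    return totals
```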

Conclusion

In the above analysis, we have demonstrated how a fraudulent digital lending application steals users’ sensitive data. The LoanBee application had installations in lakhs before it was removed from Google Play Store.

In the past, we have seen many instances of illegal loan apps with five-star reviews and the occasional verified badge on the Google Play Store; however, these were generated automatically by bots to make the apps appear legitimate. Users should verify a digital lending platform’s registration with regulatory bodies like RBI, SEBI, etc. before downloading its app.

Our Recommendations

We have listed some essential cybersecurity best practices that form the first line of defense against attackers. We recommend that our readers follow the best practices given below:

How to prevent malware infection?

  • Verify the authenticity of the application.
  • Don’t grant permissions that are not relevant to the application’s function.
  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
  • Keep an eye on the alerts provided by anti-virus software and the Android OS, and take the necessary actions accordingly.

What to do when you are infected?

  • Disable Wi-Fi/Mobile data and remove SIM cards – as in some cases, the malware can re-enable the Mobile Data.
  • Perform a factory reset.
  • Remove the application in case a factory reset is not possible.
  • Take a backup of personal media files (excluding mobile applications) and perform a device reset.

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank.

What should banks do to protect their customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.

MITRE ATT&CK® Techniques

  • Initial Access: T1475 – Deliver Malicious App via Authorized App Store; T1476 – Deliver Malicious App via Other Means
  • Execution: T1575 – Native Code
  • Collection: T1636.004 – Capture SMS Messages; T1636.003 – Capture Contact List
  • Command and Control: T1436 – Commonly Used Port

Indicators of Compromise (IOCs)

  • 8b96a7368b27503e9e0998dde5012c62 (MD5): LoanBee APK
  • 9c47df8d20fd30dc30bac26ae2c8fe1a7bf1e0ac (SHA1): LoanBee APK
  • 58d090b5ebf57a6af671a02b3b5719591cf2cb0d28de0ec4ebf2dc5393f79320 (SHA256): LoanBee APK
  • hxxps://api.loanbee[.]tech/v1/ (URL): API used to upload data
