Thousands of Indian User’s Data are being leaked Through the LoanBee App
Fake digital lending apps are growing nowadays and provide short-term loans to users who are especially vulnerable and low income-group people. These fraudulent apps exploit borrowers by charging an excessive interest rate, recovering the loan money in an unethical way, and breaching data privacy. The group behind these fraudulent apps also steals users’ sensitive data for harsh loan recovery by blackmailing and harassing them.
Recently, Cyble Research & Intelligence Labs (CRIL) discovered leaked data of over 26500 Android users from India through the backend server of an Android application called LoanBee. Based on our research, we identified that the LoanBee is a digital lending application that steals users’ sensitive data. This application was primarily hosted on Google Play Store with more than 100,000 installs, and now it has been removed from Google Play Store due to its unusual behavior. The figure below demonstrates the LoanBee application’s removal from the Google Play Store.
Though this application has been removed from Google Play Store, it is still available on various third-party app stores such as apkcombo.com, apkmonk.com, and apkfollow.com. Refer to figure 2.
During successful installation on the Android device, this malicious application steals sensitive information such as device information, saved contacts, and SMSs and uploads the stolen data to the remote server.
The leaked data discovered by CRIL includes saved contact numbers, SMSs, basic device information, etc. The below figure demonstrates the sample of leaked Victim’s Contacts and SMSs data.
The image below depicts the part of the leaked victim device’s basic information, including the installed applications list, hardware information, manufacturer details, etc.
Technical Analysis
APK Metadata Information
- App Name: LoanBee
- Package Name: com.loanbee
- SHA256 Hash: 58d090b5ebf57a6af671a02b3b5719591cf2cb0d28de0ec4ebf2dc5393f79320
Figure 5 shows the metadata information of the application.
Manifest Description
The malware requests 11 different permissions from the user, out of which it abuses at least 7. These dangerous permissions are listed below:
| Permissions | Description |
| ACCESS_NETWORK_STATE | Allows the app to view information about network connections |
| READ_PHONE_STATE | Allows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device. |
| READ_SMS | Access phone messages |
| READ_CONTACTS | Access phone contacts |
| ACCESS_COARSE_LOCATION | Allows the app to get the approximate location of the device network sources, such as cell towers and Wi-Fi |
| ACCESS_FINE_LOCATION | Allows the app to get the precise location of the device using the Global Positioning System (GPS) |
| RECEIVE_SMS | Allows an application to receive SMS messages. |
Source Code Review
The malware uses the code snippet below to read the device’s contact data. These data could be misused by the people behind these fraudulent lending apps to blackmail the loan borrowers and threatens them by sending an inappropriate message to their contacts via SMSs, WhatsApp, etc.
The malware uses the code below to collect the SMS data available on the victim’s device. This fraudulent lending group can use stolen SMS data to perform various malicious activities such as stealing contact details, bypassing two-factor authentication, etc.
The image below contains the malware’s code to intercept incoming SMSs. The incoming SMSs can contain One-Time-Password (OTP) and other sensitive information.
The code snippet below shows the malware’s capability to collect the victim’s basic device information, such as IMEI, OS info, device type, etc.
The below-shown code flow demonstrates malware uploading device data to the server through the URL: hxxps://api.loanbee[.]tech/v1/collect/upload.
Below figure 11 depicts the domain information of the URL: hxxps://api.loanbee[.]tech/v1/ through which the data is being uploaded to the server.
The application sends the data collected from the victim’s device to the server through the POST method. Further, the stolen data can be sold through deep/darkweb marketplaces.
Conclusion
In the above analysis, we have demonstrated how a fraudulent digital lending application steals users’ sensitive data. The LoanBee application had installations in lakhs before it was removed from Google Play Store.
In the past, we have seen many instances of illegal loan apps with five-star reviews and the occasional verified badge on the google play store. Still, they were generated automatically by bots to appear legitimate. Users should download digital lending apps by verifying the platform’s registration with regulatory bodies like RBI, SEBI, etc.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Verify the authenticity of the application.
- Don’t allow permissions if this is not relevant to the application.
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?
- Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
- Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.
What to do when you are infected?
- Disable Wi-Fi/Mobile data and remove SIM cards – as in some cases, the malware can re-enable the Mobile Data.
- Perform a factory reset.
- Remove the application in case a factory reset is not possible.
- Take a backup of personal media Files (excluding mobile applications) and perform a device reset.
What to do in case of any fraudulent transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank.
What should banks do to protect their customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1475 T1476 | Deliver Malicious App via Other Means. Deliver Malicious App via Authorized App Store. |
| Execution | T1575 | Native Code |
| Collection | T1636.004 T1636.003 | Capture SMS MessagesCapture Contact List |
| Command and Control | T1436 | Commonly Used Port |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 8b96a7368b27503e9e0998dde5012c62 | MD5 | LoanBee APK |
| 9c47df8d20fd30dc30bac26ae2c8fe1a7bf1e0ac | SHA1 | LoanBee APK |
| 58d090b5ebf57a6af671a02b3b5719591cf2cb0d2 8de0ec4ebf2dc5393f79320 | SHA256 | LoanBee APK |
| hxxps://api.loanbee[.]tech/v1/ | URL | API Used to Upload Data |
