Fraudulent Digital Lending Andriod App Steals Users’ Sensitive Data

Thousands of Indian User’s Data are being leaked Through the LoanBee App

Fake digital lending apps are growing nowadays and provide short-term loans to users who are especially vulnerable and low income-group people. These fraudulent apps exploit borrowers by charging an excessive interest rate, recovering the loan money in an unethical way, and breaching data privacy. The group behind these fraudulent apps also steals users’ sensitive data for harsh loan recovery by blackmailing and harassing them.

Recently, Cyble Research & Intelligence Labs (CRIL) discovered leaked data of over 26500 Android users from India through the backend server of an Android application called LoanBee. Based on our research, we identified that the LoanBee is a digital lending application that steals users’ sensitive data. This application was primarily hosted on Google Play Store with more than 100,000 installs, and now it has been removed from Google Play Store due to its unusual behavior. The figure below demonstrates the LoanBee application’s removal from the Google Play Store.

Figure 1 -LoanBee App removed from Google Play Store

Though this application has been removed from Google Play Store, it is still available on various third-party app stores such as,, and Refer to figure 2.

Figure 2 – Third-Party App Store Hosting LoanBee App

During successful installation on the Android device, this malicious application steals sensitive information such as device information, saved contacts, and SMSs and uploads the stolen data to the remote server.

The leaked data discovered by CRIL includes saved contact numbers, SMSs, basic device information, etc. The below figure demonstrates the sample of leaked Victim’s Contacts and SMSs data.

Figure 3 – Leaked Contacts and SMSs Data

The image below depicts the part of the leaked victim device’s basic information, including the installed applications list, hardware information, manufacturer details, etc.

Figure 4 – Device Info Leaked Data

Technical Analysis

APK Metadata Information

  • App Name: LoanBee
  • Package Name: com.loanbee
  • SHA256 Hash: 58d090b5ebf57a6af671a02b3b5719591cf2cb0d28de0ec4ebf2dc5393f79320

Figure 5 shows the metadata information of the application.

Figure 5 – App Metadata

Manifest Description

The malware requests 11 different permissions from the user, out of which it abuses at least 7. These dangerous permissions are listed below:

ACCESS_NETWORK_STATEAllows the app to view information about network connections
READ_PHONE_STATEAllows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.
READ_SMSAccess phone messages
READ_CONTACTSAccess phone contacts
ACCESS_COARSE_LOCATIONAllows the app to get the approximate location of the device network sources, such as cell towers and Wi-Fi
ACCESS_FINE_LOCATIONAllows the app to get the precise location of the device using the Global Positioning System (GPS)
RECEIVE_SMSAllows an application to receive SMS messages.

Source Code Review

The malware uses the code snippet below to read the device’s contact data. These data could be misused by the people behind these fraudulent lending apps to blackmail the loan borrowers and threatens them by sending an inappropriate message to their contacts via SMSs, WhatsApp, etc.

Figure 6 – Code to Collect Contacts

The malware uses the code below to collect the SMS data available on the victim’s device. This fraudulent lending group can use stolen SMS data to perform various malicious activities such as stealing contact details, bypassing two-factor authentication, etc.

Figure 7 – Code to Collect SMSs

The image below contains the malware’s code to intercept incoming SMSs. The incoming SMSs can contain One-Time-Password (OTP) and other sensitive information.

Figure 8 – Code to Intercept Incoming SMSs

The code snippet below shows the malware’s capability to collect the victim’s basic device information, such as IMEI, OS info, device type, etc.

Figure 9 – Code to Get Basic Phone Info

The below-shown code flow demonstrates malware uploading device data to the server through the URL: hxxps://api.loanbee[.]tech/v1/collect/upload.

Figure 10 – Code Flow to Send Data to the Server

Below figure 11 depicts the domain information of the URL: hxxps://api.loanbee[.]tech/v1/ through which the data is being uploaded to the server.

Figure 11 – Domain Information of API

The application sends the data collected from the victim’s device to the server through the POST method. Further, the stolen data can be sold through deep/darkweb marketplaces.


In the above analysis, we have demonstrated how a fraudulent digital lending application steals users’ sensitive data. The LoanBee application had installations in lakhs before it was removed from Google Play Store.

In the past, we have seen many instances of illegal loan apps with five-star reviews and the occasional verified badge on the google play store. Still, they were generated automatically by bots to appear legitimate. Users should download digital lending apps by verifying the platform’s registration with regulatory bodies like RBI, SEBI, etc.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How to prevent malware infection?

  • Verify the authenticity of the application.
  • Don’t allow permissions if this is not relevant to the application.
  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.

What to do when you are infected?

  • Disable Wi-Fi/Mobile data and remove SIM cards – as in some cases, the malware can re-enable the Mobile Data.
  • Perform a factory reset.
  • Remove the application in case a factory reset is not possible.
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset.

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank.

What should banks do to protect their customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1475
Deliver Malicious App via Other Means.
Deliver Malicious App via Authorized App Store.
ExecutionT1575Native Code
Capture SMS MessagesCapture Contact List
Command and ControlT1436Commonly Used Port

Indicators of Compromise (IOCs)

IndicatorsIndicator TypeDescription
8b96a7368b27503e9e0998dde5012c62MD5LoanBee APK
9c47df8d20fd30dc30bac26ae2c8fe1a7bf1e0acSHA1LoanBee APK
SHA256LoanBee APK
hxxps://api.loanbee[.]tech/v1/URLAPI Used to Upload Data

Scroll to Top