FOCUS MODE
EXTRACT IOC
Threat Research

SPYLEND: The Android App Available on Google Play Store: Enabling Financial Cyber Crime & Extortion

Cyfirma
SPYLEND: The Android App Available on Google Play Store: Enabling Financial Cyber Crime & Extortion
This report discusses the malicious Android app “SpyLend,” disguised as a legitimate finance application. It exploits location-based targeting to facilitate predatory lending practices against Indian users, leading to data harvesting and potential extortion. The findings emphasize the ongoing risks associated with questionable mobile applications available on platforms like the Google Play Store. Affected: Android users, financial sector, app development community

Keypoints :

  • The app “Finance Simplified” is available on the Google Play Store despite being malicious.
  • Downloads surged from 50,000 to 100,000 within a week.
  • User reviews report blackmail, harassment, and misuse of personal data.
  • Utilizes location-based targeting to show fake loan applications specifically for Indian users.
  • The app downloads additional APKs from external sources, bypassing safety checks.
  • Photos, videos, and personal contacts are accessed and potentially exploited.
  • A custom Command & Control (C2) infrastructure is utilized by the attackers.
  • Threatening behaviors include creating fake nude images for extortion.
  • Multiple endpoints are active for dynamic content loading and user tracking.

MITRE Techniques :

  • Initial Access (TA0027) – T1474: Supply Chain Compromise
  • Persistence (TA0028) – T1541: Foreground Persistence
  • Persistence (TA0028) – T1603: Scheduled Task/Job
  • Defense Evasion (TA0030) – T1628: Hide Artifacts
  • Credential Access (TA0031) – T1414: Clipboard Data
  • Discovery (TA0032) – T1420: File and Directory Discovery
  • Collection (TA0035) – T1414: Clipboard Data, T1636.002: Call Log, T1636.003: Contact List
  • Command and Control (TA0037) – T1437: Application Layer Protocol
  • Exfiltration (TA0036) – T1646: Exfiltration Over C2 Channel

Indicator of Compromise :

  • [File] 95a44305f9162352eddbb31e3ea03d7e826ba67 (Finance Simplified.apk)
  • [File] fa27aa603eb6807dbc60d5dadc5b8f9b9290099f (KreditApple.apk)
  • [File] ce8461cb0f4ecebf943ef6fedbcc05331cdee21ded860f38fe05487b32efb48b (Pokketme.apk)
  • [File] ba8a7273e79e5d812244c53f1bc591ddbc6f56 (StashFur.apk)
  • [IP] 16.163.9.142


Full Story: https://www.cyfirma.com/research/spylend-the-android-app-available-on-google-play-store-enabling-financial-cyber-crime-extortion/

Tags: DISCOVERY, IOS, PENETRATION, COLLECTION, SMS, DEFENSE EVASION, EMAIL, EXFILTRATION