An Android application, ‘LoanBee’, which lends money to low-income groups, was found stealing clients’ data. As per a report published by researchers at Cyble Research & Intelligence Labs (CRIL), the app had over 100,000 installations on the Google Play Store and released data of more than 265,000 Indian users online.
According to the report, the digital money lending LoanBee app used stolen data to get the loaned money back and extort more money in the form of unfair and excessive interest rates. Many involved in this money lending scheme used the stolen data to blackmail and harass their clients to recover the loan, Cyble researchers told The Cyber Express.
Sensitive data such as contacts, messages, one-time passwords, and device data are stolen from the device once the app is installed. The device data that gets stolen include IMEI, version, memory details, and OS details.
CRIL researchers shared samples of the leaked data had personally identifiable information such as names, the last time the individual was contacted, the time they were contacted, and so on.
Besides this, the app also seeks 11 other app permissions as shown in the image below:
| Permissions | Description |
| ACCESS_NETWORK_STATE | Allows the app to view information about network connections |
| READ_PHONE_STATE | Allows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device. |
| READ_SMS | Access phone messages |
| READ_CONTACTS | Access phone contacts |
| ACCESS_COARSE_LOCATION | Allows the app to get the approximate location of the device network sources, such as cell towers and Wi-Fi |
| ACCESS_FINE_LOCATION | Allows the app to get the precise location of the device using the Global Positioning System (GPS) |
| RECEIVE_SMS | Allows an application to receive SMS messages. |
Requested permissions by the LoanBee app (Source: Cyble)
The malware in the LoanBee app was captured while sending system data to its control server using hxxps://api.loanbee[.]tech/v1/collect/upload address. This information can be further misused to make money by selling or leaking it on the dark web. The report confirmed that the app is no longer available on Google Play Store however it can be found on other platforms. App stores like apkcombo.com, apkmonk.com, and apkfollow.com are still host the LoanBee app.
Indicators of compromise
- 8b96a7368b27503e9e0998dde5012c62
- 9c47df8d20fd30dc30bac26ae2c8fe1a7bf1e0ac
- 58d090b5ebf57a6af671a02b3b5719591cf2cb0d28de0ec4ebf2dc5393f79320
Several bot accounts are regularly created and uploaded to app stores. It is also rated highly, with fake reviews and a fan base. CRIL urged users not to download required applications only based on its rating and reviews.
Checking the authenticity of apps on their official website, client base, reviews in other media, etc., can collectively be used to form an opinion about it. Furthermore, they asked users to verify digital money-lending apps on regulatory bodies, including the Reserve Bank of India, and the Securities and Exchange Board of India.
Monitoring the permissions an application seeks and denying those that are not relevant to the app’s services can help limit the reach of applications. Using updated anti-virus software and not opening links that are from unknown sources is recommended. In case of finding any fraudulent transactions, reporting to the bank and cyber crime cell can help get the money back and catch the culprits.
