Android App on Google Play Targets Indian Users to Steal Login Credentials

A recently uncovered Android application, Finance Simplified (package: com.someca.count), has made its presence felt on the Google Play Store, masquerading as a financial management tool aimed at Indian users. While it purports to offer an EMI calculator, this app is, in fact, a sophisticated malware platform designed to facilitate predatory lending, data theft, and extortion.

Rapid Spread and Exploitative Practices

The app’s download figures have escalated dramatically, jumping from 50,000 to 100,000 installations within a mere week. Once users install the app, it employs location-based targeting to present unauthorized loan applications via WebView. These applications redirect users to external websites that circumvent Google Play’s security protocols by hosting APK files on off-site servers. Victims find themselves ensnared in exploitative loan agreements, often facing harassment through blackmail tactics, including the creation of deepfake images using their personal photographs.

Technical Mechanisms and Data Breaches

Upon installation, the app requests an alarming array of permissions, including access to location data, contacts, call logs, SMS messages, clipboard content, and external storage. It operates stealthily, gathering sensitive information such as passwords, credit card numbers, and private messages, which are then transmitted to a command-and-control (C2) server hosted on Amazon EC2 infrastructure. Notably, the admin panel of this server supports both English and Chinese languages, hinting at the possible involvement of Chinese-speaking attackers.

Key features of the app’s malicious activities include:

  • Dynamic WebView Manipulation: Injecting JavaScript code to present fake loan applications customized to the user’s location.
  • Persistent Data Harvesting: Capturing clipboard entries, tracking call logs, extracting contact details (including emails and phone numbers), and monitoring SMS communications.
  • Blackmail Tactics: Altering user photos into fake nude images for extortion purposes.
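The permission profile described above (location, contacts, call logs, SMS, storage on an app that claims to be an EMI calculator) is something a reviewer can check mechanically before an app reaches users. The following is an added triage example, not code from the article or from Cyfirma: it parses the `<uses-permission>` entries of an `AndroidManifest.xml`, weights them, and flags combinations that a finance calculator has no plausible need for. The risk weights, the `SUSPICIOUS_COMBOS` table and the two sample manifests (package names `com.example.emi_calc` and `com.example.plain_calc`) are constructed for the example and are not taken from the real app.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this namespace in a decoded manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Triage weights for the permission classes the article reports the app
# requesting. The numbers are my own assumption, not a published scheme.
RISK_WEIGHTS = {
    "android.permission.READ_SMS": 3,
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.READ_CALL_LOG": 3,
    "android.permission.READ_CONTACTS": 2,
    "android.permission.ACCESS_FINE_LOCATION": 2,
    "android.permission.ACCESS_COARSE_LOCATION": 1,
    "android.permission.READ_EXTERNAL_STORAGE": 1,
    "android.permission.WRITE_EXTERNAL_STORAGE": 1,
}

# Combinations that map onto the harvesting and targeting behaviour described
# in the article. A loan/EMI calculator needs none of these.
SUSPICIOUS_COMBOS = [
    ({"android.permission.READ_SMS", "android.permission.READ_CONTACTS"},
     "SMS plus contacts harvesting"),
    ({"android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS"},
     "call log plus contacts harvesting"),
    ({"android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET"},
     "location-based content targeting"),
]


def parse_manifest(manifest_xml: str):
    """Return (package name, set of requested permission names)."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            perms.add(name)
    return root.get("package"), perms


def score_manifest(manifest_xml: str) -> dict:
    """Weight the permissions and report suspicious combinations."""
    package, perms = parse_manifest(manifest_xml)
    score = sum(RISK_WEIGHTS.get(p, 0) for p in perms)
    findings = [label for needed, label in SUSPICIOUS_COMBOS if needed <= perms]
    # Escalate on any flagged combination, or on a high cumulative weight.
    verdict = "escalate" if findings or score >= 6 else "low"
    return {"package": package, "score": score,
            "findings": findings, "verdict": verdict}


# Constructed manifest mirroring the permission set the article describes.
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.emi_calc">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>
"""

# Constructed manifest for a calculator that only needs network access.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plain_calc">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

if __name__ == "__main__":
    for m in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(score_manifest(m))
```

Run against a manifest decoded from an APK (for example with apktool), the suspect profile scores 14 and trips all three combination rules, while the plain calculator scores 0. The combination rules matter more than the raw score: a single location permission is common in legitimate apps, but location together with SMS and contact access on a calculator is the pattern worth escalating for manual review.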

An investigation by Cyfirma has revealed that Finance Simplified is part of a broader network of fraudulent applications, including KreditApple, MoneyAPE, StashFur, and PokketMe. These apps share similar interfaces and privacy policies while falsely claiming registration with Indian financial regulators—a claim disproven by their subsequent removal from the Play Store for fraudulent activities. They employ misleading tactics, such as dynamic privacy policies hosted on external URLs, which can be modified post-installation without user awareness. This allows attackers to inject harmful updates or redirect users to phishing sites.

The emergence of applications like Finance Simplified highlights the increasing sophistication of cybercriminals exploiting mobile platforms. Users are urged to meticulously examine app permissions and refrain from downloading applications from unverified sources, even those available on official platforms like Google Play Store. Organizations are encouraged to adopt robust endpoint security measures and collaborate with app marketplaces to swiftly identify and eliminate malicious applications. This situation serves as a crucial reminder of the pressing need for enhanced cybersecurity awareness in the ongoing battle against financial cybercrime in India and beyond.

