MEGALO-(414E)-DON: uncovering data espionage, blackmailing and shell companies in mobile lending apps

Friday 6 October 11:30 - 12:00, Red room

Jagadeesh Chandraiah (Sophos)

Years of pandemic, lockdowns, the cost-of-living crisis and rising inflation have taken money out of people’s pockets, especially in developing nations, pushing an increasing number of people to rely on taking out personal loans. Traditional banks have been tightening their lending policies – borrowers need good credit scores, and in some countries they even ask for collateral to lend money in this tough economic climate. Spotting a gap in the market, several malevolent mobile lending applications have arisen to lend to individuals when they are in a vulnerable situation.

Mobile lending applications have been a problem on app platforms for years, with few legitimate apps and several fraudulent ones. Researchers have been finding lending applications that have been violating policies for years. App platforms have brought in several policy updates to curb illegal applications, but they circumvent these policies with fake information and have been thriving more than ever, particularly in the Google Play store, due to Android having a higher market share in developing nations.

These lending apps claim to charge low interest and have longer repayment schedules, but in reality, have shorter repayment schedules ranging from seven days to a few weeks. Besides that, they collect vast amounts of personal data, identity details, device information, contacts, locations, SMS and call logs, and store these details in unknown third-party locations, violating various data regulations. Some countries even classify these as hostile. When victims fail to repay within a short duration, they start charging high interest and abuse their personal data by threatening to send sensitive data to friends/relatives on the contact list, post on social media and make threatening calls. Several people have lost lives through suicide, unable to bear the torture of the agents.

Technology wise, they have a sophisticated infrastructure with professional-looking websites, use app frameworks, packers to evade app platform policies, create fake banking regulation certificates on websites to fool users and drive user traffic through social media and Telegram groups.

In this presentation we will:

• Describe the modus operandi of the lending applications with a video demo.
• Expose how they violate and circumvent app platform policies.
• Provide a technical analysis of how apps collect data and discuss the packers and frameworks used for app implementation.
• Uncover how the threat actor exploits local citizens using defunct finance organizations and shell companies to steal profits.
• Explain why this is data espionage and why some countries consider these apps as hostile.
• Discuss website infrastructures and how they use fake bank certificates to convince users.
• Reveal social media, Telegram groups and fake platforms used to attract victims.

• Download paper for this talk

Jagadeesh Chandraiah Jagadeesh Chandraiah is a senior malware researcher at SophosLabs, specializing in mobile malware analysis. He has been working at SophosLabs for over 10 years. He started working on Windows malware analysis and is currently focusing on mobile malware analysis. He has a Master’s degree in computer systems security from the University of South Wales. Jagadeesh likes to track malware, research and find novel ways to detect and remediate them. He is a frequent contributor to the Sophos X-Ops blog and has written blog posts about several mobile malware topics. He also regularly presents his research at international security conferences and in the past has presented his research at DeepSec, AVAR, CARO, and Virus Bulletin. Outside of work, Jagadeesh enjoys playing badminton.

Back to VB2023 Programme page

Back to VB2023 conference page

Register for VB2023

Other VB2023 papers