1.0 Introduction

On 29 November 2020, Jabatan Perlindungan Data Peribadi (JPDP) released a press statement after receiving multiple reports of unlicensed online loan providers collecting and misusing personal data through mobile loan applications. With the cooperation of JPDP, CyberSecurity Malaysia (CSM) and Suruhanjaya Komunikasi dan Multimedia (SKMM), an investigation paper has been opened under Section 5 of the Akta Pelindungan Data Peribadi (PDPA) on several online mobile loan applications operated by unlicensed online loan providers.

2.0 Impact

Through the mobile loan applications, these providers access, copy, and illegally keep personal data belonging to debtors, including unnecessary information, without the debtors' consent.

The collected data may later be used for harassment. The mobile loan applications identified in the Google Play Store are as follows (01/12/2020):

  • iCredit App - mobileloan.mobile.loan
  • iPinjaman - mobileloan.mobile.loan
  • InRushTime Pte Ltd - com.ipayfren
  • FastCash2U Pte Ltd - com.gocash4u
  • SecureLend2U Pte Ltd - com.dreamlend
  • Ezy-Loan Pte Ltd - com.helplend2u
  • A-Lend - com.asialend

3.0 Malicious Functionality

Analysis of the mobile loan applications released by these loan providers found that they have invasive and extensive features that can violate victims' privacy and personal data, such as:

  • In-Application activity recording.
  • Parse and upload contact information on the smartphones.
  • Parse and upload call log history in smartphones.
  • Acquiring smartphone GPS location.
  • Acquiring smartphone network information.
  • Get photo count in the camera folder.
  • Uniquely fingerprinting the smartphones.

In addition, the following supplementary information is collected from victims for the loan application:

  • Personal information.
  • Bank account information.
  • Social media account information such as Facebook account name.
  • Supporting documents such as copy of bank statement, copy of payslip, copy of identification card, copy of utility bill, applicant photo and applicant selfie video.

4.0 Affected System and Devices

These mobile loan applications are compiled to run on Android smartphones. The affected Android API levels are:

  • Android 10 - API level 29
  • Android 9.0 Pie - API level 28
  • Android 8.1 Oreo - API level 27
  • Android 8.0 Oreo - API level 26
  • Android 7.1 Nougat - API level 25
  • Android 7.0 Nougat - API level 24
  • Android 6.0 Marshmallow - API level 23
  • Android 5.1 Lollipop - API level 22
  • Android 5.0 Lollipop - API level 21

5.0 Technical Analysis

The analyst identified several functionalities in these mobile loan applications that are suspected of being used maliciously.

5.1 In-App Recording.

Once a victim has established a session with the app, the application can record the victim's activities within the app by using a proprietary SDK. As long as the victim is using the mobile application, a video recording of the victim's activities is taken, which includes all user interaction and in-app activity.

5.2 Parsing and Upload Contact Information.

These applications can parse all the contact information on victims' smartphones. This information is then uploaded to the scammer's back-end server.

5.3 Parse and Upload Call Log History in Smartphones.

Among the invasive features of these mobile loan applications is the ability to parse the entire call log on the victim's smartphone. This information is then uploaded to the scammer's back-end server.

5.4 Acquiring and Identifying Smartphones GPS

These functions are called throughout the mobile loan applications to get location information from smartphones and identify victims' locations. This information will be uploaded to the scammer's back-end server.

5.5 Acquiring Network Information

These functions are called throughout the mobile loan applications to get network information from smartphones in order to identify and fingerprint the smartphones based on that information. This information will be uploaded to the scammer's back-end server. Some of this information does not seem to be something the mobile loan applications are supposed to collect, which makes these mobile loan applications suspiciously malicious.

5.6 In-Application Recording

This part of the function collects a count of how many photos, contact numbers, SMS messages and voice call log entries exist on the smartphone. This information will be uploaded to the scammer's back-end server, which makes these mobile loan applications suspiciously malicious. This function is unnecessary for these mobile loan applications, especially as it collects such sensitive data from victims' smartphones.

5.7 Permission Requested by the Mobile Loan Applications

The requested permissions are what enable these mobile loan applications to access several components of the victim's smartphone, such as Contacts, SMS inbox, Camera, GPS and Networks (WiFi and Mobile Data), and to record the victim's activities while using the mobile loan applications.
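
For device triage, the package list in section 2.0 and the permission-based access described in section 5.7 can be checked together. The Python below is an added example, not part of the original advisory and not code from the analysed applications; it parses `adb shell pm list packages` and `adb shell dumpsys package <pkg>` output. The permission-to-category mapping and the sample tool output are assumptions constructed for illustration.

```python
FLAGGED_PACKAGES = {  # package names listed in section 2.0 of the advisory
    "mobileloan.mobile.loan", "com.ipayfren", "com.gocash4u",
    "com.dreamlend", "com.helplend2u", "com.asialend",
}
# Assumption: Android permissions gating the data categories named in sections 3.0 and 5.7.
SENSITIVE = {"READ_CONTACTS": "contacts", "READ_CALL_LOG": "call log", "READ_SMS": "SMS inbox",
             "CAMERA": "camera", "ACCESS_FINE_LOCATION": "GPS location",
             "ACCESS_COARSE_LOCATION": "GPS location", "ACCESS_WIFI_STATE": "network information",
             "READ_PHONE_STATE": "device and network identifiers"}
PREFIX = "android.permission."

def installed_flagged(pm_list_output):
    """Flagged packages present in `adb shell pm list packages` output."""
    installed = {line.strip()[len("package:"):] for line in pm_list_output.splitlines()
                 if line.strip().startswith("package:")}
    return sorted(installed & FLAGGED_PACKAGES)

def requested_permissions(dumpsys_output):
    """Names under 'requested permissions:' in `adb shell dumpsys package <pkg>` output."""
    perms, in_section = [], False
    for line in dumpsys_output.splitlines():
        text = line.strip()
        if text == "requested permissions:":
            in_section = True
        elif in_section:
            name = text.split(":")[0]      # drop suffixes such as ": restricted=true"
            if not name or " " in name:    # blank line or next section header ends the list
                break
            perms.append(name)
    return perms

def sensitive_access(dumpsys_output):
    """Data categories from the advisory that the app has asked to access."""
    short = [p[len(PREFIX):] for p in requested_permissions(dumpsys_output) if p.startswith(PREFIX)]
    return sorted({SENSITIVE[s] for s in short if s in SENSITIVE})

# Constructed sample tool output, not captured from a real device or from the listed apps.
SAMPLE_PM = "package:com.android.chrome\npackage:com.gocash4u\npackage:com.example.notes\n"
SAMPLE_DUMPSYS = """  Package [com.gocash4u] (1a2b3c4):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.READ_CALL_LOG: restricted=true
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
"""

if __name__ == "__main__":
    print(installed_flagged(SAMPLE_PM), sensitive_access(SAMPLE_DUMPSYS))
```

A requested permission shows only what the application asked for; whether the user granted it appears in the other permission sections of the same `dumpsys` output.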