Thursday, May 22, 2025
HomeAndroidPakistan Hackers Targeting Indian Android Users with Fake Loan Apps

Pakistan Hackers Targeting Indian Android Users with Fake Loan Apps

Published on

SIEM as a Service

Follow Us on Google News

Hackers in India are using fake loan applications to target Android users to take advantage of the rising demand for digital financial services by enticing consumers with instant credit offers.

These malicious apps often steal personal and financial information, which leads to identity theft and financial fraud. 

The large user base and growing reliance on mobile-based financial transactions make Indians great targets for such frauds.

- Advertisement - Google News

Cybersecurity researchers at Cyfirma recently discovered that hackers from Pakistan are actively targeting Indian Android users with fake loan applications.

Document
Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Fake Loan Apps Target Android Users

Cyfirma’s team recently uncovered a malicious Android package that was tricking and luring users into taking out fake loans.

The fake loan app tricks users with instant loans, ask for personal information and manipulates selfies for extortion. 

The threat actor demands money and persistently threatens to share manipulated nude images. However, the researchers’ team seized the Android package and initiated social engineering during the ongoing incident for more details.

Cybersecurity researchers discovered the malicious app using minimal permissions for stealth. Besides this, they investigate fake loan apps with hidden malicious behavior. 

There is limited exploration of the sign-up page to protect identity, and the Moneyfine.apk prompts several types of permissions upon opening.

Permissions prompted (Source - Cyfirma)
Permissions prompted (Source – Cyfirma)

Now, after consenting to the conditions, the app directs the user to the sign-up or sign-in page, where they are prompted to click on the sign-up or sign-in button, which leads to the login/signup page, which asks for the OTP entry.

OTP Prompt (Source - Cyfirma)
OTP Prompt (Source – Cyfirma)

The malicious app exploits minimal permissions like the contacts, call logs, and camera for extortion. The low obfuscation keeps it undetected by many antivirus programs

The application operates as an instant loan app, but KYC details are used for money extortion. 

The snippet was extracted from the Android Manifest file of malicious Moneyfine.apk, and several permissions that were associated with illicit activities were discovered.

Manifest file (Source - Cyfirma)
Manifest file (Source – Cyfirma)

Permissions exploited

Here below, we have mentioned all the major permissions that are exploited:-

  • READ_CALL_LOG: This permission allows the threat actor to read call logs.
  • READ_CONTACTS: This permission allows the threat actor to read and fetch contacts.

The cybersecurity team at Cyfirma used social engineering to uncover Pakistan-based threat actors who have been recruiting individuals for Android package delivery and extortion. 

Threat actors who are connected to India were evidenced by Instagram, WhatsApp chat, and UPI payment methods. At the same time, the collaboration suggests fund redirection. 

Chats (Source - Cyfirma)
Chats (Source – Cyfirma)

The extortion post-compromise is a recurring and lucrative trend that exploits the victims’ fear for financial gain.

Diamon model (Source - Cyfirma)
Diamon model (Source – Cyfirma)

Rising extortion through fake loan apps poses serious challenges for non-tech-savvy individuals. 

As the financially motivated threat actors actively minimize the app permissions, they exploit contact lists and selfies for threatening extortion messages.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Cityworks Zero-Day Vulnerability Used by UAT-638 Hackers to Infect IIS Servers with Shell Malware

Cisco Talos has uncovered active exploitation of a zero-day remote-code-execution vulnerability, identified as CVE-2025-0994,...

Researchers Warn of ‘Smiao Network’ Cyber Threat Against Taiwan’s Federal Staff

The Foundation for Defense of Democracies (FDD) and cybersecurity firm TeamT5 has exposed an...

Vidar and StealC Malware Delivered Through Viral TikTok Videos by Hackers

A sophisticated social engineering campaign that leverages the viral power of TikTok to distribute...

Hackers Deploy Weaponized npm Packages to Target React and Node.js JavaScript Frameworks

Socket's Threat Research Team, a series of malicious npm packages have been found lurking...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Cityworks Zero-Day Vulnerability Used by UAT-638 Hackers to Infect IIS Servers with Shell Malware

Cisco Talos has uncovered active exploitation of a zero-day remote-code-execution vulnerability, identified as CVE-2025-0994,...

Researchers Warn of ‘Smiao Network’ Cyber Threat Against Taiwan’s Federal Staff

The Foundation for Defense of Democracies (FDD) and cybersecurity firm TeamT5 has exposed an...

Vidar and StealC Malware Delivered Through Viral TikTok Videos by Hackers

A sophisticated social engineering campaign that leverages the viral power of TikTok to distribute...