Background — What Was Reported
The victim reported receiving multiple loan app notifications from applications they did not recall installing. Bank transaction alerts were being received on a device that appeared to be operating independently — SMS messages, call logs, and contacts were being accessed without user initiation.
The device had previously been used to apply for a loan through an unofficial loan application downloaded from a third-party APK distribution source rather than the Google Play Store. Within days of installation, the device began exhibiting indicators of compromise.
Initial indicators: unauthorised SMS access, unknown outbound data transfers, new device admin privilege requests appearing during normal use. Classic markers of a loan app malware campaign designed for data exfiltration.
Attack Vector — How the Malware Operated
Loan app malware in India follows a predictable but effective pattern. The fraudulent application is designed to appear legitimate — complete with onboarding flows, KYC requests, and loan amount displays. The real purpose is harvesting the device's data during the "onboarding" phase, before the victim realises no loan will ever be disbursed.
Permissions Requested (Malicious Intent)
| Permission | Stated Purpose | Actual Use | Risk |
|---|---|---|---|
| READ_SMS | OTP verification | Harvest all SMS including bank OTPs | Critical |
| READ_CONTACTS | Auto-fill referral | Extract full contact list for blackmail | Critical |
| CALL_LOG | Not stated | Map financial relationships via call patterns | Critical |
| CAMERA | KYC selfie | Silent background photo capture | Critical |
| RECORD_AUDIO | Not stated | Environmental audio surveillance | High |
| DEVICE_ADMIN | Security feature | Prevent uninstallation, persist on device | Critical |
| INSTALL_PACKAGES | App updates | Install additional malware silently | Critical |
Investigation — Six-Step Forensic Process
The investigation followed a structured mobile forensics methodology using Android Debug Bridge (ADB) — the same approach used by incident response teams at enterprise level.
Key Signals — What Made This Detectable
Several signals were present from the moment the first malicious APK was installed. These are the patterns that fraud and security teams should treat as immediate red flags:
- Sideloaded APK: The initial loan app was never distributed via the Play Store. Any financial application installed outside official stores is high-risk by default.
- Device Admin privilege request: No legitimate lending app requires device admin rights. This permission exists to prevent removal — it is a persistence mechanism, not a security feature.
- Bulk permission requests on first launch: Legitimate apps request permissions contextually. Requesting SMS, contacts, camera, microphone, and storage simultaneously on first open is a malware signature.
- INSTALL_PACKAGES permission: No user-facing application needs the ability to install other packages. This was the mechanism through which 6 additional APKs were silently installed after the first.
- Outbound data transmission without user action: Background network activity sending structured JSON payloads to external endpoints — visible in logcat output.
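The permission table and the signals above translate directly into a triage rule. The following is an added example, not tooling from the investigation: it parses constructed excerpts in the shape of `adb shell dumpsys package` output (package names, hashes and installer values are made up) and scores each package on sideloading, the table's critical and high-risk permissions, and the bulk-request signal. The weights and the flag threshold are assumptions chosen for the example; device admin is not a manifest permission and would be checked separately via `dumpsys device_policy`.

```python
"""Score installed packages against the loan-app-malware permission pattern.

Added example: the dumpsys excerpt below is constructed, not a real capture.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Permissions from the page's table. The page names INSTALL_PACKAGES; a sideloaded
# app can only be granted REQUEST_INSTALL_PACKAGES, so both spellings are listed.
CRITICAL = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CAMERA",
    "android.permission.INSTALL_PACKAGES",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}
HIGH = {"android.permission.RECORD_AUDIO"}
# Assumption: only the Play Store counts as an official installer.
TRUSTED_INSTALLERS = {"com.android.vending"}
BULK_THRESHOLD = 4   # this many sensitive permissions in one app = bulk-request signal
FLAG_SCORE = 8       # scores at or above this are reported as the malware pattern

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^[\w.]+\.permission\.[A-Z_]+$")

# Constructed sample in the shape of 'adb shell dumpsys package' output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.quickcash.loan] (1a2b3c):
    installerPackageName=null
    requested permissions:
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CONTACTS
      android.permission.READ_CALL_LOG
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.INTERNET
  Package [com.example.bank] (4d5e6f):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.RECEIVE_SMS
"""


@dataclass
class PackageInfo:
    name: str
    installer: str | None = None
    permissions: set[str] = field(default_factory=set)


@dataclass
class Verdict:
    score: int
    reasons: list[str]
    flagged: bool


def parse_dumpsys_packages(text: str) -> list[PackageInfo]:
    """Extract package name, installer and requested permissions from dumpsys text."""
    packages: list[PackageInfo] = []
    in_perms = False
    for raw in text.splitlines():
        line = raw.strip()
        m = PKG_RE.match(raw)
        if m:
            packages.append(PackageInfo(m.group(1)))
            in_perms = False
            continue
        if not packages:
            continue  # header lines before the first package
        current = packages[-1]
        if line.startswith("installerPackageName="):
            value = line.split("=", 1)[1]
            current.installer = None if value == "null" else value
        elif line == "requested permissions:":
            in_perms = True
        elif in_perms and PERM_RE.match(line):
            current.permissions.add(line)
        elif line.endswith(":"):
            in_perms = False  # a different dumpsys sub-section started
    return packages


def score_package(pkg: PackageInfo) -> Verdict:
    """Apply the sideload, permission-risk and bulk-request signals to one package."""
    reasons: list[str] = []
    score = 0
    if pkg.installer not in TRUSTED_INSTALLERS:
        score += 3
        reasons.append(f"sideloaded (installer={pkg.installer})")
    crit = sorted(pkg.permissions & CRITICAL)
    high = sorted(pkg.permissions & HIGH)
    score += 2 * len(crit) + len(high)
    reasons += [f"critical permission {p.rsplit('.', 1)[1]}" for p in crit]
    reasons += [f"high-risk permission {p.rsplit('.', 1)[1]}" for p in high]
    if len(crit) + len(high) >= BULK_THRESHOLD:
        score += 2
        reasons.append("bulk sensitive-permission request")
    return Verdict(score, reasons, score >= FLAG_SCORE)


def triage(text: str) -> dict[str, Verdict]:
    """Map every package in a dumpsys dump to its verdict."""
    return {p.name: score_package(p) for p in parse_dumpsys_packages(text)}


if __name__ == "__main__":
    for name, v in triage(SAMPLE_DUMPSYS).items():
        print(f"{name}: score={v.score} flagged={v.flagged}")
        for r in v.reasons:
            print(f"    - {r}")
```

On a live device the same parser can be fed `adb shell dumpsys package` output piped to a file; the constructed sample yields a high score for the sideloaded package requesting six sensitive permissions and a low one for the Play-installed banking app that asks only for the camera.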
Detection was possible because the victim noticed anomalous battery drain and unexpected notifications — classic post-compromise indicators. Most victims of this attack pattern do not notice for weeks, by which time significant data exfiltration has occurred.
What This Demonstrates
This investigation demonstrates several capabilities relevant to platform fraud teams and security practitioners:
- Mobile forensics without specialised tools: The entire investigation was conducted using ADB — a standard Android development tool available on any machine. Enterprise-grade forensic platforms are not required for effective first-response investigation.
- Evidence-grade documentation: The timeline and logcat evidence produced in this investigation are structured to support cybercrime complaint filing under the Indian IT Act 2000 and relevant provisions.
- Victim support methodology: Beyond technical remediation, this case required victim support: explaining what had been accessed, what the attacker was likely to do with the data, and what protective steps were available. Incident response is not only technical.
- Pattern recognition for fraud teams: The permission patterns, APK installation chains, and data exfiltration signatures documented here can be used directly to build detection rules for lending platforms evaluating user-submitted KYC from potentially compromised devices.
Implications for Lending Platforms
Lending platforms in India face a specific problem: many of their victims and fraudsters operate on the same category of compromised devices. A user applying for a loan via a banking app on a device that is simultaneously running loan app malware creates a complex fraud surface:
- OTPs can be intercepted before they reach the legitimate banking app
- Device fingerprinting signals are spoofable if the malware has device admin access
- Account takeover is possible without the user being aware — SMS-based 2FA is compromised at the OS level
- Genuine users may appear as fraud actors in platform signals if their device has been compromised
Platforms that rely solely on SMS OTP for authentication and do not perform device integrity checks are operating with a significant blind spot in this threat environment.
Facing a fraud incident or unusual platform behaviour?
Zarelva provides structured fraud investigation, incident response, and platform risk assessment for fintech and AI-native products. Fixed fee. NDA from day one.