Internet scams are not a new thing. They’ve been around for almost as long as the internet itself, and unsuspecting people have been falling prey to them. In this report, we’re going to talk about a scam going around in India at the moment, preying on people who may or may not have taken small loans from several quick lending apps that have popped up on the Google Play Store.
Several quick finance apps have popped up on the Google Play store that lends users small amounts somewhere between 5-10k or more in some cases for durations lasting from anywhere between seven days to up to six months or even a year, depending on the app you’re using. You might not notice that while these apps may give you money, they’re also potentially leaking your information, which might let scammers get after you.
The scam we’re talking about is going around under the disguise of an app called RupeeKing, a spoof of several other legitimate lending apps on the Play Store.
How do people get targetted?
What happens here is when you take a loan from any app, you submit several documents as well as your contact information. In our case, we first started receiving these messages after we used a similar app called Cash Advance that has over 500,000 downloads on the Play Store.
Since these apps work with first-time borrowers who might not have a credit history or CIBIL score, they ask for these permissions for risk assessment. These permissions can go as far as knowing what apps are installed on your phone, SMS, location and even microphone permissions under the guise of verifying your profile and running KYC.
This is where the scammers take over. Though we haven’t been able to point out one unified source of their database yet, what seems to be happening is that the scammers get their hands on your contact information, at least your Whatsapp number and potentially your contact list and send threatening messages claiming that you have an unpaid loan. Failing to pay the loan will result in the app representative (the person messaging you) calling your family, friends and colleagues about your unpaid dues.
That in itself is enough to get the average person spooked. These messages also include a TinyURL or Bitly link to an app called RupeeKing, which isn’t on the Play Store, by the way, where the user can make the payment. Once you download the app and sideload it on your phone, you’ll see a random payment amount and some payment options.
How does the scam app work?
After receiving a number of such messages ourselves, we decided to look further into the app and investigate what was actually happening. And sure enough, when we ran their app inside an emulator (please don’t run it on your phone) it turned out to be a hardcoded dummy app that just redirects the user to the payment portal.
Now, if the poor design of the app isn’t a straight giveaway for you, this is a scam. No legitimate loan app can contact people from your contacts list. It will amount to harassment. Nonetheless, these scammers will keep spamming you, sometimes multiple times a day and each time with a different Whatsapp number until you end up paying the fake dues.
Some victims have even reported that the scammers have even called and verbally abused them trying to get people to pay. We received a call ourselves, and when we were asked whether we had repaid the fake dues or not, we sent them a spoofed location tracker link disguised as the payment proof.
The operators seem to be working behind some proxy, which immediately disconnected us from their server. Soon after, the call disconnected, and we haven’t been able to get back in touch with any of their numbers yet. We’re continuing to investigate this story and will bring you any further updates as they arrive.
Should you be worried about getting scammed?
Since we don’t exactly know where these scammers are getting their victims’ data from, there’s no telling how many people they’ve already scammed or who’s next on their list.
If you’ve taken any loans from smaller apps that don’t come from a reputed financial company, or if you’ve ever defaulted on a loan from said apps, chances are you’re already on the victim list for these scammers. We also don’t know whether the scammers actually have your contacts list or if they’re just bluffing to scare people.
However, if you haven’t taken any loans from an app that a scammer is claiming you have, or if they don’t have the right documentation, no one can threaten to call up your contacts and tell them you’re behind on a loan repayment. The best way to tackle the situation if you’re already a victim is to simply ignore any such messages and keep ahead of your dues if there are any.
Until then, be aware of this scam, don’t download random apps from the internet or even the Play Store and make sure you keep a sharp eye on any apps that are using sensitive permissions on your phone.
In the News: Google announces early access to Chrome OS Flex