150K+ Devices Infected by Malicious Loan Apps on iOS & Google Play Store

In a striking revelation, cybersecurity analysts have uncovered a fraudulent scheme involving the widely downloaded “RapiPlata” app, which poses as a legitimate loan provider but secretly compromises users’ financial and personal security.

Between October 2024 and March 2025, the app was available on both the Google Play Store and the Apple App Store, accumulating an estimated 150,000 downloads before its removal.

Alarmingly, RapiPlata was not a lone threat; it is connected to a larger family of malicious “SpyLoan” applications, known for their predatory behavior and data theft tactics.

SpyLoan Apps: How They Trick Users

RapiPlata and its kin, such as “Préstamo Rápido,” tricked victims with promises of quick loans and low interest rates.

After installation, users often found themselves subjected to coercive tactics: threatening messages and emails, false claims of outstanding debts, and even public shaming through unauthorized contact with their friends and family.

Victims reported being hounded for repayments on loans they never agreed to or received.

Technical Insights: Data Exploitation and Malicious Features

Beneath its veneer of financial service, RapiPlata was a malware powerhouse.

The app abused permissions to harvest vast swathes of personal data, including SMS messages, call logs, calendar events, and installed applications, uploading everything to its servers under the guise of “creditworthiness assessment.”

Advanced keyword-based SMS scanning targeted financial and generic terms, such as “saldo” (balance), “pago” (payment), and even “día” (day), extracting data far beyond what was necessary for loan processing.

RapiPlata’s functionality went further: it auto-downloaded malicious payloads from fake Google Play buttons on third-party sites, disguising its true origins.

Analysis showed that, despite app store removals, the threat remained accessible via misleading websites that mimicked official Google Play pages.

Notably, many RapiPlata and Préstamo Rápido variants have evaded detection by mainstream antivirus engines, with some showing zero detections on VirusTotal a testament to their stealthy and frequently modified code.

The Broader Threat: Exploiting iOS Security and Business Data

The impact of such malware extends not only to individual device security but also to organizational integrity.

On iOS, despite its robust security reputation, attackers have leveraged stolen SMS, call logs, calendar entries, and app lists for targeted attacks.

Calendar data exposed Zoom meeting links and business discussions, potentially allowing unauthorized access to sensitive corporate information.

Installed apps provide hackers insight into device ecosystems, supporting tailored exploits and advanced social engineering.

Check Point’s Harmony Mobile proved instrumental in detecting and blocking RapiPlata, preempting harm through the integration of machine learning and threat intelligence.

Alerting users and administrators in real time, these defenses prevented data exfiltration and malicious server communication.

Staying Protected: Vigilance and Secure Practices

As SpyLoan apps continue to evolve, users are advised to download financial apps only from official sources, carefully review app permissions, and utilize advanced mobile security solutions.

Trusted institutions should always be prioritized for financial services, as third-party apps like RapiPlata demonstrate the real risks of data theft and fraud in the digital lending space.

Industry leaders emphasize the importance of multi-layered security to protect both individuals and organizations from the increasingly sophisticated mobile threats.

IoCs

Websites:

•    https[:]//www[.]dineroya[.]co/
•    https[:]//www[.]rapiplata[.]co
•    https[:]//home[.]parkwaysas[.]co/

Payload Url:

• https[:]//t[.]copii[.]co/9YEPe

RapiPlata sha256:

• d2413262042fa01e679795298d4541a114a73574c09d93240be64303946fc7f4
  •e0028b4cfe4216f49556f4e5b6b5fd62ebd3cbce0ed774efe893e86ee65fb649
  •3f87000c43f3cc2e37019ed590da72ec0c6c663257734095c5fd9306c11a6ce5
  •ea453b597cf6610e9a7f4e87e25509d3d48e50f2fbd2cc65f3f641566448511f
  •f13238211b5df56eb8901fb2d8d11355ab4f442f24f45c79b14e60c83a1d48b9
  •cf597690738b875daddb964abc313b34049c76afb001df0f3b8bcd9f3d358826
  •afb116cf99c020419679684035ff7c4e3ecdfce6c8842108c228eef4a13058bd