Dodgy Microlending Apps Stalk MEA Users, Highlighting Cyber Maturity Gaps

Mobile users in the Middle East and Africa often download moneylending apps that ask for excessive permissions — an all too common issue in an area where mobile-only is the norm and cyber awareness is low.

Tanzanian women sat with mobile phones waiting to charge them at a solar-powered charging booth, Miono Region, Tanzania.
Source: Tom Gilks via Alamy Stock Photo

Research emerged this week showing that mobile users in the Middle East and Africa are the third most-likely to install suspicious financial mobile apps — mainly in the form of apps purporting to offer microlending services, a popular practice in a region where many residents lack access to mainstream credit markets.

These "seemingly legitimate" financial mobile apps were found to request access to text messages, contacts and photos/videos before a loan can be provided. They then go on to collect personal data from users' smartphones as collateral in the case that the user delays a debt payment.

Unlike more legitimate microfinance options, these apps' operators ask permission to use the data collected from the smartphone in order to force the user to return the debt in various unscrupulous ways, according to Kaspersky's research. For instance, information can be dispatched to all the user's contacts informing them of the user's debt, accompanied by photos from the gallery.

"While users should certainly report any suspicious apps to Google, they also need to stay alert for apps that may ask for a little too much access to the device's resources. For example, why would a loan app need access to your camera, your photos, or other documents on your device? Always think carefully before giving permission to any app you've downloaded," says Chris Hauk, consumer privacy champion at Pixel Privacy.

Cyber Maturity in Transition

According to research by Kaspersky, throughout 2022 and the first quarter of 2023, 14% of installs of potentially unwanted mobile financial apps on Android phones were made by users in the Middle East, Turkey, and Africa (META) region. That places the region third, behind APAC and LATAM, in terms of the number of installs of such apps.

There are several reasons that apps like these are making headway in the region. Paul Bischoff, consumer privacy advocate at Comparitech, points out that it's an emerging technology market, where mobile infrastructure is an important and necessary tool that enables basic needs, and many users "are not prepared for the barrage of scams and malware on the Internet." For many, their mobile phone is their only computing device, their only banking outlet, their only communications link, and even their only TV.

In the case of the shady microlending apps, the fact that they're being used by people with few traditional financial options could translate to users more concerned with life goals than giving 100% attention to the apps' legitimacy and permissions. 

Another contributing factor is the lack of technology protections typically found elsewhere. For instance, even though Android holds a dominant market share of 78% in the Middle East and 80% in Africa, according to Kaspersky, Bischoff suspects some phones sold in the region may not come with access to standard Google services like the Play Store, leaving users to the vagaries of less-reputable app stores that are more likely to contain malware and other unwanted apps.

Meanwhile, Hauk says that while Google does vet the apps it allows into the Google Play Store, the system is not specifically designed to check for over-permissioned lending apps like these.

A Multifaceted Mobile Problem

Tom Davison, senior director of engineering international at Lookout, notes that the challenge with mobile apps in the META region is multi-faceted, beyond just fully functioning apps being overzealous with the permissions they request, exposing user data. 

All the other mobile issues are present as well: Outdated versions of apps may contain known software vulnerabilities that can be exploited; and outright malicious versions of apps exist which may impersonate well-known brands, again putting users at risk. But the usual best practices, like only using trusted app stores, scrutinizing permissions requested by apps, and always applying software updates, are for now aspirational goals for many META users.

Davison notes, "The reality is, for most users, without some additional help, it can be very challenging to spot what is legitimate and what is not," especially if apps such as microlending offerings are potentially downloaded in a state of desperation, he adds.

To boot, awareness of bugs can be scattered, at best, especially given that in the Android ecosystem, it's up to every OEM to deploy its own patches, and the schedules can vary wildly between device-makers — it's a lot for a mobile-only, non-cyber-savvy person to keep up with. 

All of this underscores the need for a more institutional, private-sector, and security-company emphasis on boosting cyber fluency and maturity, awareness training, and vendor safety efforts in the region.

About the Author(s)

Dan Raywood, Senior Editor, Dark Reading

With more than 20 years experience of B2B journalism, including 12 years covering cybersecurity, Dan Raywood brings a wealth of experience and information security knowledge to the table. He has covered everything from the rise of APTs, nation-state hackers, and hacktivists, to data breaches and the increase in government regulation to better protect citizens and hold businesses to account. Dan is based in the U.K., and when not working, he spends his time stopping his cats from walking over his keyboard and worrying about the (Tottenham) Spurs’ next match.
