An Android app called Finance Simplified reached 100,000 downloads on Google Play while secretly operating as a predatory loan shark — harvesting contacts, location data every 3 seconds, SMS messages, and clipboard contents, then using that data to harass and blackmail victims who could not repay. HN57 also covers two patched Xerox printer vulnerabilities that let an attacker on your network harvest Windows Active Directory credentials through an LDAP and SMB passback attack.
Stories Covered
SpyLoan: Predatory Android Malware Bypasses Google Play
CyFirma researchers identified Finance Simplified as part of the SpyLoan malware family — apps that masquerade as financial tools or loan services but exist to harvest personal data for use in predatory lending schemes. The app was live on Google Play and accumulated over 100,000 downloads before removal. Additional variants (Credit Apple, Pocket Me, Stashfur) were found as loose APKs in the same campaign.
The deception is layered. The initial Play Store app loads a WebView that redirects users to an external EC2-hosted server, which serves different content depending on geolocation: users in India receive a list of predatory loan applications; users outside India get a benign calculator. This mirrors the anti-sandbox technique seen in traditional malware — behave innocuously when you suspect you are being analyzed, go malicious otherwise. Once a loan APK is installed, it requests broad permissions and begins exfiltrating: contacts, call logs, SMS messages, photos, documents, device location every three seconds, last 20 clipboard entries, and banking SMS transaction messages.
The extortion follows: victims who cannot meet repayment terms are threatened with edited photos or exposure of their personal data. The review trail documented users reporting exactly this — low loan amounts, extreme interest rates, and blackmail threats. The data exfiltrated is almost certainly also sold or leaked; anything harvested at this scale finds its way to other criminal pipelines eventually.
Removing the app from the Play Store does not remove it from infected devices. If you or someone you know installed a suspicious loan or financial app, uninstall it, revoke permissions for any apps you did not explicitly authorize, change passwords, and factory reset if you suspect ongoing access. The Play Store is a better baseline than third-party APK stores, but it is not a guarantee — this campaign cleared their review process at scale.
Xerox VersaLink Printers: LDAP and SMB Passback Credential Theft
Rapid7 discovered two vulnerabilities in the Xerox VersaLink C7025 multifunction printer — both now patched — that allow an attacker with network access to the printer’s admin interface to redirect its LDAP and SMB authentication requests to an attacker-controlled server, capturing Windows Active Directory credentials in cleartext.
CVE-2024-12510 (CVSS 6.7) affects the LDAP configuration: an attacker can change the LDAP server IP in the printer settings to point at their own server. When the printer next authenticates a user, it sends the credentials to the malicious server instead. CVE-2024-12511 (CVSS 7.6) works the same way against SMB and FTP scan functions. Neither vulnerability allows initial access to a system from the outside — they are lateral movement and privilege escalation tools for an attacker already on the network.
Printers are notoriously under-patched: they sit on the network indefinitely, are owned by no specific team, and are rebooted only when they stop printing. The patch for these is available. If your environment runs Xerox VersaLink hardware with LDAP or SMB scan integration configured, this is a straightforward apply-the-update situation — the window between patch release and patch deployment is exactly when these vulnerabilities get exploited.
Leave a Reply