Google Play store still hosts spyware loan apps like Joy Credito - Rest of World

Created time
Jan 23, 2024 12:08 PM
For most of 2023, Ana Mariela Macías González, a 31-year-old state employee from Puebla, Mexico, told Rest of World she received tens of intimidating phone calls and texts every day. Some of the messages included altered photos of her and a text that implied she was a prostitute. Her entire contacts list, which included friends, family, and coworkers, received them too.
The calls and messages were from collectors sent by several predatory apps she had downloaded from the Google Play store, including an app called JoyCrédito. Her debt had snowballed from 1,000 pesos ($60) to almost 60,000 ($3,500) in less than six months. When the harassment became impossible to handle, she filed a police report. Macías González said she was advised by the police to ignore the calls, get rid of her phone, destroy her SIM card, and brace herself for months of more harassment to her contacts until it would finally stop. Her nightmare ended in late 2023 when the calls finally ceased, but her reputation was damaged: To this day, she said, some of her coworkers still humiliate her for the doctored photos and awful messages they received.
Macías González is not the only one who has made complaints against the predatory loan apps, known in Latin America as montadeudas or gota a gota apps. According to Mexico City’s Citizen Council for Safety and Justice, a consumer watchdog group, 135 reports to local authorities have been filed against JoyCrédito for fraud and extortion. But despite the government attention, the app is still available to download from the Google Play store.
For years, apps like JoyCrédito have been exploiting borrowers from Mexico to India. They lend small amounts of money with few requirements and very high interest rates to financially vulnerable people — and then extort them when the loan is due. After years of mounting pressure from watchdog groups, Google explicitly banned the apps from the Play store in October. But stories like those of Macías González show how widespread the apps still are — and how ineffective Google has been at enforcing its own policy.
Rest of World first raised the issue of the apps with Google Mexico on January 11, and followed up a week later with an email listing 15 instances of exploitative loan apps based in Mexico that explicitly violate the terms of the Play store. At the time of this report’s publication, all of them were still available for download in the Play store.
Of the 15 apps, 12 explicitly asked for access to either the camera roll or contacts in the Google Play store’s terms of service. Two others specified full access only in external documents. One other gave no data access information.
Rest of World also found 10 apps in Peru that have been flagged as exploitative by SBS, a national body that oversees banking, insurance, and private pensions. All the apps are still available for download on the Google Play store.
The apps rely on broad access to sensitive data on a user’s phone, like their contacts list or photos. Even before the loan is due, many apps will threaten users with distributing fake pornographic or incriminating photos to their family and friends if payments are not made.
Some users told Rest of World they were extorted just for downloading and opening the app on their phones, without even finishing the loan application process. Macías González reported to the police that her personal data — full name, phone number, bank account, official ID — was shared from one app to others, many of which started granting new loans on the spot. “I didn’t even download the apps but the money got deposited in my bank account, and then the harassment to pay it back with interest began,” she said. Although she had only downloaded six apps, police records showed her data ended up in about 150 apps.
Google is aware of the issue and regularly takes down predatory loan apps. In Mexico, a Google spokesperson confirmed that the company works alongside Mexico City’s Citizen Safety Bureau to closely monitor the apps due to the high volume of police reports against them.
“We take this problem very seriously and we are committed to offering a safe platform for billions of Android users,” Ricardo Zamora López, head of communications for Google Mexico, told Rest of World in a statement. “We will keep investigating and collaborating with the corresponding authorities [in Mexico] in the ongoing investigations, with whom we’ve already established a protocol.”
In theory, the apps are in violation of Android developer policies that ban personal loan apps from accessing sensitive data like the camera roll or contacts list. Apps offering short-term loans are also prohibited. But in practice, even loan apps that explicitly advertise predatory short-term loans in their terms of service can be found on the Google Play store. The terms and services of a Colombian app called LuckyPlata, which are linked in its Play store description, explicitly state that the app collects “contacts list, SMS, SMS log, and images that incidentally could have sensitive personal data.” The terms and services of Buen Dinero, a Peruvian app available on the Play store, state the app will collect the SMS log and contacts list, “including name and phone number.”
Digital rights watchdog groups told Rest of World the explicit descriptions raise the question of whether Google is reviewing apps’ terms and services at all. “The apps describe in their privacy policies all the terrible things they can do, and yet Google considers the requirement fulfilled,” said José Flores, a digital rights activist and head of communications at R3D.
In other cases, scammers evade bans by changing their name or creating a look-alike app. “These types of companies are in constant evolution,” a spokesperson for Peru’s SBS told Rest of World. “Oftentimes, after receiving public complaints, the people who manage the app will change their names so they can keep taking advantage of users.”
In Peru, a company called Alpacash-Préstamos en Perú was removed from the Google Play store in 2020, only to reemerge in 2023 as Alpacash-préstamo. In Colombia, Google banned a spyware loan app called Unicop, only to see a copycat appear under the name UnicopPro. (Its logo is exactly the same as Unicop, except for a small dollar sign.) Magicrédito, a loan app based in the Escandón neighborhood in Mexico City, was taken off the Google Play store in 2021, but returned as Quikrédito with the same registered address as its predecessor. According to data from Mexico City’s Citizen Council for Safety and Justice, 18 people formally filed a police report against Magicrédito. It has now been removed from the Google Play store.
Police reports suggest the problem is affecting tens of thousands of people across Latin America. In Colombia, more than 8,000 people filed reports against predatory loan apps with the country’s IT crime bureau last year. Peru’s national police received more than 400 reports against the apps. Between 2021 and 2023, Mexico registered more than 18,000 reports, according to Mexico City’s Citizen Council for Safety and Justice.
The reports to authorities may only capture a sliver of the problem. In May, researchers at the cybersecurity firm ESET found an 88% jump in instances of spyware loan apps in the first half of 2023.
As the spyware loan scams escalate, authorities in Colombia and Mexico have tried to tackle the issue through targeted police raids. In August 2022, Mexico City’s police raided the offices of companies linked to over 90 extortion apps, detaining 27 people who allegedly made extortion calls. A similar operation took place in Colombia in November 2023, with 9 people detained and linked to a larger criminal operation.