Troves of data stolen by fake digital lending apps

Fake digital lending apps grabbed contact information, pictures and gained network access from their borrowers’ smartphones as part of their lending operations. As the government, regulators and investigative agencies crack down on fake digital lending apps and the Chinese nationals who were operating them, questions remain on how much data was stolen from unsuspecting customers.

Without a data protection law in place, these apps and their operators have gotten away with troves of personal information belonging to borrowers. Several borrowers have committed suicide in the last few months over the harassment they faced from purported employees working for these apps. Not only were borrowers called several times to repay their loans, but the employees would also contact family and friends of the borrowers and attempt to blackmail by posting stories and private information of the borrower on social media.

At the outset, these apps did not ask for Know-Your-Customer (KYC) information that legitimate lenders require from borrowers. Instead, they sought basic contact information from borrowers’, photocopies of official government IDs and used their apps to gain access to borrowers’ smartphone devices. The permissions these apps sought are wide ranging, more than what legitimate regulated entities ask for. The data theft achieved by these apps and their operators could possibly be the largest data theft to have taken place in the country.

KVM Prasad, Assistant Commissioner of Police for Cybercrime, Telangana State Police Department told MediaNama that they are investigating around 197 apps that have come to their notice. Prasad said that in the case servers used by these apps are abroad, there is little that the police can do retrieve it. “Unfortunately, borrowers themselves gave their Aadhaar details, Permanent Account Number, contact lists and other information to these apps,” he said.

While police officials and banks are now working to trace the money that these apps extracted from borrowers, the question remains who will trace the data that has been stolen?

Need to know

• Hundreds of new digital lending apps emerged post COVID-19
• These apps offer short-term loans at exorbitant interest rates, loans for as low as ₹3,000 at interest rates of 50-100% per annum
• App operators harass borrowers whenever there is a delay in repayment
• Lending apps on the Google Play Store cannot offer such short-term loans for less than 60 days as per Google’s policies
• Regulated lenders need to offer borrowers a minimum of 30 days for loan repayment, therefore loan tenure cannot be less than 30 days
• Regulated lenders are mandated to encrypt data or mask sensitive personal information for KYC purposes
• Fake digital lending apps use app permissions to gain unlawful access to sensitive customer information
• Google has taken down over 200 of these apps since last week

Top downloaded digital lending apps

MediaNama reviewed 10 digital lending apps that seem to be operating in India, based on data compiled by Srikanth L, co-convenor of Cashless Consumer. The database, which includes 1,000 lending apps is extensive and includes both regulated entities and unregulated entities that have developed digital lending apps, marketed on Google’s Play Store.

“From this 1,000 apps, in the last ten days 118 apps have been removed and in total 450 apps are no longer available on the Play Store, but some of them operate from abroad. The legitimate apps authorised to lend in India in the database would be around 200,” Srikanth told MediaNama. “When it comes to the links between these apps and actors sitting abroad, around 50 of these apps would be using Alibaba servers. So it is not a case of the data being transferred abroad but that it was collected abroad,” he added.

MediaNama excluded apps operating out of the Philippines, Nigeria, Vietnam or Indonesia and those whose Play Store description link out to websites or mention the licensed lender behind the operations. Further, apps that have official websites and that name their non-banking lender sponsors have been excluded. Only apps that do not have a website, have sparse information on the Play Store and that have received widespread complaints were part of the analysis.

Together, the 10 ten apps analysed by MediaNama have been downloaded over 18 million times, according to a Google Android Play Store scrapper. MediaNama reached out to the apps named above last week with queries. Responses are still awaited.

“Downloading these apps via the Play Store is only one way to download the apps. There are super apps as well on the Play Store which are linked to these apps. When you use the super apps, you are downloading an APK off the browser and using the app for loans. So the data on downloads are based on MaxInstalls on Google Play Store statistics and therefore are not the exact the actual number of downloads,” said Srikanth.

It is important to note that while Google has taken down many of these apps from its Play Store over the past few weeks and has asked the apps to report their regulatory status, MediaNama found several apps listed in CashlessConsumer’s database still available on the Play Store. Some of these apps continue to be available on the app store do not have a formal address, only provide a basic email address and do not mention their regulatory status; either as a registered non-banking finance company (NBFC) lender or a third-party service contracted by a regulated lender.

Data and permissions requested by lending apps

While regulated lenders collect personal information, contact information, bank statements, Aadhaar and other data from borrowers, they also conduct a credit bureau check to verify the borrowers’ credit health before disbursing a loan. Lenders do ask for phone permissions such as the camera for video-KYC, location and IP data of the borrower in order to safeguard against frauds, industry experts told MediaNama. But, an investigation into the unregulated apps done by MediaNama revealed that these entities go beyond what regulated lenders do, and collect more data through infiltrating the borrower’s phone.

In fact, many of these apps market themselves as ‘instant loan apps’ capable of disbursing loans in ‘5 to 10 minutes,’ without the requirement of bank statements, Aadhaar or credit bureau scores, mainly relying on grabbing information available on the smartphone device through app permissions. A list of common permissions sought by fake digital lending apps include:

• Name, phone number, email address and physical residence address (Government Identities like driving license, PAN, and others)
• Phone Contacts and call records
• Media access via Image Gallery and External Storage
• Camera access
• Microphone
• SMS
• View data network and Wifi connections
• Full network access
• Access location in the background
• Bluetooth access
• Flashlight
• Access Do Not Disturb settings
• Read, modify or delete content from internal and external storage

Facial data of borrowers also collected: “Another issue with the data collection by these apps is that they have collected images of borrowers through selfies via phones’ camera which allows facial recognition. Majority of these apps used facial recognition software available from startups either in India or abroad, which means that this would be the largest collection of facial data from local and Chinese actors,” Srikanth said.

While these companies are not authorised lenders, they have also been able to gain access to Aadhaar data in cases where they have asked borrowers to share Aadhaar details through images, for instance. In some cases, these apps have legitimate non-banking financial companies at the back-end which may or may not have access to Aadhaar Authentication User Agency (AuA) and KYC User Agency (KuA).

Srikanth said that the Aadhaar regime over time has moved away from the e-KYC regime, to a Quick-Response (QR) code One-Time-Password (OTP) methodology.  “This means that these apps can gain access to Aadhaar information without a KuA or AuA access, they can ask the borrowers to input their Aadhaar numbers on to the UIDAI website that loans inside the app and confirm it with an OTP which will download the XML files of the Aadhaar to the app. Instead of paying the UIDAI for KuA or AuA access, the QR XML model incurs no cost,” he said.

Regulated entities ask for minimal data

The RBI prescribes cyber security guidelines to regulated entities like banks, NBFCs, and payment companies. These guidelines state that all personal data, financial and non-financial, has to be stored safely. But since the unregulated apps are essentially fraudulent actors, they collect the data in a raw format and are then able to share it or sell it to third parties.

Monish Anand, chief executive officer of MyShubh Life, a full stack digital financial services company, says that these are all NINJA apps, or No-Income No-Job Assessment apps, providing loans for up to 7 to 30 days at high interest rates without an income check or KYC checks. Some of these apps advertise that they provide loans up to 12 months as well. “If anybody is not taking your KYC and if they are not asking for an income proof, there is clearly a problem. The entire lending system is based on two fundamentals, the borrowers’ intention to pay and their capacity to pay. If these apps do not ask for income proof, they are obviously running a collections-based lending operation. So I’ll give you money now and someway or somehow get the money back through nefarious collection means,” he said.

“Why do lenders need access to your call records and phone media? No lender collects such information from borrowers. The RBI working group that has been set up recently should look at data collection standards and practices as well,” Anand added.

Akshay Mehrotra, co-founder and chief executive officer, EarlySalary and co-founder of the Fintech Association for Consumer Empowerment says that lenders only have access to masked Aadhaar data belonging to their borrowers, which needs to be stored in Indian data servers and not abroad. “Not only do fintech lenders need to be audited and go though stringent financial and cyber security control system by the top firms and most our apps comply with PCI-DSS standards. We work closely with Google to ensure that the apps only gain access to the right data from the borrowers’ smartphone. We do not need access to the image gallery on the phone, we only ask for the camera to conduct KYC and we certainly do not need your contacts,” he said.

Sandeep Srinvasa, founder of RedCarpet told MediaNama that NBFCs under the RBI’s ambit have a hard-line of regulations, of which there is a requirement to not store Aadhaar details. “But this regulation only kicks in if you are a regulated entity. Today, you can partner with an NBFC and only when the data comes into the NBFC is it protected. But these unauthorised app can get access to thousands of borrowers all of whose data is not protected. This is a regulatory miss as the regulator has made the regulated lender responsible for making the third-party lead provider comply with regulations. There is a lack of regulations across the chain,” they said.

“Once the documents are uploaded to the website, the fraudster can dupe the customer through their data and also sell the data on the dark web. We shouldn’t only worry about the Chinese apps, when Indian companies can and are doing the same,” this person said.

Also read

• RBI constitutes working group on digital lending
• RBI warns customers about predatory digital lending apps
• Politicians from Tamil Nadu urge government to ban online lending apps
• Google pulls 5 unauthorised lending apps from Play Store: Report
• RBI directs banks and NBFCs to increase transparency and disclosures over digital lending platforms