Malware: Research shows that SpyLoan apps have entered Tanzania and are exploiting Tanzanian citizens.

Alameen Karim Merali
13 min read · Apr 2, 2024


Introduction

This research shows that apps such as Ustawi Loan and Hakika Loan are exploiting Tanzanian citizens and conducting espionage in Tanzania. Like my earlier research on Bit2MeProsih, a Chinese-run Pig Butchering scam, this is one of the most striking cases I have worked on, because the operation ties back to China and other Asian countries.

Needless to say, the information on these apps' exploitation of Tanzanian citizens led me to collect intelligence on these companies and report them to the Tanzanian Government. The National Office of the Prosecutor replied to confirm receipt of my message by the Director of Public Prosecutions. Information about the report and the investigation remains TLP:RED (for the named recipients only, no further disclosure) until charges are brought, so that the chain of custody required for the evidence to be admissible in court is not jeopardised. Since this write-up is meant to raise awareness, it draws on parts of the TLP:RED document and is itself classified TLP:WHITE (TLP:CLEAR under TLP 2.0).

As always, we begin with Threat Intelligence analysis, then Dynamic Analysis, and end with Static Analysis. This report is an addition to ESET's research and to the BleepingComputer and News9Live coverage of SpyLoan: it shows that Tanzanian citizens' data collected through these apps is also being sent to Chinese servers, and we do not know what is done with it beyond the harassment, extortion and blackmail that victims receive. The analysis below is presented as evidence of spying against Tanzanian citizens by operators in China and Indonesia. Because the flow of citizens' data to Chinese and other Asian servers is alarming, this article, once published, will be forwarded to Government addresses and to the Office of the President with a request that national security investigate further; espionage against citizens at this scale is a national security concern.

What to do if you are a victim of this app?

If you have not installed the app, do not. If you have, uninstall it: removing the app removes the operators' access to your device. Do not pay. These lenders are not registered in Tanzania, not with the Bank of Tanzania and not with the Tanzania Communications Regulatory Authority, and you are not obliged to repay an illegal lender; paying feeds the psychological loop that pushes victims into more debt and funds the operation, which is running nationwide. Their profit comes from the 35 to 45% interest they charge and from laundering the proceeds. Report the harassment to Law Enforcement and to the financial regulator (in this case, the Bank of Tanzania). An unlicensed lender cannot have you prosecuted (no lender can), and nothing about the way they harass, extort or blackmail victims is lawful; those acts are serious criminal offences on their part, not yours. If harassing texts continue after you uninstall, report them and ignore further texts and calls. Refusing to pay and uninstalling both protects you from a debt loop with illegal lenders and starves the operation.

Threat Intelligence Analysis of Ustawi Loan

The information below is the VirusTotal Threat Intelligence report for the Ustawi Loan app. A Joe Sandbox analysis is not included for this one because their machines were busy.

VirusTotal Report

You can access the full report from here.

Only two engines flag the app, but both classify it as SpyLoan. The operators' obfuscation means most vendors either miss it or catch it only through heuristics, so a low detection count does not mean the app is clean. The behaviour tags show telephony API use (reading SIM and device identifiers through the telephony manager; this is not an SS7 attack), network adapter checks (the drivers and devices that connect the phone to the internet), GPS access and use of reflection. It is also tagged as a PUA (Potentially Unwanted Application, an app that poses a security or privacy risk).
The APK's entry timestamps all read 1981. That is the fixed date Android build tools stamp on every APK entry, so treat it as a build artifact rather than deliberate anti-forensics. The file is identified as an Android executable, and it has only one name because this was the first submission of the sample to the security community.
The signing certificate carries Google's details. That is consistent with Play App Signing, where Google manages the app's signing key, rather than with a stolen Google certificate authority, so the certificate makes the app look legitimate but proves nothing about who is behind it. In reality it is a Trojan (a fake app disguised as legitimate to perform malicious activity).
The suspicious permissions the app requests, including the ability to install apps from unknown sources (on Android, the REQUEST_INSTALL_PACKAGES permission).
Further references to the app installing other third-party apps without the user's consent, and a service registered with Firebase Cloud Messaging, which gives the operator a push channel into the app.
The classes.dex file is the part the engine flagged; the other bundled files show the app was built with Kotlin.
The app detects virtual machines to hinder analysis (including analysis sandboxes), talks to its command-and-control server over HTTPS (most likely the exfiltration channel) and is obfuscated to make analysis harder.
The app can track the phone (coarse and precise location), read SIM card information (including the IMSI, obtained through the telephony API), read device identifiers (IMEI, MEID, ESN), and access the media store and audio.
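The permission picture above is the fastest triage signal for a SpyLoan sample. The following is an added example, not code from the article or from the apps it analyses: it parses an apktool-decoded AndroidManifest.xml and scores the permission set against what a lending app can justify. The package name, the service name, the indicator table and the verdict thresholds are assumptions made for this example, and the two manifests are constructed from the permissions the article describes; they are not the real Ustawi Loan manifest.

```python
# Added example, not code from the article or from the apps analysed in it.
# Triage an apktool-decoded AndroidManifest.xml for SpyLoan-style
# over-permissioning. Package names, service names, the indicator table and
# the verdict thresholds are assumptions for this example.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a digital-lending app can plausibly justify (assumed baseline).
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.CAMERA",  # KYC selfie / ID photo
}

# Dangerous permissions a lender has no business requesting; each one is a
# SpyLoan indicator. The text is what the permission lets the operator do.
SPY_INDICATORS = {
    "android.permission.READ_CONTACTS": "harvest contact list (used to harass the victim's contacts)",
    "android.permission.READ_SMS": "read SMS, including mobile-money and OTP messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS from the victim's number",
    "android.permission.READ_CALL_LOG": "copy call history",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS tracking",
    "android.permission.RECORD_AUDIO": "microphone capture",
    "android.permission.READ_PHONE_STATE": "IMEI/IMSI/SIM identifiers via TelephonyManager",
    "android.permission.REQUEST_INSTALL_PACKAGES": "prompt installation of further APKs",
}

FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"


def triage_manifest(xml_text: str) -> dict:
    """Return the SpyLoan indicators found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    indicators = {p: SPY_INDICATORS[p] for p in sorted(perms) if p in SPY_INDICATORS}
    # Anything neither expected nor a known indicator still needs a justification.
    unexplained = sorted(perms - EXPECTED - set(SPY_INDICATORS))
    # A Firebase messaging service gives the operator a push channel into the app.
    fcm_push = any(a.get(ANDROID_NS + "name") == FCM_ACTION for a in root.iter("action"))
    app = root.find("application")
    allow_backup = app is not None and app.get(ANDROID_NS + "allowBackup") == "true"
    # Thresholds are an assumption for this example, not a vendor rule.
    if len(indicators) >= 3:
        verdict = "spyloan-likely"
    elif indicators:
        verdict = "review"
    else:
        verdict = "no-spy-indicators"
    return {
        "package": root.get("package"),
        "indicators": indicators,
        "unexplained": unexplained,
        "fcm_push": fcm_push,
        "allow_backup": allow_backup,
        "verdict": verdict,
    }


# Constructed sample: the permission set the article attributes to Ustawi Loan.
SPYLOAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.spyloan">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:allowBackup="true">
        <service android:name=".PushService" android:exported="false">
            <intent-filter>
                <action android:name="com.google.firebase.MESSAGING_EVENT"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed sample: what a lender that only does KYC photos would need.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lender">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:allowBackup="false"/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("spyloan", SPYLOAN_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(manifest)
        print(name, result["verdict"], sorted(result["indicators"]))
```

Run `apktool d sample.apk` and pass the decoded AndroidManifest.xml to `triage_manifest`. The verdict is only a triage signal: a single READ_PHONE_STATE can be a legacy leftover, but contacts, SMS and call-log access together in a loan app is the SpyLoan pattern the article documents.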

Dynamic Analysis of Ustawi Loan:

Dynamic analysis shows that the login and account-creation screens are the same as in the other SpyLoan apps documented by ESET, BleepingComputer and News9Live. On first launch the app demands that all permissions be granted and refuses to run otherwise. After registering and submitting an ID and a selfie for biometric verification, it starts crashing: loan applications fail repeatedly, sometimes with a "network error" although the network is fine. After several attempts the loan application goes through. The application screen offers a 90-day or 120-day term, but once the loan is disbursed the operators change the term to 7 days.

The borrowing cycle shown during application is 120 days; after approval the operators change it to 7 days.

From this point the operators have access to your contacts, gallery, media, microphone, SMS, camera and location, and effectively control the phone. They read your messages and start texting people in your contact list, and the harassing messages begin before the 7 days are even up. The only way to stop the spying is to uninstall the app; the information submitted with the loan application of course stays on their servers. An example of a message that a victim's contacts receive is below (it was sent to me from a victim's device and threatens to expose the victim's identification documents online; the operators also threaten victims with Law Enforcement. Victim information has been redacted for privacy):

Harassing message sent to the victim's contact list by the operators

They also have access to call logs, as shown in this message, where they admit to reading the device's phone book through the app and to harassing members of a victim's contacts; the static analysis below shows the code behind this:

Proof of the harassing texts and of the scammers admitting what they do.

Below, from the victim's device, we see continuous harassment, blackmail, extortion and stalking by the people operating this app. They threaten the victim with Law Enforcement and with exposing their identity online. Neither is something a lender, licensed or not, can lawfully do; a police report made on that basis would be a false report, and the liability for it sits with the lender, not the borrower:

Here they insist they will report the victim to Law Enforcement and Government agencies. There is nothing they can lawfully do: the victim has broken no law, while they continue to.
They apparently have many "managers", and one of them identifies himself by name. Again, threats of Law Enforcement and of fining the victim, which they cannot do. The threats amount to extortion; threatening to publish identity documents is blackmail. These are two distinct offences.
The number of different phone numbers used in a single day to text the victim into paying.

Here I intervene on the victim's behalf and explain the law to the fraudster, but he plays ignorant (he even admits the money is obtained illegally):

Where is the proof of harassment? It is right here. As soon as I told him I was investigating his company for felony harassment, extortion and blackmail, he went silent and never texted again. The whole company went quiet and now sends fewer texts than before. They really are ignorant of the law.

The fraudsters then threaten to spread the victim's identity online, and send the documents to the victim's own WhatsApp to intimidate them into paying:

They have sent the victim their own photo and ID with the threat to spread them online unless payment is made (extortion and blackmail).
The company name in the WhatsApp chat is redacted because it is TLP:RED; we suspect a legitimate company's name has been appropriated to make the operation look registered.
The interface of the back-office tool the operators use to view victims' data, which they sent to the victim themselves.

Static Analysis of Ustawi Loan:

Once again the signing certificate carrying Google's details, which lends the app an appearance of legitimacy without proving anything about its origin (see the note on Play App Signing above).
All the suspicious permissions, intents and activities the app declares.
The app's ability to request the download and installation of third-party APKs from unknown sources, triggered through Firebase messaging.
okhttp3 is the HTTP client the app uses. It is a standard Android library found in most apps, so its presence alone is not suspicious; here it is the channel over which further downloads are fetched and data is exfiltrated.
Every user's city is recorded at registration and tracked afterwards.
The main Tanzanian providers the app targets.
The obfuscated code that helps the app bypass anti-virus engines and slow down analysis; even so, this section shows the app setting up a network connection.
The app reads files into buffers, i.e. it loads file contents into memory before processing them.
The app can launch other apps on the device (this was never observed during dynamic analysis; the operators most likely avoid anything that would alert the victim).
The app logs timestamps from the system clock.
The app generates hash codes for the data it collects. Most likely these are the hashCode() methods Kotlin generates for every data class, so they show which fields each record carries rather than the data being cryptographically hashed.
An okhttp interceptor, which lets the app inspect and rewrite every request and response on its network connection.
The app can route its HTTPS (TLS) connection through a proxy.
Network protocol selection, proxy support and connection setup; much of this code is obfuscated as well.
More generated hash codes for the collected records.
The app computes hashes of TLS certificates. This is certificate pinning (okhttp's CertificatePinner compares a SHA-256 hash of the server's public key), which stops an analyst's interception proxy from reading the traffic; it is not encryption of the certificate, since a hash is one-way.
Cache handling: the app can flush its cached data.
More cache control, with cache entries flushed after a set period. okhttp's cache directives govern the HTTP response cache rather than the app's own data, so this is the likely reason you are logged out when you reopen the app (a normal app would stay logged in) rather than proof that evidence is being wiped.
The app writes the media it captures to a buffered sink, the okio abstraction okhttp uses for request bodies; the buffered data is then sent to the operators.
The app has encryption routines.
The encryption is applied to the network connection.
The app performs DNS lookups.
The interceptor hooks into the network connection.
The app creates files in device storage.
The app saves messages from the device as serialized object files, creates directories in device storage and logs information about those files.
The app compresses files.
The app registers an observer to watch phone activity.
The app accesses the camera.
This part of the code is not obfuscated, and it shows what the app records about you.
The collected records get generated hash codes as well.
The app retrieves the information it logs and records.
The app logs billing details.
Camera access again.
Suspicious code: imageButton.setVisibility(8) sets the button to View.GONE, so the capture control is hidden while a photo is taken. Hiding the UI around camera use is common in malware that photographs the victim without their knowledge. The same code checks for the existence of files, creates directories in device storage and retrieves files.
The app accesses personal information, contact information and mobile wallet information.
Contact information is read through a text view.
Personal information is accessed and given a hash code.
The data gathered includes KYC (Know Your Customer) data: ID, biometrics and so on.
Address and other personal information are collected as well.
The app collects photo, gender, birthday and more.
The app drives a WebView with a WebViewClient over the network, most likely as part of the command-and-control channel (to collect your information and to push content into the app).
The app has access to your mobile money wallet. Uninstalling the app stops the spying, but not the payment requests (what they call "links") that arrive in your mobile money wallet. They do not have your PIN, which only you know, so they cannot take money without it. The app's ability to observe phone activity, including the screen, could in principle expose the PIN, but there are no reports of money being stolen through this app.
The app captures the mobile money wallet list and details from the device and sends them over the network, which again points to the command-and-control channel.
More of the information the app collects about you.
Likewise here.
The information is saved to and retrieved from a database on the operators' command-and-control server.
The collected information gets a hash code as well.
The same applies to KYC data, including facial biometrics.
All of it can be saved and retrieved.
Those details, with their hash code, can be retrieved from the operators' command-and-control server.
The app has access to SMS.
The app requests SMS data, saves it to the operators' command-and-control server and gives each record a hash code.
The app requests this information from the victim; this is most likely the login page.
The information is saved and retrieved.
The app accesses billing details, including the mobile money provider and the amounts received.
That information gets a hash code.
The kinds of information collected for billing.
The app accesses call log information.
The call log is saved and given a hash code.
A copy of the call log, with date, name, number and similar fields, is sent to the command-and-control server.
The call log records get hash codes too.
How your ID is collected, given a hash code and sent to the command-and-control server.
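The static analysis above walks through the app one screenshot at a time: contacts, SMS, call log, device identifiers, camera, the hidden image button, emulator checks and certificate pinning. The following is an added example, not code from the article or from the apps it analyses: it runs the same capability mapping over decompiled source (as jadx or apktool produce it) and only reports a collector as suspected exfiltration when a network sink is present in the same code base. The regex indicator table and the four sample source files are assumptions constructed for this example; they are not Ustawi Loan's code.

```python
# Added example, not code from the article or from the apps it analyses.
# Map decompiled Java/Kotlin source to the data-access capabilities the static
# analysis describes. The indicator table and the sample sources are
# assumptions constructed for this example.
import re
from collections import defaultdict

# capability -> patterns matched against one line of decompiled source
RULES = {
    "contacts": [r"ContactsContract\.", r"content://com\.android\.contacts"],
    "sms": [r"content://sms", r"Telephony\.Sms"],
    "call_log": [r"CallLog\.Calls", r"content://call_log"],
    "device_ids": [r"getDeviceId\(", r"getImei\(", r"getSubscriberId\(", r"getSimSerialNumber\("],
    "location": [r"getLastKnownLocation\(", r"requestLocationUpdates\(", r"FusedLocationProviderClient"],
    "camera": [r"ACTION_IMAGE_CAPTURE", r"Camera\.open\(", r"android\.hardware\.camera2"],
    # setVisibility(8) is View.GONE: the control is hidden, not the camera.
    "hidden_ui": [r"setVisibility\(\s*(8|View\.GONE)\s*\)"],
    "emulator_check": [r"Build\.FINGERPRINT", r"\"generic\"", r"goldfish", r"ranchu"],
    "cert_pinning": [r"CertificatePinner", r"sha256/"],
    "install_apk": [r"application/vnd\.android\.package-archive", r"ACTION_INSTALL_PACKAGE"],
    "network_sink": [r"OkHttpClient", r"\.newCall\(", r"HttpURLConnection"],
}

# Capabilities that read victim data; they only matter with a network sink.
COLLECTORS = {"contacts", "sms", "call_log", "device_ids", "location", "camera"}


def scan_sources(sources: dict) -> dict:
    """Return {capability: ["path:line", ...]} for every rule that fires."""
    hits = defaultdict(list)
    for path, code in sources.items():
        for lineno, line in enumerate(code.splitlines(), 1):
            for cap, patterns in RULES.items():
                if any(re.search(p, line) for p in patterns):
                    hits[cap].append(f"{path}:{lineno}")
    return dict(hits)


def suspected_exfil(hits: dict) -> list:
    """Collectors that co-occur with a network sink, sorted by name."""
    if "network_sink" not in hits:
        return []
    return sorted(c for c in COLLECTORS if c in hits)


# Constructed sample sources (hypothetical package com.example.loan).
SAMPLE_SOURCES = {
    "com/example/loan/ContactSync.java": """\
import android.provider.ContactsContract;
Cursor c = resolver.query(ContactsContract.Contacts.CONTENT_URI, null, null, null, null);
RequestBody body = RequestBody.create(json, MediaType.get("application/json"));
client.newCall(new Request.Builder().url(API + "/contacts").post(body).build()).execute();
""",
    "com/example/loan/SmsReader.kt": """\
val cursor = contentResolver.query(Uri.parse("content://sms/inbox"), null, null, null, null)
val imei = telephonyManager.getDeviceId()
""",
    "com/example/loan/KycCamera.java": """\
imageButton.setVisibility(8);
Intent i = new Intent(MediaStore.ACTION_IMAGE_CAPTURE);
startActivityForResult(i, 7);
""",
    "com/example/loan/Net.kt": """\
val pinner = CertificatePinner.Builder().add("api.example.invalid", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=").build()
val client = OkHttpClient.Builder().certificatePinner(pinner).build()
if (Build.FINGERPRINT.startsWith("generic") || Build.HARDWARE == "goldfish") finish()
""",
}

if __name__ == "__main__":
    found = scan_sources(SAMPLE_SOURCES)
    for cap, locations in sorted(found.items()):
        print(f"{cap:15} {', '.join(locations)}")
    print("suspected exfiltration:", suspected_exfil(found))
```

Point it at a jadx output tree by reading each `.java`/`.kt` file into the `sources` dict. The pinning hit is worth noting for dynamic analysis: with CertificatePinner in place, an interception proxy will not see the traffic until the pin is patched out or bypassed.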

Threat Intelligence Report for Hakika Loan:

This will be the Threat Intelligence reports from VirusTotal.

VirusTotal Report:

The full Threat Intelligence Report can be accessed from here.

Since this app is the same as Ustawi Loan and both belong to the same operators, the information here matches Ustawi Loan: the code is the same apart from the interface and the name. The app performs cryptographic functions (hashing and encryption), accesses network adapters, uses the telephony API and checks the CPU name. The CPU name check is an emulator-detection technique (emulated CPUs report recognisable names), not something encryption needs. It is identified by the same label: a Potentially Unwanted Application named SpyLoan.
Nothing new here, just the same information as for Ustawi Loan apart from the file hashes, which of course differ. The same fixed 1981 entry timestamps, and again no other submitted names because I was the first to submit the sample to the security community.
The same certificate details, with Google named in the certificate, used to look legitimate.
Suspicious permissions here, except that this app does not act as a downloader for third-party installs the way Ustawi Loan does.
Suspicious activities: wallet, camera and contact access.
The app accesses alarm information, system diagnostics and other system information, and displays ads.
The app has access to device information, boot events (it can detect when the phone starts), storage and power information.
The app is flagged for evading detection through obfuscation, but we know it is a Trojan (a program that disguises itself as legitimate). It has command-and-control capability, like Ustawi Loan.
The app queries the other apps installed on the device (probably to open or inspect them, though no such case has been reported). It can query stored data including WhatsApp, Gmail and other apps' caches, as well as clipboard contents. It has internet access and queries SIM card provider information through the telephony API.
The app queries sensitive device identifiers (IMEI, MEID, ESN) and GPS; the identifiers fingerprint the device and GPS tracks it.
The app collects data from the other apps on the phone (Gmail, WhatsApp and the rest, which is probably why it queries the installed apps), location, and records audio and other media (video and photographs).
This app does in fact serve Google ads, so the operators earn from ads on top of the loans themselves.
The app has functions for AES (Advanced Encryption Standard) encryption.
IP addresses, including the public IP of the command-and-control server in China.

Dynamic Analysis of Hakika Loan:

The dynamic analysis results are the same as for the Ustawi Loan app. Citizens are complaining of the same issues with this app:

Citizens complaining of hacking. You can check the app's reviews yourself; there are plenty like this.

Static Analysis of Hakika Loan:

The same features seen in Ustawi Loan appear in Hakika Loan: Kotlin and okhttp3. This app lacks the remote installer for third-party apps. okhttp3 is the app's HTTP client, a standard library, and not evidence of downloader behaviour on its own.
The app performs DNS lookups, which resolve to the command-and-control server seen earlier on VirusTotal.
Suspicious permissions and intents.
Camera activity, pay bill activity and more; the Google Ads ID confirms that the app hosts ads.
The app uses a file provider and more.
The app accesses battery information, system alarm information and storage information, can change network connectivity, set the time and the timezone, update the alarm proxies and detect when the device has booted.
The app requests user diagnostics data.
The APK's signature verification shows the same certificate with Google's details.
The backup rules name an appsflyer-data directory under the app's /data path. AppsFlyer is a third-party attribution and analytics SDK, and these rules govern what of its data is backed up; whether and how the collected data is encrypted before it reaches the operators' server is not shown here.
The extraction rules back up data the app collects to the cloud.
The AppsFlyer rules back up user photos; a /camera_photos directory is likely created under the app's /data path.
The app extracts data from its cache and from the device's external storage for backup to the cloud.
The app can read the web cache as well.
The app uses Conscrypt, Google's TLS and crypto provider, for AES.
The code of this app is not really obfuscated, which makes analysis easier. The app reads information including card and phone details; this is likely the loan application screen.
Pay bill activity is recorded, including SIM card information.
Camera access, including image capture.
The captured images are written to storage, saved to a content URI through the API and read back. A little obfuscation here, but not much. Pictures are saved as JPEG.
The app accesses the external storage and reads data from it.
The app can read and write the device contacts, so it can both read and modify them. It also enumerates the device accounts (WhatsApp, Gmail and so on).
The app can receive, write and send SMS. It also declares SIP (VoIP) capability.

Conclusion:

Be careful when downloading these applications, especially lending apps from unlicensed lenders not registered with the financial regulator (in Tanzania, the Bank of Tanzania). Read the Bank of Tanzania's notice on the dangers of such apps here. If you use part of this research in your own, please credit it. Unlicensed lending attracts a fine, but the crimes described here are far more serious than illegal lending and can carry years of imprisonment.


Alameen Karim Merali

CHFI | CompTIA | Cyber-Sec | OSINT | Medical | Social Engineering | Mobile Sec | Threat Intelligence | Threat Hunter | Bug Bounty Hunter | Cyber-Security Expert