Joy Credito spyware loan app still available on Google Play Store

During most of 2023, Ana Mariela Macías González, a 31-year-old state employee from Puebla, Mexico, informed Rest of World that she was bombarded with dozens of intimidating phone calls and texts on a daily basis. Some of the messages included edited photos of her along with a text that suggested she was a sex worker. Her entire contacts list, which consisted of friends, family, and colleagues, also received these messages.

The phone calls and messages came from debt collectors sent by various exploitative apps she had downloaded from the Google Play store, including an app called JoyCrédito. Her debt had ballooned from 1,000 pesos ($60) to nearly 60,000 pesos ($3,500) in under six months. When the harassment became unbearable, she reported it to the police. Macías González stated that the police advised her to simply ignore the calls, get rid of her phone, destroy her SIM card, and prepare for several more months of harassment to her contacts before it would finally stop. While the calls finally stopped in late 2023, her reputation was tarnished: Some of her colleagues still make fun of her for the edited photos and terrible messages they received.

Macías González is not the only individual to have raised grievances against the exploitative loan apps, known in Latin America as montadeudas or gota a gota apps. According to Mexico City’s Citizen Council for Safety and Justice, a consumer advocacy group, 135 reports to local authorities have been filed against JoyCrédito for fraud and extortion. Despite the attention from the government, the app is still accessible for download from the Google Play store.

For years, apps like JoyCrédito have been taking advantage of borrowers from Mexico to India. They provide small loans with minimal requirements and extremely high interest rates to financially vulnerable individuals — and then blackmail them when the loan is due. After years of pressure from advocacy groups, Google explicitly prohibited the apps from the Play store in October. However, stories like those of Macías González demonstrate how widespread the apps still are — and how ineffective Google has been at enforcing its own policy.

Rest of World initially raised the issue of the apps with Google Mexico on January 11 and followed up a week later with an email listing 15 instances of exploitative loan apps based in Mexico that blatantly violate the terms of the Play store. As of the publication of this report, all of them were still available for download in the Play store.

Out of the 15 apps, 12 explicitly requested access to either the camera roll or contacts in the Google Play store’s terms of services. The terms of service of two others specified full access only in external documents. One other did not provide any data access information.

Rest of World also discovered 10 apps in Peru that have been identified as exploitative by SBS, a national entity that supervises banking, insurance, and private pension. All these apps are still available for download on the Google Play store.

The apps depend on extensive access to sensitive data on a user’s phone, such as their contacts list or photos. Before the loan is even due, numerous apps will threaten users with circulating fabricated pornographic or incriminating photos to their family and friends if payments are not made.

Some users informed Rest of World that they were extorted even just for downloading and opening the app on their phones, without completing the loan application process. Macías González reported to the police that her personal data — full name, phone number, bank account, official ID — was shared from one app to others, many of which began granting new loans immediately. “I didn’t even download the apps but the money got deposited in my bank account, and then the harassment to pay it back with interest began,” she said. Although she had only downloaded six apps, police records indicated her data had ended up in about 150 apps.

Google is cognizant of the issue and regularly removes predatory loan apps. In Mexico, a Google spokesperson confirmed that the company collaborates with Mexico City’s Citizen Safety Bureau to rigorously monitor the apps due to the high volume of police reports against them.

“We take this problem very seriously and we are dedicated to providing a secure platform for billions of Android users,” Ricardo Zamora López, head of communications for Google Mexico, told Rest of World in a statement. “We will keep investigating and collaborating with the corresponding authorities [in Mexico] in the ongoing investigations, with whom we’ve already established a protocol.”

In theory, the apps are violating Android developer policies that prohibit personal loan apps from accessing sensitive data like the camera roll or contacts list. Apps offering short-term loans are also not allowed. However, in actuality, even loan apps that overtly advertise predatory short-term loans in their terms of service can be found on the Google Play store. The terms and services of a Colombian app called LuckyPlata, which are linked in its Play store description, explicitly state that the app collects “contacts list, SMS, SMS log, and images that incidentally could have sensitive personal data.” The terms and services of Buen Dinero, a Peruvian app available on the Play store, state the app will collect the SMS log and contacts list, “including name and phone number.”

Digital rights advocate groups informed Rest of World that the explicit descriptions raise doubts about whether Google is actually reviewing the terms and services of the apps at all. “The apps describe in their privacy policies all the terrible things they can do, and yet Google considers the requirement fulfilled,” said José Flores, a digital rights activist and head of communications at R3D.

In other instances, scammers sidestep bans by altering their name or creating a look-alike app. “These types of companies are continuously evolving,” a spokesperson for Peru’s SBS told Rest of World. “Often, after receiving public complaints, the people who manage the app will change their names so they can keep taking advantage of users.”

In Peru, a company called Alpacash-Préstamos en Perú was removed from the Google Play store in 2020, only to reappear in 2023 as Alpacash-préstamo. In Colombia, Google banned a spyware loan app called Unicop, only to see a copycat appear under the name UnicopPro. (Its logo is exactly the same as Unicop, except for a small dollar sign.) Magicrédito, a loan app based in the Escandón neighborhood in Mexico City, was taken off the Google Play store in 2021, but returned as Quikrédito with the same registered address as its predecessor. According to data from Mexico City’s Citizen Council for Safety and Justice, 18 people formally filed a police report against Magicrédito, which has now been removed from the Google Play store.

Police reports indicate that the problem is affecting tens of thousands of individuals across Latin America. In Colombia, over 8,000 people filed reports against predatory loan apps with the country’s IT crime bureau last year. Peru’s national police received more than 400 reports against the apps. Between 2021 and 2023, Mexico registered over 18,000 reports, according to Mexico City’s Citizen Council for Safety and Justice.

The reports to authorities may only capture a fraction of the problem. In May, researchers at the cybersecurity firm ESET found an 88% increase in instances of spyware loan apps in the first half of 2023.
As the spyware loan scams escalate, authorities in Colombia and Mexico have attempted to address the issue through targeted police raids. In August 2022, Mexico City’s police raided the offices of companies linked to over 90 extortion apps, detaining 27 people who allegedly made extortion calls. A similar operation took place in Colombia in November 2023, with 9 people detained and linked to a larger criminal operation.

Leave a Reply

Your email address will not be published. Required fields are marked *